Fortinet Blog | News and Threat Research


2013: New Year, New Passwords

by Stefanie Hoffman  |  January 22, 2013  |  Category: Industry Trends & News

February 1st is National “Change Your Password Day.” … Well, maybe not, but it should be, according to Gizmodo, and there are plenty of reasons why.

Most people know they should apply unique passwords, replete with a complex mix of alphanumerics and symbols, to every account. And they also know they should change those passwords every few months.

But let’s face it. Most users also have a list of accounts the size of a small phone book. These days, you need a password to access just about any online service – airline tickets, banking, ordering Chinese takeout. Many of these accounts are for services that the user has accessed a handful of times, and unless they invest in multi-platform password managers or have a photographic memory that rivals Stephen Hawking’s, it’s pretty hard to keep them all straight.

In the spirit of the New Year, Gizmodo suggests users get the ball rolling on new password habits by changing their password on Feb. 1 – a kind of positive peer-pressure approach akin to holding hands and jumping into a swimming pool.

It’s a good start, but to truly reduce the risk of account compromise, users will have to apply a few other password best practices:

Use a Unique Password for Each Account: Or perhaps more precisely, refrain from using the same password for multiple accounts. This one is perhaps the most obvious, but it’s the biggest pitfall.

In fact, as Fortinet’s Carl Windsor points out in his recent blog, your password, regardless of complexity, is at the mercy of the organizations that store it as a hash. Hackers aren’t just cracking individual passwords; cybercriminals have hacked into the allegedly security-rich databases of Internet giants, posting tens of thousands to millions of users’ passwords online. And it’s a pretty safe bet many of those users relied on the same passwords for e-mail accounts and more critical applications such as banking or PayPal. You could have the most complicated password ever derived by man, and it would make little difference if it was posted on the Web for the world to see in plain text.

Consider Two-Factor Authentication – No, Seriously: Fortinet’s 2013 threat predictions report shows the password-only security model will likely go the way of the dodo. These days, cybercriminals have access to easily downloadable tools that can crack simple four- or five-character passwords in minutes. The cloud has only accelerated this process, enabling miscreants to make 300 million password attempts in 20 minutes at a cost of less than $20. That pretty much renders a single-password approach obsolete.

In 2013, it’s likely organizations will implement two-factor authentication technologies for employees, which generally consist of a Web-based login requiring a user password coupled with a secondary password that arrives through the user’s mobile device or is generated by a standalone security token. It’s a mechanism that likely seems cumbersome and unintuitive, but that will change with time, as the solution becomes more accepted and widely adopted. When in doubt, ask yourself if it’s really less time-consuming than embarking on the password reset process yet again.

When All Else Fails, Write Them Down: What? Isn’t this what you’ve been told not to do? Well, yes, but the reality is that your account is a lot more likely to be hacked and exposed over the Web than by someone breaking into your house and stealing a slip of paper securely tucked in your desk. That said, it’s best not to keep that password list on a note taped to your computer or in a place where lots of people can easily access it. It will also give you the ability to get creative and develop truly complex passwords without the burden of remembering nuanced numbers and letters.

If the idea of writing down passwords is still uncomfortable, consider adopting a password manager. A lot of browsers come equipped with a function that creates random secure passwords and then stores them across multiple systems. Users have only to remember one password to access the tool, and then the browser applies the correct site credentials as needed.

Throughout 2013, it’s likely password security will be under the microscope as cybercriminals implement brute force attacks that infiltrate password databases and expose users’ login credentials. We can start bolstering defenses in simple ways, such as changing our passwords.

February 1st is “Change Your Password Day.” There’s no time like the present to get started.


symbianos apple Fortinet hacking challenge Windows Malware FortiGate stuxnet botnet Mobile Security adobe facebook privacy SpyEye mobile derek manky Anti-Spam trojan microsoft zitmo UTM Research Firewall symbos/yxes bredolab challenge sms mobile malware Zeus symbian mobile phone Antivirus conference iphone Mac OS X Anonymous webinar Cryptography reversing network security reverse engineering mobile phones google BYOD exploit virut Security android hashdays Threat Landscape