Chances are, if you’re like the average American, you could use some help with strengthening your passwords. In fact, according to our latest report, almost half (49%) of Americans admit to using the same password across multiple sites...
If you haven’t seen the report, be sure to read our overview here.
We’re here to help.
In honor of World Password Day, celebrated every May 7th, I sought the advice of a few cybersecurity experts to get their take on what we can all do to improve our password habits.
What is one piece of advice you would give a consumer? What is most important for an SMB to keep top of mind?
Change your password regularly and do NOT rely on passwords alone if additional ways of signing on are available. Most banks offer using your cell phone to send passcodes as additional proof of who you are and there are of course fingerprints or even authentication apps. George Anderson, Product Marketing Director, Webroot
Use a password manager like LastPass that keeps you regimented by not using the same passwords too often and makes sure you change your password often. It requires you to be diligent about the level of security of your passwords. Charlie Tomeo, VP, Channel Sales, Webroot
Enable MFA on all accounts where available. David Dufour, VP, Engineering, Webroot
For consumers, start creating better hygiene around password creation. Taking the initial time to set up every account with a unique/strong password may seem daunting, but do it once and then that’s it. By investing a small amount of time upfront to set up a password manager and/or create new passwords/login, you are much safer from potential threats. Recently, I myself received a phishing-type request that began with telling me that they had access to an old password of mine, which probably scares a lot of people who have been using the same passwords for decades. But I knew I no longer used that password and it was clearly found in a dump of login creds from a hack many years ago, so I had no need to worry. And that’s what it’s all about, eliminating the worry! Briana Butler, Sr. Engineering Data Analyst, Webroot
Webroot’s recent Riskiest States report found that 34% of Americans share passwords with others, and there’s been little to no improvement in Americans’ cyber practices over the past several years. Why do you think that is the case?
I think we're at the human limit of password practices and management getting better. Passwords first came into use in 1961 at MIT, so we're almost 60 years into it. Passwords are hard - they require brainpower to track and manage. It's not a matter of people not taking it seriously - they do - it's about tradeoffs for how you can use your limited brainpower in a given day. Hal Lonas, SVP and CTO, SMB & Consumer, Webroot
It’s the ‘It won’t happen to me’ syndrome; many are simply naive about the risks they face and how easy it is for them to be a victim of identity theft, banking fraud, etc. Recent research we did on phishing painted an even bleaker picture where 30% of those who had their login details stolen didn’t even change them afterward! How insane is that? That’s the ‘lightning doesn’t strike twice in the same place’ syndrome that unfortunately when it comes to automated cybercrime is just not true. George Anderson, Product Marketing Director, Webroot
We’ve seen a shift over time to use biometrics which could be one way to help reduce the risk of traditional passwords. Until we see technologies like these become more ubiquitous (i.e., not just on your phone), they can’t replace passwords but this is a strong contender. Jamie Zajac, VP, Product Management, Carbonite
Most of the issues are due to most people not believing they are a target and overall lack of education. I think now is a good time for changing their behavior. With the pandemic, we are seeing more people working from home and online activity at an all-time high. Charlie Tomeo, VP, Channel Sales, Webroot
Why is multi-factor authentication better than simply having a strong password?
It gives us another way to make sure that the person logging in is who they say they are. Having said that, there are myriad ways to implement MFA - I think people appreciate the ones that make it easier. Having to type an 8-digit number from an SMS message into a website can be really challenging. I also might have trouble using MFA if I'm on an airplane or otherwise traveling. Hal Lonas, SVP and CTO, SMB & Consumer, Webroot
Why do you have two locks on your door? More is better! Andy Mallinger, VP, Product Management, Webroot
If you were to fall for phishing, share a password, or have the password cracked, the account is not compromised unless they also have access to another device like your phone. While not 100% breach-proof, it will drastically increase security posture. Tyler Moffit, Security Analyst, Webroot
What is the biggest misconception SMBs and/or consumers have when it comes to password protection/management?
That it is secure. On their own, passwords, no matter how strong, are not secure from a concerted attack. George Anderson, Product Marketing Director, Webroot
That special characters and numbers do anything for a more secure password. Password cracking software does not care about the characters used, but instead the length of the password. Length is strength. Tyler Moffit, Security Analyst, Webroot
One of the biggest misconceptions about passwords with SMBs and consumers is the thinking that just having a strong password is enough. Phishing for credentials is one of the biggest reasons why it's not enough. Password security needs to be thought of as a layered defense just like any security leveraging multiple measures for protection. Another layer would include MFA. Charlie Tomeo, VP, Channel Sales, Webroot
How does effective password protection/management contribute to cyber resilience?
It's just one factor of many layers of cyber resilience. But if passwords are compromised, it's like giving up the "keys of your kingdom." Hal Lonas, SVP and CTO, SMB & Consumer, Webroot
A password is another essential security layer that has a purpose if it’s a strong password, changed regularly, and changed for each sign-in and application. It’s a key component of identification, authentication and often the access permission layers needed. And, combined with other identification and authentication checks and security layers, it is a strong way of protecting systems, users, and data. George Anderson, Product Marketing Director, Webroot
Two things here really:
- You want to protect your sensitive information – whether it is stored on your local computer or stored in an online service. Having good password practices helps.
- You can’t rely on a single item (strong passwords) to do this. To protect yourself (and your family or your business), you need to have a multi-layered approach to security. Use good passwords, don’t click on unknown links, run a security software suite on your computer, back up your data, and make sure you have a secure network. The more protections you have in place, the harder it is for someone to steal your information and thus the more secure you are. Jamie Zajac, VP, Product Management, Product Management
Being resilient by definition means we are able to recover quickly from difficulties, and in the cyber realm that means that we can manage/mitigate any type of adverse actor or threat. Having good password management further enables us to work as a team with our customers to continue to defend and be tough against cyber criminals. Briana Butler, Sr. Engineering Data Analyst