The password dilemma: Creating strong passwords to protect your data

Man looking at a laptop computer on a desk.
Adobe Stock.

Passwords…for many, they are the bane of our existence. Good cyber hygiene requires that they be 12 characters or more, not include anything personally recognizable like a birthday or the dog's name, and that they include numbers and other characters. Oh, and you'll need to change them every three to six months, usually either late at night or as you're trying to get into a meeting or purchase something for the first time from an online vendor. Sound familiar?

A new report from NordPass and NordStellar, Top 200 Most Common Passwords, looks at the most popular passwords across 44 countries and the methodologies for choosing them. Despite knowing that bad actors and other hackers are intent on stealing their passwords and possibly more, many individuals still opt for easy ("weak") credentials over more complex options that could be harder to crack.

According to NordPass, in the U.S., "admin" is the number one choice, while "password" comes in second. Globally, "123456" is the most frequently used password, followed by "admin" and "12345678," as well as "qwerty123."

Researchers did notice an uptick in the use of special characters in passwords, but the way they were used was still extremely simplistic, as in "P@ssw0rd," "Admin@123" or "Abcd@1234."

Generationally, password habits for Gen Z are surprisingly similar to those of baby boomers, with numeric combinations the frequent choice of both age groups. The researchers did find that Gen Z and Gen Y generally don't use names in their passwords, while Gen X and baby boomers are more likely to incorporate them into theirs. For Gen X, the most popular name used as a password was "Veronica," while boomers prefer "Maria."

In a press release, Karolis Arbaciauskas, head of product at NordPass, said, "Generally speaking, despite all efforts in cybersecurity education and digital awareness over the years, data reveals only minor improvements in password hygiene. The world is slowly moving towards passkeys — a new passwordless authentication method based on biometric data — but in the interim, until passkeys become ubiquitous, strong passwords are very important. Especially since around 80% of data breaches are caused by compromised, weak, and reused passwords, and criminals will intensify their attacks as much as they can until they reach an obstacle they can't overcome."

Tips for choosing stronger passwords

For many, using a password generator to create passwords is one way around trying to think of something that will be harder to break. Password managers can also help with securing and remembering passwords across multiple devices or as they need to be changed.

In response to an inquiry from Digital Insurance, Gintautas Degutis, public relations manager for NordPass, offers these suggestions for creating passwords:

  • Create strong random passwords or passphrases. Passwords should be at least 20 characters long and consist of a random combination of numbers, letters, and special characters.
  • Never reuse passwords. The rule of thumb is that each account should have a unique password because if one account gets stolen, hackers can use the same credentials for other accounts.
  • Review your passwords. Make sure to regularly check the health of your passwords. Identify any weak, old, or reused ones and upgrade them to new, complex passwords for a safer online experience.
  • Use a password manager. It can help you generate, store, review, and safely manage all your passwords, ensuring they're well protected, difficult to crack, and easily available when you need them.
  • Turn on multi-factor authentication (MFA). It adds an extra layer of security. MFA helps keep hackers out even if a password gets breached.

Using biometrics for authentication

A wide variety of companies are now enabling the use of biometrics instead of passwords to access data and accounts. In response to an inquiry from Digital Insurance on their use and effectiveness, Arbaciauskas shared more insights on why they are a practical alternative to generating individual passwords.

"Passkeys help protect against password theft and social engineering attacks by getting rid of passwords altogether," he explained. "Passkeys are digital credentials that leverage a device—like a phone, laptop, or tablet—to authenticate users' login attempts. Essentially, they are a new type of credential consisting of two separate cryptographic keys: a public key registered with the website or application, and a private key stored locally on your device. During login, these keys must be paired to grant access.

What makes passkeys great is that biometric authentication tools on your device, such as fingerprint scanners or Face ID, can initiate this pairing process, eliminating the need for passwords or other authentication factors."

Passkeys have been in development for almost a decade, and Arbaciauskas says, "Using passkeys can enhance convenience and significantly boost security by minimizing the risk of password theft. The logic is simple: if there's no password to type, there's no chance you can disclose it. This technology is currently considered the most promising alternative to passwords and is strongly supported by most tech giants, including Apple, Microsoft, and Google."

He adds, however, that adoption is slower than the FIDO Alliance would like. "That's why strong passwords are still so important. Fortunately, modern password managers have the ability to store both passkeys and passwords, which is crucial during this transition period."
