Did you know about World Password Day? It takes place every year on the first Thursday in May and is meant to encourage people to consider their password practices and adopt some new – and healthy – digital security habits.
We asked the IDPro community to share their thoughts on password safety and they didn’t hold back!
“Use a different password for each site and use a password manager to generate and keep track of them all.” – Greg Smith
“When using passwords: self-service password reset is a must have. If MFA is not available, the ‘password forgotten’ email reset is a low-budget version of MFA.” – Andre Koot (@meneer)
“Don’t generate your own passwords. People are bad at being random. Have a computer generate it and either memorize it or use a password manager. If you can – especially if you need to memorize it – use a wordlist generator to create a very long but human-memorable password. Pro tip: if a site lets you have a long password with spaces but still has archaic complexity requirements, create a long wordlist password then append ‘Aa1!’ to the end of it to hit all the character classes.” – Justin Richer (@justin__richer)
“If you must use passwords, one trick is to use the hash of your password instead, salted with the domain. That way, it’s reproducible but still reasonably ‘random.’ It’s reproducible given your unique knowledge of the passphrase and uniquely salted for the particular website. This way you don’t have to store it in a password manager. If there is a character limit, use either the largest portion that the website will allow or some standard number of characters, or follow an algorithm. For example: google.com is 10 characters, so use the first 10…
$ openssl passwd -6 -salt ‘google.com’ ‘correct battery horse staple’ | cut -d’$’ -f4 | cut -c 1-10
Be sure to consider command line history if you adopt this method, though.” – Shannon Roddy
“When possible, don’t use passwords at all. With the imminent introduction of FIDO’s multi-device credentials, it will be easier than ever to leave those relics behind. This time, it’s really happening!” – Vittorio Bertocci (@vibronet)
“If it was up to me, I would introduce a minute of silence on World Password Day for all the forgotten passwords as part of breaches – followed by a demonstration of hate for passwords organized by the MFA (Movement For ‘better’ Authentication). I would finish the day by unsubscribing to a service provider I no longer use to reduce the storage needs for my password manager…and celebrate Cinco de Mayo!” – Elie Azerad (@ElieAzerad)