Did you know about World Password Day? It takes place every year on the first Thursday in May and is meant to encourage people to consider their password practices and adopt some new – and healthy – digital security habits.
We asked the IDPro community to share their thoughts on password safety and they didn’t hold back!
“Use a different password for each site and use a password manager to generate and keep track of them all.” – Greg Smith
“When using passwords: self-service password reset is a must have. If MFA is not available, the ‘password forgotten’ email reset is a low-budget version of MFA.” – Andre Koot (@meneer)
“Don’t generate your own passwords. People are bad at being random. Have a computer generate it and either memorize it or use a password manager. If you can – especially if you need to memorize it – use a wordlist generator to create a very long but human-memorable password. Pro tip: if a site lets you have a long password with spaces but still has archaic complexity requirements, create a long wordlist password then append ‘Aa1!’ to the end of it to hit all the character classes.” – Justin Richer (@justin__richer)
“If you must use passwords, one trick is to use the hash of your password instead, salted with the domain. That way, it’s reproducible but still reasonably ‘random.’ It’s reproducible given your unique knowledge of the passphrase and uniquely salted for the particular website. This way you don’t have to store it in a password manager. If there is a character limit, use either the largest portion that the website will allow or some standard number of characters, or follow an algorithm. For example: google.com is 10 characters, so use the first 10…
$ openssl passwd -6 -salt ‘google.com’ ‘correct battery horse staple’ | cut -d’$’ -f4 | cut -c 1-10
Be sure to consider command line history if you adopt this method, though.” – Shannon Roddy
“When possible, don’t use passwords at all. With the imminent introduction of FIDO’s multi-device credentials, it will be easier than ever to leave those relics behind. This time, it’s really happening!” – Vittorio Bertocci (@vibronet)
“If it was up to me, I would introduce a minute of silence on World Password Day for all the forgotten passwords as part of breaches – followed by a demonstration of hate for passwords organized by the MFA (Movement For ‘better’ Authentication). I would finish the day by unsubscribing to a service provider I no longer use to reduce the storage needs for my password manager…and celebrate Cinco de Mayo!” – Elie Azerad (@ElieAzerad)
IDPro is a professional organization for practitioners of Identity and Access Management
Submit an article to the #IDPro #BodyofKnowledge and help to expand the wealth of knowledge available for #DigitalIdentity professionals. Work alongside other #IAM industry pros to build your article and receive guidance from the IDPro team. Learn more: https://bit.ly/3LATsTE
Selective disclosure, ZKP, oh my!
Join @dfett42 & @vibronet as they explore privacy preserving measures and SD-JWT, the latest spec Daniel is coauthoring, #IdentityUnlocked is brought to you by @auth0, in partnership w @openid & @idpro_org. https://bit.ly/3SJF92E
Become a member of #IDPro today #DigitalIdentity organization and receive great benefits including access to our #IAM #Slack channel, #identity event discounts, and more! Learn about the benefits today: https://bit.ly/37ms8cQ
October is National #Cybersecurity Awareness Month, encouraging people and organizations to do their part in protecting cyberspace, stressing personal accountability, and taking proactive steps to enhance cybersecurity. Learn how to participate here: https://bit.ly/3wDF0Fy
.@IdentityWeek_ID America is a conference and exhibition bringing together the brightest minds in the #DigitalIdentity sector to promote innovation, new thinking, and more effective #identity solutions. Register for the event: https://bit.ly/3ouTmDO