
World Password Day: Why We're Still Using Crackable Tech

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables

If you think you've chosen great passwords, think again.


What's happening

May 4 is World Password Day. The event was created by Intel in 2013 to encourage people to better secure their online accounts.

Why it matters

Weak passwords put personal information at risk. Even worse, people use the same bad passwords for multiple accounts, which means if one gets compromised, others could also fall.

What's next

Check out CNET's tips for how to create better passwords and lock down your logins.

There's a lot to hate about passwords. Good ones can be hard to remember. They're often a pain to reset. And even when we do everything right, they can still be cracked by cybercriminals.

The use of passwords dates back to antiquity, but cybersecurity experts have pushed for their elimination. In the days of ancient Rome, that might have been an impossible task, but with the help of modern technology, they say, humanity has the potential to move beyond passwords and into a world of easier, more secure authentication methods.

So why hasn't this happened? 

"Because change is hard," said Andrew Shikiar, executive director of the FIDO Alliance, a tech industry group focused on developing and promoting authentication standards that reduce the world's reliance on passwords.

So what better occasion to push for the elimination of the password than World Password Day, which just happens to be Thursday? It's a totally made-up celebration created by Intel back in 2013. Traditionally, it's intended as a reminder to take a close look at your logins and make sure they check the required security boxes.

Speaking during an online panel discussion organized by the authentication management company Okta, Shikiar said that passwords endure because, on the surface, they seem simple and everyone online today knows how to use them. 

Moreover, there just hasn't been a scalable alternative to them, he said. 

But that's changing. Both businesses and consumers now usually have the option of logging into their devices with biometric indicators, physical keys, authentication apps and now passkeys.

Passkeys, which replace passwords with cryptographic keys, are built on protocols and standards created by the FIDO Alliance.  

Apple rolled out passkeys as part of iOS 16 last year. On Wednesday, Google announced that it's begun rolling out support for passkeys across Google accounts on all major platforms.

Proponents say passkeys offer a better user experience than passwords, while eliminating the possibilities of weak, reused and compromised passwords, along with phishing attacks.

The technology is still new and needs to be baked into apps and websites, so it's not the answer to all of your password woes, at least not yet. In the meantime, password managers can help by remembering long strings of characters for you, while keeping them safe.

And a little effort can go a long way toward making your passwords great ones and keeping your data safe. Here are some tips for doing just that. 

Tips for good passwords

Longer is better. At least 16 characters is best. At that point, you don't have to worry so much about password-cracking software. Random sequences of characters are best, but passphrases, such as a combination of three unrelated words, will be OK in most circumstances. Throwing in a special character, such as a symbol or punctuation mark, in the middle won't hurt.

Remember: If you use a passphrase, make sure the words only have meaning to you and don't signify anything important. "Red Sox Rule" might be a great way to show your loyalty to the team, but it isn't a terribly secure passphrase. Don't use your birthday or another significant personal date because cybercriminals can find them easily. Song titles and famous quotations are also bad ideas. Avoid cliche substitutions, such as using @ for "at" or "a," and $ for "s."

Resist the temptation to recycle. Even the best passwords can be stolen and compromised. So limit the fallout by making sure you set unique passwords for all of your accounts. Sure, that could be a lot to handle since we're recommending 16-character or longer passphrases.

As mentioned before, if you need help, sign up for a password manager. Both free and paid options are available. Many internet browsers can also help you out with this task, though they don't always work across your various devices.
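The length, passphrase, substitution, date and reuse tips above can be turned into a local check. This Python sketch is an added example, not part of the original article; the phrase list, the date pattern and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

MIN_LENGTH = 16  # minimum length the article recommends
# The two cliche substitutions the article names: @ for "a", $ for "s".
UNDO_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s"})
# Constructed sample list; a real check would load a much larger one.
GUESSABLE_PHRASES = {"redsoxrule", "letitbe", "maytheforcebewithyou"}
# Heuristic: eight-digit runs shaped like MMDDYYYY, DDMMYYYY or YYYYMMDD.
DATE_RE = re.compile(r"\d{4}(?:19|20)\d{2}|(?:19|20)\d{6}")


def normalize(text):
    """Lowercase, undo the substitutions, drop spaces and punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(UNDO_SUBSTITUTIONS))


def audit_password(password, personal_terms=()):
    """Return findings for one password; an empty list means none."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    core = normalize(password)
    if any(phrase in core for phrase in GUESSABLE_PHRASES):
        findings.append("guessable phrase")
    terms = [normalize(term) for term in personal_terms]
    if any(term and term in core for term in terms):
        findings.append("personal detail")
    if DATE_RE.search(core):
        findings.append("date")
    return findings


def audit_vault(vault, personal_terms=()):
    """Audit {account: password} and flag passwords shared by accounts."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    report = {}
    for account, password in vault.items():
        findings = audit_password(password, personal_terms)
        if len(accounts_by_password[password]) > 1:
            findings.append("reused")
        report[account] = findings
    return report


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    print(audit_vault({"mail": "Red $ox Rule!", "forum": "Red $ox Rule!"}))
```

Because punctuation and the @/$ swaps are undone before matching, "Red $ox Rule!" is flagged exactly like "Red Sox Rule".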

Change can be good. Most experts now say that you don't actually need to change your passwords on a regular basis. But they all agree that you should change them right away at any hint of compromise.

Keep your details off social media. The more personal details you post, the more cybercriminals know about you. Those little, seemingly unimportant, bits of data could be used to crack your passwords.

While you're at it, stay away from quizzes you see posted on Facebook that ask a series of seemingly harmless questions in order to tell you what city you should live in or what your ideal vacation spot would be. Sure, they're fun, but they might be collecting personal information that could be used to crack your passwords down the road.

Always, always use 2FA. If your password does get compromised, a second layer of protection will go a long way toward protecting you. Two-factor authentication, also called multi-factor authentication, is being used by a growing number of sites and requires someone trying to access your account to also enter a second form of ID.

It could be a code generated by an app, a biometric like a fingerprint or facial scan, or a physical security key that you insert into your device. Yes, that will slow you down as you access the account. But it's worth it to keep your account safe. If 2FA is available, use it.

One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. SIM swapping, a scam in which a cybercriminal takes over your phone number, is on the rise. If a criminal takes over your phone number, they'll get your 2FA text message, too.