Do you have these misconceptions about passwords?

Written by Jack Warner at Techwarn.

With the current trends in technology advancements and cybersecurity threats, it’s exciting to see how authentication technologies evolve to match up. Many tech experts are now exploring a new world beyond password authentication. Some of the emerging alternatives include multi-factor authentication (MFA), biometrics, and behavioral analysis, among others. Unfortunately, several headlines can cause you to believe a myriad of myths and misconceptions about passwords and the future of authentication. In general, most accounts are hacked due to weak, poorly managed, or guessable passwords. That’s according to a 2017 Data Breach Investigations Report. So, here are the common misconceptions about passwords that you’ll find floated on the internet:

#1: A Complex Password Is Better than a Lengthy Password

Your password must stand up to the various methods employed by hackers. Brute-force attacks, for instance, are used to crack a myriad of passwords, more so than dictionary attacks. It is easy to assume that cracking a password with complex characters like “$%^@33lkL??” is almost impossible, which is far from the truth. A longer, memorable password can be more difficult to crack than a shorter complex one. All you need to do is avoid using words drawn from your personal information, like your surname or your pet’s name. Additionally, it pays to mix characters and dictionary words while avoiding any indication of which account the password belongs to. If you add the word “Twitter” to a password, any hacker who manages to recover it through a brute-force attack can easily tell that your Facebook, eBay, and other accounts will follow the same pattern, with the name “Twitter” swapped for the names of the other websites.

#2: Regular Password Changes Enhance Security

Today, almost every organization has laid down rules to govern regular password changes. Some will even impose limits on the age of a password. Sometimes, there is a minimum number of characters that you must change when renewing your password. This practice comes from the belief that passwords begin to leak as they age. While the approach addresses one aspect of the problem, most users will still fail to adhere to the other password requirements, which can give hackers a starting point from which to guess your password. It’s far more effective to educate users about creating a unique password and why it’s important to avoid password sharing.

#3: Biometrics Can Solve All Security Problems

With advancements in technology, biometrics have gained a strong appeal among users. Instead of trying to remember several long passwords, you simply place a finger on a sensor and gain access. It’s a very secure method of authentication, even when used as single-factor authentication. Hackers will find it hard to gain access to your accounts since your fingerprint or retina scan is just a set of 0s and 1s. Now, imagine someone getting hold of your fingerprints by whatever means. You’ll basically be doomed. They’ll gain access to every single account you’ve secured with your fingerprints, including your credit card and bank account. And, of course, you cannot simply get a new set of fingerprints.

#4: Online Password Checkers Are Accurate

Many websites today will tell you how strong your password is. When setting up a new account, you’ll get a rating ranging from very weak to very strong. The site may also give you suggestions to mix numbers, letters, and special characters to improve your password strength. However, the system may not know exactly what order presents the strongest password. Studies have indicated that many people use a capital letter at the start of a password and key in numbers at the final portion of the password. That means that mixing things up just because an online password checker tells you so might not give you the strongest password.
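As an added illustration of points #1 and #4 (example code, not part of the original article), the following Python compares the exhaustive search space of the article’s own example password against a longer lowercase passphrase, next to a class-counting meter of the kind described under #4 and a check for the capital-first, digits-last layout. The passphrase words, the 7776-word dictionary size, and the guessing rate are assumptions.

```python
import math
import re
import string

# Character classes an exhaustive (brute-force) search must cover once a password uses them.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}

def classes_used(password: str) -> list:
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must assume for this password."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space (alphabet ** length): the 'length wins' argument of #1."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Caveat: an attacker who knows the words come from a list only searches whole words."""
    return word_count * math.log2(dictionary_size)

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole brute-force space at an assumed guessing rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second

def naive_checker_score(password: str) -> int:
    """Mimics a class-counting meter (#4): one point per class used, one more if length >= 8."""
    return len(classes_used(password)) + (1 if len(password) >= 8 else 0)

def has_predictable_layout(password: str) -> bool:
    """The layout studies flag: a capital only at the start, digits (and maybe a symbol) only at the end."""
    return re.fullmatch(r"[A-Z][a-z]+[0-9]+[^A-Za-z0-9\s]*", password) is not None

# Constructed comparison: the article's example password versus a lowercase four-word passphrase.
SHORT_COMPLEX = "$%^@33lkL??"
LONG_SIMPLE = "maplekettleorbitsandwich"

if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, LONG_SIMPLE, "Password1!"):
        print(f"{pw!r}: meter={naive_checker_score(pw)} bits={brute_force_bits(pw):.1f} "
              f"predictable={has_predictable_layout(pw)}")
    print(f"four words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

The meter rates the short complex password higher than the passphrase, while the search-space bits say the opposite; the passphrase figure only holds against an attacker who does not know the words were picked from a list.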

#5: You Need One Complex Password for the Best Security

Most people believe that having a unique, complex password is all you need to secure your account. That is understandable, since cybercriminals often use an “exhaustive search” or “brute-force attack” to hack accounts. This means the attacker guesses your password by trying out combinations until they find the right one. Since the process is executed by a computer, it can take just seconds to recover your real password, especially when you use fewer than 8 characters. So, many cybersecurity experts recommend passwords of at least 16 characters. Regardless of how complex your password is, it can never be totally immune to man-in-the-middle attacks, social engineering, or phishing.

#6: Two-Factor Authentication Is Foolproof

One of the smartest ways to secure your account is through two-factor authentication (2FA). However, you should not be misled into thinking it is 100% impervious. Some hackers can effectively use social engineering to get past your 2FA and access your account. So, it’s a great way to secure your account, but beware of the other methods used to hack accounts. Your account is safer with two-factor authentication than without it, but be sure to follow the other password best practices for better protection. Having 2FA on a weak password won’t get you far.

Today, SMS verification has emerged as a convenient and widespread way to send unique codes that verify whether the user is who they say they are. The downside of SMS is that it wasn’t designed with security in mind. Another alternative that works well is using Google Authenticator to generate second-step verification codes on your phone before you’re allowed to sign in.

#7: Your Password Is Secure with Large Companies

Many people feel safe and comfortable with big, powerful brands. The assumption is that if a company is big, it must have the required expertise and experience working for it. So, it seems reasonable to assume that it has put additional measures in place to protect itself and its clients from attacks. However, don’t be too quick to buy into that misconception. Huge data leaks you’d never imagine have been reported at some of the largest organizations. Dropbox in 2012, Adobe in 2013, LinkedIn in 2016, and MySpace in 2018 are just a few of the big-company hacks that have occurred over the last few years.

Even with the emerging trends in user authentication, passwords remain one of the most secure and effective methods. Just make sure that your password is long, unique, and incorporates a mix of letters (both upper case and lower case), numbers, and special characters. Additionally, add an extra layer of protection through two-factor authentication.

Jack Warner

About the Author

Jack Warner is an accomplished cybersecurity expert with years of experience under his belt at TechWarn, a trusted digital agency to world-class cybersecurity companies. A passionate digital safety advocate himself, Warner frequently contributes to tech blogs and digital media, sharing expert insights on cybersecurity and privacy tools.