World Password Day falls on May the 4th this year, or “May the 4th Be With You!” for those who recognize this date as the annual celebration of Star Wars Day. For the 2023 observance of the latter, fans around the world (including myself) will rejoice as Carrie Fisher (aka “Princess Leia”) is honored with a posthumous star on the Hollywood Walk of Fame. And while the light of this dedication cannot be diminished, the date these two annual observances share in 2023 also illuminates a darker connection – one that warrants our attention as cybersecurity professionals and practitioners. So, what do Star Wars and passwords have in common? If R2-D2 isn’t available, you can ask ChatGPT, which will tell you that hundreds of thousands of people continue to use Star Wars references as part of their passwords today (e.g., Yoda, Chewbacca, Han Solo, Darth Vader, Boba Fett, Ewok, and so on).
Year after year, studies like the annual Verizon Data Breach Investigations Report consistently rank the human element as one of the top factors driving breaches – with 82% of breaches involving the human element, according to this year's findings alone. Whether through stolen credentials, phishing, misuse, or simple error, people (and their passwords) continue to play a massive role in incidents and breaches alike.
But as much as many of us would like to go ahead and ditch passwords altogether, they aren’t going to become a thing of the past anytime in the foreseeable future. Even with companies like Microsoft, Apple, and Google announcing support for passwordless authentication, it will take many more years for applications, services, and systems to adopt the new protocols and modernize.
For this reason, on this World Password Day, we should all pause and think about how we can adopt better password hygiene, do away with outmoded password management practices, and leverage modern authentication technologies to keep our accounts and identity information safer online.
Security tips on this May the 4th World Password Day:
- First, it’s time to do away with easy, often reused passwords. (Seriously, we mean it this time.) Strong passwords (at least 16 random characters) or long passphrases are better and should be unique for every login.
- While that might sound onerous, it leads to my second recommendation: start using a password manager. Password managers make it much easier to auto-generate and securely vault complex passwords. Plus, with a password manager, there is only one password you’ll have to remember: the master password for your vault.
- Third, and perhaps most importantly, use multi-factor authentication (MFA) wherever possible. Right now, MFA is the best way to slow down an attacker. It combines multiple factors of authentication, like something you are (biometric fingerprint or facial scans), something you have (such as a hardware key or mobile phone), and something you know (like a password). Even if an attacker gains access to a password with one technique, such as email phishing, they’ll have to employ a second technique to be able to take over the account. No authentication system is entirely resistant to the tools and techniques a highly motivated attacker has. Still, MFA is a significant deterrent to attacks that rely on a single guessable or compromised password.
Hopefully, someday – in our galaxy, in the not-too-distant future – we can look back in wonder (and maybe even a little confusion) at how we ever commemorated a World Password Day at all... Until then, May the Force and the 4th Be With You in 2023.