World Password Day: The Password Present  

On World Password Day, we have the opportunity to reflect on how we use passwords to protect our business and personal data. LastPass is marking the occasion a little differently this year by calling out World Password(less) Day in recognition of our passwordless future.  Following up on our last post, which chronicled the rich history of passwords, we are now fast-forwarding to the present day. Here's a look at the current state of password security, today's password security threats, how our bad password behaviors make it harder to secure our digital lives. We’ll also look ahead to the next chapter of password history: the fast-approaching passwordless era.

The current state of password security 

Passwords may seem to have remained largely unchanged since the 1960s, but that's not exactly the case. As cyber attacks have become more sophisticated and serious in recent decades, password security has gradually evolved behind the scenes to ramp up its defenses in response.  For starters, many of us now use password managers to securely store and manage all of our passwords instead of trying to manually keep track of them, and layer multi-factor authentication on top! Plus, the best password managers use encryption to scramble your passwords so that, even if a hacker were to somehow come across those passwords, they would be unreadable and impossible to use. If you use a password manager, then you already know it's critical to keep your vault as secure as possible. This is why LastPass utilizes the Password-Based Key Derivation Function (PBKDF2) to turn your master password (a passphrase, for example) into the encryption key (a series of unrecognizable numbers and letters) to your vault. To grant access to your vault, LastPass performs 600,000 or more rounds of this hashing (or encryption algorithm) function, along with salting (inserting random numbers and iterations) to create the encryption key, before a single additional round of PBKDF2. By choosing to increase the number of rounds or password iterations used in this process, you or your IT colleagues can make it significantly harder for attackers to successfully execute a brute-force attack on your LastPass account. This way, even as computers become more advanced, you can still steadily increase your password security to ward off growing cyber threats.

Today's password security threats 

Cyber criminals have plenty of ways to compromise our passwords, break into our online accounts, and wreak havoc from there. Here are just a few of the techniques they use:

• Brute force attacks aren't particularly sophisticated, but they still work – especially if you haven't set strong or complex passwords on all of your accounts. Malicious actors now use automated tools to try and guess or crack a target's password, for example by running through various words in the dictionary until they hit pay dirt.
• Social engineering attacks, such as phishing exploits, prey on human emotions in an attempt to get you to voluntarily give up personal or business data (for example, by entering login credentials on a legitimate-seeming website).
• Credential stuffing attacks leverage stolen credentials that the cyber criminals have already pilfered themselves or purchased on the dark web. Once they have one of your passwords, these bad actors may try to see if it works for any of your other accounts. If you re-use the same password for multiple online accounts, you may be especially at risk for this form of attack. This is why you should never reuse your passwords, but especially a master password to your vault.
• Keylogger attacks happen when a cyber attacker installs spyware on your computer or mobile device and then records every keystroke you enter, scooping up your passwords so they can break into one or more of your accounts. This is one reason why it's best to avoid using an open or public Wi-Fi network.
• Shoulder surfing attacks can take place when someone in the real world is in a position to see your device's screen as you log into one of your online accounts. If a savvy enough fraudster can make out the password as you're typing it, they may be able to login as you without your knowledge.

Bad password behaviors

Nobody wants to help hackers achieve their goals, but we can easily end up involuntarily doing so. Unfortunately, bad password behaviors make us far more vulnerable to password attacks than we otherwise would be.  According to the 2022 Psychology of Passwords Report, 89% of respondents acknowledged that using the same password or a variation of it is a risk, but only 12% of them use different passwords for different accounts and 62% always or mostly use the same password or a variation. Of those who received some form of formal or informal cybersecurity education, only 31% stopped re-using passwords.  In these cases, a password can end up being a double-edged sword. That password can make us feel as though our online account is protected, but it can also serve as the keys to the kingdom if we're not careful. If a cyber attacker guesses or steals one of our passwords and we happen to be using that same password for our other accounts, then breaking into those accounts is a fairly simple matter.  This is why we need to look beyond passwords to safeguard our vital business and personal data. As we advance toward the passwordless future, we will eventually become less reliant on passwords altogether.

Our passwordless future is quickly approaching

Passwords may have seemed relatively static over the years, gaining complexity and length without significantly changing beyond their fundamental design. In the meantime, password attacks have grown more sophisticated. Our bad password habits have cracked the door open a bit further, making it harder for passwords to single-handedly protect our data. The good news is that people are stepping up their password security game by making greater use of MFA and password managers. In doing so, they are doing their part to prepare themselves and their companies for the next chapter of password history: the passwordless era. The even better news? Password technology is available now. As we mark Word Password(less) Day, now is the perfect time to prepare for the passwordless future with LastPass.  Ready to get started? Try passwordless for free using the LastPass authenticator app.  Want to learn more about how you can achieve stronger security through passwordless? Join us for a webinar on May 4. Register your spot now.