And the winner for most used password in 2020 is...
As we’ve touched on a number of times, your users should already be required to use Multifactor Authentication to protect your corporate (and personal!) systems. One of those factors typically takes the form of a password. And as anyone who has ever logged in to any system or site since the dawn of the Internet can appreciate, maintaining password discipline is tough.
Back when we still worked in offices, you could lift up the calendar blotter on almost any desk and find that sacred and aged sticky pad with scrawled login credentials and crossed-off passwords replaced by barely changed new ones. During these work-from-home times, that sticky pad has crawled its way up onto the desk lampshade, or clings sideways to the monitor screen.
Password requirements continue to increase in complexity. Reusing passwords across different accounts is a no-no. And what online citizen can remember a separate password for each of the daunting number of online accounts they manage? We’ve spoken before about the benefits of a password manager as a good solution to these quandaries, and every corporate password standard should facilitate the end-user’s ability to use them.
Speaking of password opsec…
In what is probably a fitting security capstone to 2020, NordPass has a grimly entertaining page on their website, the Top 200 most common passwords of the year 2020. The list is filterable by subject, and captures the approximate time needed to crack each password. It is an enjoyable, if confounding, read for any security practitioner. Some of the passwords are not surprising. (I’m looking at you, 123456.) Some are a bit baffling. (Is Myspace still a thing?) And some are quietly uplifting. (iloveyou at number 17!)
If you’re reading this and you recognize your password anywhere on this list, change it now! Or better yet, look into using a password manager that is right for you. At the end of the day, this isn’t just a list of comically common passwords. It is also the list of the first passwords that the bad guys will use to try to compromise your accounts.