
Password security: The staggering gap in a highly technological society

10 June 2026 • Candela Valle Silva, senior product marketing manager

In 2022, we explored password security as the standard method of authentication. As technology evolves, passwords still play a crucial role in our lives; however, despite rapid digital innovation, password security continues to lag behind the technology it’s meant to protect. We have updated the statistics and commentary throughout this blog to provide current insights into the ever-changing landscape of password security.

Hacking statistics remain a daily concern for companies and individuals, with experts indicating that cybercrime will continue to grow. The latest figures show that global cybercrime costs are expected to rise to almost $14 trillion by 2028, a significant increase from the predicted cost of more than $11 trillion in 2026. The cost of cybercrime increases each year, as does the threat to our services and systems. Therefore, cybersecurity has never been more important, and strong password security should be a fundamental pillar of security strategies for companies and individuals.

Password length vs complexity

Security breaches often make headlines, yet strong, unique passwords remain uncommon. In fast-paced routines, people tend to choose easy-to-remember codes or reuse complex passwords, which repeatedly weakens their security. Research done by the Cybernews Investigation team found that only 2.2 million passwords of the over 15 million they analyzed were unique. The investigation also shows how people create passwords, with a tendency to choose easy-to-recall passwords based on favourite sports teams, cities, foods, and even curse words. Many people fall short of the requirement to create unique and therefore secure passwords.

The growth of remote work since the start of the Covid-19 pandemic has opened inroads for cyberattacks, placing remote workers among the top victims and increasing security breaches across the world. At OpenAthens, we updated our password policy in 2022 and implemented enhancements, enforcing stronger passwords to meet our requirements for protecting client and user accounts even further.

There is a tendency to believe that increasing password complexity results in strong and difficult-to-crack passwords. We are used to seeing passwords that combine numbers, symbols, and upper- and lowercase letters, and that are as difficult to remember as they are short and weak. It is necessary to differentiate between complexity and strength, as making a password more complex does not by itself make it stronger. Recent guidance highlights this issue, with NIST password guidelines stating that complexity rules are no longer encouraged; password length matters more.

Choosing the right password

Studies show that 95% of cybersecurity issues can be traced to human errors. Therefore, education and awareness can exponentially improve account safety and reduce risks by teaching basic knowledge, such as how to identify phishing scams, how data is tracked, and how to use strong passwords.

Over the years, password requirements have evolved, and it has become clear that it is possible to hack any system, regardless of the authentication method. While there is an ongoing debate among experts on what matters the most, whether length or complexity, when it comes to creating a strong password, what is certain is that there are different ways to ensure the chosen password is difficult to crack. So, how do you choose the best password?

A combination of both length and two-factor authentication seems the best way to secure your account:

  • Length: The shorter the password is, the easier it is to break. Short passwords are more predictable, and eight-character passwords are no longer safe enough. Passwords of at least 8 to 12 characters are the general recommendation, and passphrases made of at least 15 characters that include spaces or dashes are on the rise.
  • Two-factor authentication: A major addition to password security was the use of passwordless authentication, using one-time codes, push notifications, biometrics, and security keys. This extra step aims to enhance security, acting as an extra barrier on top of the traditional password.
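The length-versus-complexity point and the length figures in the list above can be checked with a small length-first policy. This is an added example, not OpenAthens' policy or code; the 15-character minimum is taken from the passphrase figure above, and the blocklist entries, the repeated-character check and the sample passwords are constructed assumptions.

```python
import math
import string

MIN_LENGTH = 15  # assumption: the passphrase length quoted in the list above
# Constructed sample blocklist; a real one holds breached and common passwords.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "liverpool", "letmein123"}


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover for the character classes in use."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols, including space
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing cost: length * log2(alphabet size).

    Human-chosen passwords fall well below this bound, hence the blocklist.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str) -> list[str]:
    """Length-first policy: no composition rules, spaces and dashes allowed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("in the blocklist of common passwords")
    if len(set(password)) <= 2:
        problems.append("repeats one or two characters")
    return problems


if __name__ == "__main__":
    # Constructed samples: short-and-complex versus long-and-simple.
    for pw in ["P@ssw0rd", "Liverpool", "quietriverlamps", "quiet river lantern"]:
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, {check_password(pw) or 'ok'}")
```

The eight-character password that uses all four character classes has a smaller search space than the 15-character lowercase-only passphrase, which is why the policy enforces length and a blocklist rather than composition rules.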

Go the extra mile

Passwords are the familiar method of authentication, although with time each one could be cracked. This is why adding an extra layer of security through two-factor authentication (2FA) is the crucial next step. 2FA uses an extra key, card, tablet, or phone number to confirm the individual's identity after they enter the username and password, or via encryption, which puts two of the biggest barriers in the way of hackers.

Another option is to reduce the number of accounts you have online by using a Single Sign-On (SSO) system such as OpenAthens. This allows librarians and providers to facilitate secure access to products and services without the need to create additional sets of log-in credentials for each system and allows users to sign in and access information without unnecessary barriers.

Password managers or vaults like LastPass and Dashlane are also great ways to generate and store encrypted passwords online. Password managers not only help you remember all the new, strong and lengthy passwords without falling into the common mistakes of writing the password down or simply forgetting it, but they also promote creating unique passwords for each site or application. The software includes plugins for browsers and is designed to improve the user experience while storing passwords for all sorts of accounts.

There is a hacker attack every 39 seconds (as of 2023), which means that while you were reading this article, there were at least four cyberattacks. The key measure to fight for our data safety lies in our hands. Or even better, in a good and responsible password policy.
