The U.S. Army Communications-Electronics Command (CECOM) highlights that while strong passwords are a foundational defense against cyber threats, they are no longer sufficient on their own because of the increasing complexity and number of digital accounts individuals manage.
CECOM underscores that weak or reused passwords are a major vulnerability, contributing to a significant portion of data breaches.
For instance, CECOM cites Verizon's 2023 Data Breach Investigations Report as attributing roughly 80 percent of breaches to weak or stolen passwords. To reduce that exposure, CECOM recommends password managers, which generate and store a long, random, unique password for every account. Uniqueness defeats credential stuffing (a password leaked from one site opens nothing else), randomness defeats dictionary and brute-force guessing, and because most managers autofill only on the domain a credential was saved for, they also give some resistance to look-alike phishing pages.
Studies also show that many users still engage in risky password behaviors.
A 2023 Bitwarden survey found that 84 percent of users reuse passwords across multiple sites, and a 2019 Google-Harris Poll study revealed that more than half of users use the same password for multiple accounts. These habits significantly increase vulnerability to cyberattacks.
Ultimately, CECOM encourages adopting a robust password strategy that includes using long, complex, and unique passwords for every account, supported by a reliable password manager. This approach enhances both security and convenience in managing digital credentials.
Source: https://www.army.mil/article/280417/secure_our_world_cecom_recommends_strong_passwords_and_password_managers
Commentary
Password and other credential security lapses continue to undermine data security efforts.
Reusing a password across multiple accounts significantly increases the risk of a security breach because it lets an attacker turn a single compromised credential into access to many services. This tactic, known as credential stuffing, involves criminals taking username-password pairs stolen in one breach and replaying them against the login pages of other platforms. Wherever the same password was reused, the attacker gains access to email, banking, social media, and work accounts, and because each attempt presents a valid username and password, it looks like an ordinary sign-in unless the defender correlates volume and source.
A real-world example is the Yahoo breach disclosed in 2016, one of the largest in history. The intrusion itself dated to 2013, and in 2017 Yahoo revised the number of affected accounts to about three billion, every account it held at the time. The stolen password material was hashed with MD5, which is fast to crack at scale, so large numbers of usable passwords reached attackers. Because users had reused their Yahoo passwords on other platforms, those credentials were replayed in credential stuffing attacks against unrelated services, amplifying the damage far beyond the original breach.
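The signature of credential stuffing described above is a single source spraying a few attempts across many different accounts, which differs from a brute-force attack that hammers one account. The following detection logic is an added example written for this commentary, not code from the Army article or from CECOM; the log format, the IP addresses and the thresholds (at least 5 distinct usernames and a 60 percent failure rate from one source) are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (assumed format, not real data).
# 203.0.113.7 sprays many accounts (stuffing), 198.51.100.4 hammers one account
# (brute force), 192.0.2.9 is an ordinary successful login.
LOG_LINES = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=heidi result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:09Z ip=198.51.100.4 user=alice result=SUCCESS
2024-05-01T10:02:00Z ip=192.0.2.9 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)")


def find_credential_stuffing(lines, min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources that tried many distinct accounts and mostly failed.

    Brute force against one account never reaches min_users, and normal use never
    reaches min_fail_ratio, so only the spraying source is flagged. The summary lists
    the accounts the source did log into, which is the credential-reuse victim set.
    """
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "ok_users": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, user, result = m.groups()
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["ok_users"].add(user)

    flagged = {}
    for ip, s in stats.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["ok_users"]),  # successes from a stuffing source
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(LOG_LINES.splitlines()).items():
        print(ip, summary)
```

The accounts in the `compromised` list are the ones whose owners reused a leaked password; the response is to force a reset and enable multi-factor authentication on them, not merely to block the source address, since stuffing tools rotate through proxies.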
So, what are the essentials of password hygiene? [rt]
- Strong passwords:
  - Are at least 12 to 16 characters long (longer is better, and a password manager can generate far longer)
  - Mix uppercase and lowercase letters, numbers, and special characters with no sequence or pattern
  - Are unique to every account
  - Are complex and random
  - Are never reused
  - Are never recycled in whole or in part
  - Are never shared
  - Are never disclosed in communications
  - Are never left unsecured (e.g., on a sticky note or in a plain-text file)
  - Are never a manufacturer/developer default password in whole or in part
  - Are changed promptly after a breach notification or security warning
  - Are changed after being disclosed to anyone, even voluntarily for repairs or troubleshooting
  - Are backed by multi-factor authentication
  - Are generated and stored by a trusted, vetted password manager
- Strong, unique passwords should not consist of, or contain:
  - A single word (e.g., "password")
  - Dictionary words (e.g., "aardvark")
  - Default passwords from a manufacturer/developer
  - Common words, phrases, or slang (e.g., "bro", "bet")
  - Personal identifiers (e.g., Social Security numbers, addresses)
  - Online identifiers (e.g., gamertags, aliases, nicknames)
  - Family names
  - Pet names
  - Birthdays
  - Common special-character substitutions (e.g., "p@ssword" for "password")
  - Keyboard or numeric sequences and repeated characters (e.g., "qwerty", "12345", "aaaa")
  - Predictable sequences (e.g., "abcd1234")
  - Incremental variants of an earlier password (e.g., "work1" changed to "work2")
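The two lists above read as a policy; the following checker turns them into code so the rules can be applied to a candidate password, and it generates passwords the way a manager does (random choice from a large alphabet, then retry until the checker is satisfied). This is an added example written for this commentary, not code from the Army article, CECOM, or any particular password manager. The dictionary, default-password list, breach list and leetspeak map are small constructed stand-ins; a real deployment would use a full word list and a compromised-password service.

```python
import re
import secrets
import string

# Constructed stand-ins for illustration (not real word lists or breach data).
DICTIONARY = {"password", "aardvark", "welcome", "dragon", "monkey", "letmein", "work"}
DEFAULT_PASSWORDS = {"admin", "admin123", "password", "changeme", "default"}
BREACHED = {"p@ssword", "summer2023", "hunter2"}
SEQUENCE_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]
# Common special-character substitutions, reversed so "p@ssword" is seen as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def unleet(pw):
    return pw.lower().translate(LEET)


def contains_sequence(pw, n=4):
    """True if pw has n+ consecutive chars running along a keyboard row, the digits or the alphabet."""
    s = pw.lower()
    for row in SEQUENCE_ROWS:
        for i in range(len(row) - n + 1):
            chunk = row[i:i + n]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def repeated_run(pw, n=3):
    """True if any character repeats n or more times in a row (e.g., "aaa")."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def recycles_previous(pw, previous):
    """True if pw is an earlier password with a changed numeric suffix, or shares a substring with one."""
    low = pw.lower()
    stem = re.sub(r"\d+$", "", low)
    for old in previous:
        old_low = old.lower()
        if stem == re.sub(r"\d+$", "", old_low):
            return True
        if len(old_low) >= 4 and (old_low in low or low in old_low):
            return True
    return False


def check_password(pw, personal=(), previous=()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    low, plain = pw.lower(), unleet(pw)
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if plain in DICTIONARY or re.sub(r"\d+$", "", plain) in DICTIONARY:
        problems.append("is a dictionary word (possibly with substitutions or a numeric suffix)")
    if low in DEFAULT_PASSWORDS or plain in DEFAULT_PASSWORDS:
        problems.append("is a vendor default password")
    if low in BREACHED:
        problems.append("appears in a known breach")
    if contains_sequence(pw):
        problems.append("contains a keyboard, numeric or alphabetic sequence")
    if repeated_run(pw):
        problems.append("contains a repeated character run")
    for token in personal:  # names, pets, birthdays, gamertags supplied by the caller
        t = token.lower()
        if len(t) >= 3 and (t in low or t in plain):
            problems.append(f"contains personal identifier '{token}'")
    if recycles_previous(pw, previous):
        problems.append("recycles a previous password in whole or in part")
    return problems


def generate_password(length=20):
    """Manager-style generation: CSPRNG choice from letters, digits and symbols, retried until it passes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ["p@ssword", "abcd1234", "Work2", "Fluffy2015!Secure", generate_password()]:
        print(repr(candidate), check_password(candidate, personal=("Fluffy",), previous=("Work1",)) or "OK")
```

The checker only rejects; it never scores, because a "strength meter" invites users to tweak a weak password until the bar turns green. Note also that `secrets`, not `random`, supplies the randomness: a password generated from a non-cryptographic generator can be reproduced by anyone who learns its seed.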