Users resist change.
Despite increasing requirements for more complex and secure passwords, "123456," "password," "letmein" and "trustno1" continue to take home the trophies for most-used passwords year after year.
Even with clever tactics, such as replacing an "o" with "0" or an "s" with a "$," security practices need a makeover for users to avoid having one of the billions of passwords that will be compromised this year.
Since password hygiene can always use improvement, take a leaf or two from the books of seven security pros:
1. Russell Schrader, executive director at the National Cyber Security Alliance:
Schrader has been in the privacy and cybersecurity space for more than two decades and sticks to a password manager, VPN and passphrases to make the process easier and more secure.
Passphrases, such as "Mary had a little lamb," can make passwords easy to remember across accounts and add length, though Schrader said he does not actually use nursery rhymes as a passphrase.
In most cases hackers are going for the easily compromised targets, so "you don't have to outrun the bear, you just have to outrun the other guy," he said. Putting loads of sensitive information on Facebook, such as a favorite ice cream flavor, school mascot or first car, can all make you an easy target.
2. Michelle Dennedy, chief privacy officer at Cisco:
"I would love to tell you that I am always well behaved," Dennedy said. But mantras can help with password management: Keep your passwords "exotic, keep them to yourself — do not share — and change them from time to time."
Requiring changes too frequently adds complexity, which discourages people from adopting more secure passwords.
"There are ways of doing memorable, good password management," Dennedy said. "It's not the end all be all, but it's what we've got right now, so have good ones."
3. Chris Babel, chief executive officer at TrustArc:
When it comes to the internet, you can't trust anything, and Babel makes sure he uses a different password for every single site, though there is a method to the madness.
Babel uses a password management tool, but for times when it's not working or not available on a device he uses a personal nomenclature that combines a "crazy, complex thing" standard across sites with something unique to each site based on a mental algorithm.
"I'm a password nerd," said Babel. "I was a security guy for 11 years."
4. Tammy Moskites, managing director at Accenture Security:
Former CISO of The Home Depot and Time Warner Cable, Moskites has had an extensive career in security, starting out in the actuarial trenches and moving up through the security organization.
For her passwords, Moskites uses a "weird algorithm," which uses multiple languages. "Each word is a different language, even though half the time I don't know what it says and I have to go to Google to figure out what those words are," Moskites said.
But the days of the passwords are going to change, said Moskites. "Eventually down the road it will go into a persona, where [a system] will learn a little bit more about me specifically and my habits and be able to identify me that way."
5. Andrew Jones, lead solutions engineer at Shape Security:
To maintain consistency across platforms, Jones relies on a password manager set to 15-character alphanumeric passwords with plenty of special characters. The password manager can autogenerate a new one for each site, though problems can arise for users of such tools if they don't have mobile app integration.
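The strategies above differ mainly in how much guessing work they impose: the character-swap trick from the introduction adds at most one bit per swappable letter, a random passphrase grows with word count, and a manager-generated 15-character password grows with alphabet size. The following Python is an added illustration, not code from the article or any of the people quoted; the leetspeak mapping beyond "o"/"s" and the 7,776-word list size are assumptions chosen for the example.

```python
import math
import secrets
import string

# Alphabets a password manager can draw from: alphanumeric, and alphanumeric
# plus the printable ASCII specials ("plenty of special characters").
ALNUM = string.ascii_letters + string.digits
ALNUM_SPECIAL = ALNUM + string.punctuation

# Substitutions users commonly apply; "o"->"0" and "s"->"$" come from the
# article, the rest are assumed for illustration.
LEET = {"o": "0", "s": "$", "a": "@", "e": "3", "i": "1"}


def random_password(length: int = 15, alphabet: str = ALNUM_SPECIAL) -> str:
    """Generate a manager-style password with a CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length: int, alphabet: str) -> float:
    """Entropy in bits of a uniformly random string over `alphabet`."""
    return length * math.log2(len(alphabet))


def leet_bits(base_word: str, mapping: dict = LEET) -> float:
    """Bits gained by optionally swapping each mappable letter of a known word.

    Each swappable position is one independent yes/no choice, so the trick adds
    at most one bit per such letter, and zero once a wordlist includes variants.
    """
    return sum(1.0 for ch in base_word.lower() if ch in mapping)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list (not a rhyme)."""
    return word_count * math.log2(dictionary_size)


def compare() -> dict:
    """Side-by-side estimates for the strategies the article mentions."""
    return {
        # "trustno1" is already on common-password lists, so only the swaps count.
        "trustno1 with o->0 / s->$": leet_bits("trustno1"),
        # Five words chosen at random from a 7,776-word list (assumed size).
        "5 random words, 7776 list": passphrase_bits(5, 7776),
        "15 random alphanumeric": random_bits(15, ALNUM),
        "15 random alnum+special": random_bits(15, ALNUM_SPECIAL),
    }
```

Running `compare()` shows the swap trick on "trustno1" is worth about 2 bits, while the 15-character manager password is near 98 bits, which is why length and randomness matter more than clever substitutions.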
But no matter the amount of security that is injected, even the most savvy professionals can still be vulnerable.
"If you're doing something on the fly really quick, even for me it's really hard to not fall back to a standard password just as a short-term fix to log in to create the account," said Jones. Avoiding doing this altogether is the best case scenario, but if not, at least remembering to go back and change the password to something more secure is vital.
6. Adam Bacchus, director of program operations at HackerOne:
Bacchus admits that for some sites of low importance without significant PII, shorter, easier passwords can be fine. The problem arises, however, when users carry these practices to other platforms.
Email is the "keys to the kingdom" — the platform used to reset passwords for every other account, so Bacchus makes sure to keep his locked down with a long password and two-factor authentication.
7. Jenny Menna, SVP of Security Intelligence, Engagement and Awareness at U.S. Bank:
After switching from a career in government to the private sector, Menna has advised customers and clients to not use the same passwords across multiple systems in case one is compromised, which is considered a best practice in cybersecurity.
While the industry is hoping to move beyond passwords — "because they're inherently a pain in the butt and insecure" — users simply have to employ complex, unique passwords.
Password hygiene is all about "doing your best because so many people aren't," Menna said. Malicious actors are "going to go after the easiest target because there are so many easy targets, whether it's a company or individuals, unless you are particularly juicy."