
Secure our world — CECOM recommends strong passwords and password managers

By CECOM CIO G6 Cybersecurity, October 9, 2024

(Photo Credit: U.S. Army graphic)

ABERDEEN PROVING GROUND, Md. — During National Cybersecurity Awareness Month, the U.S. Army Communications-Electronics Command recognizes that the first step to “secure our world” is to identify the importance of using strong passwords. As this task gets more complex, with newer technologies available to attackers, we also want to recognize the importance of managing them with a password manager in your personal life.

Strong passwords are one of the most fundamental defenses against cyberattacks in the increasingly connected digital world. However, relying solely on strong passwords is no longer enough due to the complexity and number of accounts most individuals and organizations manage. The rise of password managers has significantly enhanced password security, making it easier to generate and maintain strong, unique passwords for every account.

Why strong passwords matter

A strong password is difficult for attackers to guess or crack, and its importance cannot be overstated in a time when 80% of data breaches are due to weak or stolen passwords, as reported by Verizon's 2023 Data Breach Investigations Report. A robust password strategy combined with a password manager helps mitigate several common threats:

  • Brute-force attacks: Hackers use automated tools to try every possible combination of characters until they guess the correct password. A strong password, long and complex, can make this process computationally expensive and time-consuming, reducing the chance of success.
  • Credential stuffing: Attackers take credentials leaked in one breach and use them to try and gain access to other accounts. This is why it’s critical to avoid reusing passwords across multiple platforms.
  • Phishing and social engineering: Weak passwords, often reused across sites, are easily exploited when attackers trick users into giving up their login credentials through phishing schemes. Strong, unique passwords for each website and personal account lower the risk of widespread damage when credentials are compromised.
  • Dictionary attacks: These attacks use precompiled lists of common passwords to guess credentials. Simple passwords like “123456” or "password" are incredibly vulnerable to this attack.

Password security statistics

Recent studies indicate that a significant portion of internet users still practice poor password practices despite the growing awareness of cybersecurity risks.

According to a 2023 survey by Bitwarden, an open-source password management company, 84% of users admit to reusing passwords across multiple sites. This practice compromises security and leaves the door open to credential stuffing.

A 2019 study by Google, conducted in partnership with Harris Poll, found that 52% of users use the same password for multiple accounts, 13% reuse the same password for all accounts, and only 35% use a different password for every account. This correlates directly with the three in four Americans who say they get frustrated trying to keep track of passwords. 24% of Americans used some variation of common passwords, such as “Password” or “12345,” while 59% of adults incorporated a name or birthday. And of the 27% of Americans who attempted to guess someone else’s password, 17% got it correct.

According to Ponemon Institute, an independent research organization, in their 2023 Cost of a Data Breach Report, 50% of all breaches are attributed to stolen or weak passwords. In most cases, these breaches could have been prevented by enforcing stronger password policies or using password managers.

According to the Google/Harris Poll, four out of ten Americans have had their personal information compromised; nearly half of those whose accounts were compromised lost money, 38% lost time, and yet less than half would change their passwords following a data breach. It is not so shocking then that 43% of Americans have shared a password with someone in the past and 36% keep passwords on a piece of paper.

A password with just eight characters, lowercase only, can be cracked in less than one second using modern cracking tools, according to Hive Systems, a cybersecurity company. Adding uppercase letters, numbers, and symbols dramatically increases the cracking time: an 11-character complex password can take 400 years to crack with today's technology. However, if your password was exposed in a previous data breach, uses dictionary words, or is reused across accounts, the time it takes to crack it is next to instant.

What makes a password strong?

A strong password typically has the following characteristics:

  • Length: The longer the password, the better. Security experts recommend at least 12-16 characters for strong passwords.
  • Complexity: A mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable information like birthdays, names, or dictionary words.
  • Unpredictability: Avoid common phrases or sequences, such as “password1,” “qwerty” or “abcdef.” Ideally, passwords should be randomized.
  • Uniqueness: Each account should have its own password to prevent a compromise on one platform from affecting others.
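
As an added illustration (not from the CECOM article), the following Python checks a candidate password against the four characteristics above and estimates the worst-case brute-force time from the size of its keyspace; the guess rate, the common-password list and the sample vault are constructed assumptions, not figures from the article.

```python
import string

# Constructed stand-in for the breached/common-password lists used in dictionary attacks.
COMMON_PASSWORDS = {"123456", "12345", "password", "password1", "qwerty", "abcdef"}

# Assumption for illustration only: an offline attacker testing 10^12 guesses per second.
GUESSES_PER_SECOND = 10**12

def charset_size(password: str) -> int:
    """Size of the pool an attacker must search: the sum of every character class present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(pool) for pool in classes if set(password) & set(pool))

def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate (average is half of this)."""
    return charset_size(password) ** len(password) / rate

def assess(password: str, vault: dict[str, str]) -> list[str]:
    """Check the four criteria from the article; an empty list means the password passes all of them.

    `vault` maps account names to the passwords already stored for them (used for the uniqueness check).
    """
    issues = []
    if len(password) < 12:                                   # length
        issues.append("too short (fewer than 12 characters)")
    if charset_size(password) < 94:                          # complexity: all four classes present
        issues.append("missing a character class (upper, lower, digit, symbol)")
    base = password.lower().rstrip(string.digits)            # unpredictability: "Password1" -> "password"
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        issues.append("matches a common/dictionary password")
    reused = sorted(site for site, stored in vault.items() if stored == password)
    if reused:                                               # uniqueness across accounts
        issues.append("reused on: " + ", ".join(reused))
    return issues

if __name__ == "__main__":
    vault = {"email": "Xk9#mQ2!vL7z", "bank": "password"}   # constructed sample vault
    for candidate in ("password", "Xk9#mQ2!vL7z", "Q4!rTz8&wNb2$Lp"):
        print(f"{candidate!r}: ~{brute_force_seconds(candidate):.3g} s to exhaust; "
              f"issues: {assess(candidate, vault) or 'none'}")
```

The estimate is only meaningful for passwords an attacker must actually brute-force; a reused or dictionary password is found long before the keyspace is exhausted, which is what the `assess` checks flag.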

The role of password managers

Password managers have emerged as critical tools for individuals and organizations to manage strong, unique passwords without needing to remember them all. These tools generate, store, and autofill complex passwords, significantly reducing human error and improving security.

Password managers increase security

Generating strong passwords: Password managers create long, random, and highly secure passwords. They avoid patterns that could be exploited by brute-force or dictionary attacks.

Creating unique passwords for every account: Password managers' biggest advantage is their ability to store a different password for every account. This prevents credential reuse, a leading cause of breaches through credential stuffing.

Storing with encryption: Password managers store all passwords in an encrypted vault, accessible only with a master password. Even if an attacker gains access to the device without the master password, they can’t retrieve the stored credentials. Make sure the master password is very secure.

Providing convenience and usability: Password managers automatically fill in login credentials, making it easier for users to maintain security without the inconvenience of manually entering complex passwords.

Password manager adoption and effectiveness

Adoption rates: According to Pew Research Center, a nonpartisan, nonadvocacy think tank, only 32% of Americans in 2023 said they actively used password managers. This is an increase of 12% over their previous survey conducted in 2019. If this trend continues and as cybersecurity awareness increases, it is to be expected that individuals and companies will see greater adoption of password managers.

Reduction in breaches: Organizations using password managers have reported 60% fewer password-related breaches compared to those not using them, according to LastPass, a password management company, in their 2023 LastPass Global Password Security Report.

Password fatigue: The average user manages over 75 passwords across various accounts, making it impossible to remember a unique, strong password for every login. According to the LastPass 2023 report, a single government employee maintains 54 passwords on average, the lowest of any industry, but still shockingly high. Password managers can eliminate this fatigue by helping users avoid weak or reused passwords. Their data shows that an employee will reuse a password 13 times on average.

Time savings: According to the 2023 Bitwarden survey, using a password manager saves users an average of 50 hours per year by automating login processes and managing credentials securely. And according to the LastPass report, using a password manager reduced the time spent managing logins by up to 40% by eliminating the usage of password reset and recovery processes.

Recent events and the importance of strong passwords and password managers

Uber data breach: In this high-profile breach in 2022, a hacker used social engineering techniques to convince an Uber employee to share their login credentials. Once inside, the attacker used these compromised credentials to gain access to Uber’s internal systems, including critical tools like Slack and Amazon Web Services. The attacker was able to escalate privileges by accessing an administrative password that was not adequately secured. This incident highlights the importance of using strong, unique passwords and storing them securely to avoid lateral movement by attackers within compromised networks.

Social media account breaches

  • Facebook: Between 2021 and 2023, millions of Facebook users experienced account compromises due to reused passwords from breaches on other platforms. These credential stuffing attacks used automated scripts to hijack accounts. Facebook notified affected users and urged them to choose stronger passwords, identifying weak passwords and reuse as significant threats. According to the Pew Research report, 39% of social media users say that their social media logins are also used on other websites.
  • Twitter: In July 2020, Twitter experienced one of the most publicized hacks in its history. According to a New York Times “Twitter hack investigation,” attackers gained access to internal administrative tools by exploiting weak internal passwords and social engineering techniques aimed at Twitter employees. High-profile accounts, like those of Elon Musk and Barack Obama, were compromised. The attackers tweeted from these accounts, promoting a Bitcoin scam. This breach shows the results of weak internal password policies and insufficient security controls on high-privilege accounts.

"Secure Our World" with strong passwords and password managers

As the number of online accounts continues to rise, so does the risk of cyberattacks caused by human error with weak or reused passwords. In 2024 and beyond, adopting a proactive approach to password management is key to minimizing the risk of cyberattacks and staying safe online. Strong passwords and password managers can maintain the security, complexity, and uniqueness of our personal credentials without sacrificing convenience and efficiency. By following these recommendations, you help to secure yourself, the Army, the nation, and our world.