More than 80% of people online use the same password for multiple sites. While this makes account logins easier for customers, it also makes it easier for fraudsters to compromise their accounts.
Intel Security hopes to change that with its annual World Password Day, observed the first Thursday of May each year.
Started in 2013, World Password Day intends to raise awareness about the pivotal role strong passwords play in protecting our digital identities. Given that computer users globally will need to manage 300 billion passwords by 2020 — that’s 40 passwords for every person on the planet — it’s no wonder that so many people opt for simple passwords that are easy to remember.
E-commerce merchants can play an important role in helping consumers strengthen their passwords and protect themselves from identity theft — not just one day a year, but all year long. So the next time your customers think about using their pet’s name or their birthday as their password on your site, encourage them to implement these four password security strategies.
When apps and websites require a second layer of identity verification to log in, accounts become substantially harder to hack.
Merchants can facilitate this by layering multiple identity proofing requirements for users, such as:
- Something the user owns (e.g., a chip card or a mobile device)
- Something the user is (e.g., a fingerprint or a retinal scan)
- Something the user knows (e.g., the answer to a challenge question or a single-use password delivered as a text)
Adding this layer of verification does require a little extra work for the user to access their account, but the increased confidence and protection far outweigh the potential friction.
Merchants who offer multifactor authentication for their apps and websites should encourage users to take advantage of this free extra layer of security.
Despite constant reminders to create hard-to-guess passwords, many users fail to heed that advice. For five years running, the No. 1 most commonly used password was “123456,” used by an estimated 3% of people. In the No. 2 spot — also for five years — “password.”
In fact, most of the 100 most common passwords consist of short numerical strings (22222), keyboard patterns (QWERTY), dictionary words (dog, house) and sports or pop culture references (“donald” is No. 23 and “starwars” is No. 60).
Because a password is often the only barrier between a customer and a fraudster, merchants can require customers to periodically update their passwords to include:
- At least 12 characters
- A combination of upper- and lowercase letters, numbers, and symbols
- No obvious substitutions, like replacing the letter o with the number 0 (“passw0rd” comes in No. 31 of the top 100 worst passwords of the year)
- A string of seemingly random words instead of using just a single word
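The length, character-mix and substitution rules above can be enforced at signup or password change. The following is an added example, not code from the original article: the deny list is a constructed sample built from the passwords the article names, and every substitution in the map other than 0 for o is an assumption.

```python
import re

# Constructed sample: the common passwords named in the article.
# A production deny list would be loaded from a much larger breach corpus.
COMMON = {"123456", "password", "22222", "qwerty", "donald", "starwars",
          "dog", "house"}

# Obvious substitutions to undo before the deny-list lookup.
# The article names 0 -> o; the other pairs are assumptions.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def candidates(password):
    """Forms of the password to compare against the deny list."""
    lowered = password.lower()
    # Drop leading/trailing digits and symbols, so "Passw0rd2024!" is
    # reduced to its core word "passw0rd" before substitutions are undone.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered, lowered.translate(LEET), core, core.translate(LEET)}


def check_password(password):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not all(re.search(pattern, password) for pattern in CLASSES):
        problems.append("missing_character_class")
    if candidates(password) & COMMON:
        problems.append("common_password")
    return problems


if __name__ == "__main__":
    for sample in ("passw0rd", "Passw0rd2024!", "Maple-Orbit7-Cactus-Flute"):
        print(sample, check_password(sample))
```

"Passw0rd2024!" satisfies the length and character-mix rules yet is still rejected, which is why the substitution check runs separately from them.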
On the other hand, if every website password needs to be unique and hard to decipher, customers will be understandably worried they won’t be able to remember each one. Merchants might want to suggest customers use a secure password manager, such as Dashlane, LastPass or RoboForm, to help.
Don’t Share Passwords
It may seem obvious to have to remind customers to not share their passwords, but with the increase of phishing and pharming attacks, customers are increasingly being tricked into sharing sensitive data. Customers often receive legitimate-looking emails or texts from a fraudster posing as a company needing the customers’ passwords or other personal data, and as many as 30% of these phishing emails get opened, with 12% of users clicking links.
If a customer does divulge passwords or account information, the fraudster can launch an account takeover attack and gain access to checking and savings, brokerage, and loyalty accounts. Some attacks even give fraudsters the ability to hack mobile phones and computers.
Use Passwords on More Than Just Websites
With people storing more and more of their lives on their e-commerce devices, losing an unlocked phone or a tablet can be more than just inconvenient — it can be devastating. Finding an unlocked device with full access to bank accounts, automatically reloaded Starbucks gift cards, and payment platforms like Apple Pay or PayPal is like Santa’s arrival on Christmas Day for fraudsters.
To avoid losing it all when they lose their phones, encourage customers to secure their devices with the latest technology. Many electronics now offer the option to unlock devices with fingerprints or face recognition — increasing the likelihood that only the rightful owner can access sensitive information.
Even if customers have taken all these steps toward securing their accounts, they need to secure their devices, too. A fraudster looking over a customer’s shoulder when they type in a user name and password or a hacker recording a user’s keystrokes can leave accounts just as vulnerable. To avoid leaving devices at risk, customers should install updates to antivirus and antimalware software and install any security updates and software patches that are issued.