{"id":22712,"date":"2024-05-02T05:02:22","date_gmt":"2024-05-02T09:02:22","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=22712"},"modified":"2024-05-03T15:55:06","modified_gmt":"2024-05-03T11:55:06","slug":"kaspersky-international-password-day-2024","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/22712\/","title":{"rendered":"How to create strong passwords and where to store them"},"content":{"rendered":"

The first Thursday in May is a special day. For over a decade, this day has been celebrated as World Password Day. For us at Kaspersky, it\u2019s an important occasion; we don\u2019t throw a party, but rather take the opportunity to once again remind you of one of the important things in life. That\u2019s right \u2014 passwords! So let\u2019s discuss how to create them, where to store them securely<\/a>, and why \u201cqwerty12345\u201d is a no-no.<\/p>\n

This conversation is crucial because many people still rely on weak and reused passwords that are too easy to guess and have repeatedly fallen into the hands of hackers<\/a>. Why this happens and how to address it \u2014 we explain in today\u2019s post.\n<\/p>\n

How do we discover leaks?<\/h2>\n

\nOur global threat intelligence network \u2014 Kaspersky Security Network (KSN)<\/a> \u2014 plays a key role. It gathers and analyzes cyberthreat data from around the world, with most of the data being provided by our customers anonymously and voluntarily. This de-personalized data is analyzed by our machine learning algorithms (AI) and human experts, enabling us to respond rapidly to emerging cyberthreats: the average time between a new threat appearing and KSN participants\u2019 learning about it is only 40 seconds!<\/p>\n

Thanks to Kaspersky Security Network, we know that in 2023 there were over 32 million attempted attacks on KSN users\u2019 passwords. In 2022, the number was even higher \u2014 a whopping 40 million. This translates to password hacking attempts happening more than once per second<\/strong> globally! Additionally, our late 2023 research<\/a> showed that attacks don\u2019t only affect home users \u2014 businesses aren\u2019t immune either. 76% of small business entrepreneurs surveyed have faced at least one cyber-incident in the past two years, with nearly a quarter of attacks (24%) caused by the use of weak, repeated, or old passwords.<\/p>\n\n

How we check your data<\/h2>\n

\nWe employ three methods to check if your data and passwords have been compromised:\n<\/p>\n

    \n
  1. \nBy email address<\/strong><\/a> for Kaspersky Standard<\/a>, Kaspersky Plus<\/a>, and Kaspersky Premium<\/a>.<\/strong>\u00a0It\u2019s simple: you enter into the application the email addresses you and your close ones use for online accounts. We tell you if any of your personal data, including passwords, has leaked to the internet or dark web. Rest assured, our application doesn\u2019t receive or store the compromised data itself but only provides information about its type. We\u2019ll alert you if a breach involves your password, home address, ID or passport data, bank card number, or any combination thereof. And we won\u2019t just alert you; we\u2019ll also provide sound advice from our cybersecurity experts on the appropriate actions to take, as different types of leaks require specific responses.<\/li>\n
  2. \nBy phone number for Kaspersky Premium<\/a>. <\/strong>This method operates similarly to the email check, but focuses on accounts linked not to email addresses but to phone numbers. These accounts often belong to more \u201cserious\u201d services like banks, government institutions, and major online marketplaces, where data leaks can have severe consequences. You just need to specify your phone number in the application for us to check if it has appeared in any data leaks. You can even check not only your own number but also the numbers of all your family and relatives. The best part is that you only need input the email addresses and phone numbers once; we\u2019ll continuously monitor the web for leaks from then on. If your data gets exposed, you\u2019ll receive an immediate alert with recommendations on what to do.<\/li>\n
  3. \nBy special algorithm in Kaspersky Password Manager<\/a><\/strong>. Unlike the two previous methods, which check all possible leak scenarios, our password manager<\/a> focuses on analyzing the passwords you store in it. Even offline, we can tell you which of your passwords are weak or reused, and which ones are sufficiently strong. Additionally, Kaspersky Password Manager<\/a> regularly checks all your passwords against databases of compromised credentials and notifies you of any matches.<\/li>\n<\/ol>\n

    \nYou can also check if a password has been compromised using our online Password Checker<\/a> service. Simply enter the password you want to check, and the system will tell you how many times it\u2019s appeared in leaked databases and whether it can be considered secure.<\/p>\n

    Oops! Bad news: the password \"qwerty12345\" has been leaked at least 285,000 times<\/a>

    Oops! Bad news: the password \u201cqwerty12345\u201d has been leaked at least 285,000 times<\/p><\/div>\n

    However, this method has one drawback compared to the previous three: it requires manual checks, while Kaspersky Password Manager<\/a>, Kaspersky Plus<\/a>, and Kaspersky Premium<\/a> automatically monitor for leaks in the background.<\/p>\n

    So does Kaspersky store the passwords of all its users? Absolutely not. None of the company\u2019s employees \u2014 a developer, analyst, editor, designer, or even Eugene Kaspersky himself \u2014 has access to your sensitive data. We\u2019ve already discussed our zero-knowledge policy in detail, here<\/a>. Below, we\u2019ll explain why we can\u2019t access your passwords stored in Kaspersky Password Manager<\/a>.\n<\/p>\n

    Why storing passwords in Kaspersky Password Manager is easier and safer<\/h2>\n

    \nMemorizing all your passwords or keeping them in, say, note-taking apps<\/a> is risky. The dedicated Kaspersky Password Manager<\/a>\u00a0is designed specifically for this purpose. It creates, stores and automatically enters strong and unique passwords on websites and applications, checks them for compromise, and generates two-factor authentication codes.<\/p>\n

    Here\u2019s a simplified explanation of how Kaspersky Password Manager<\/a>\u00a0works. All your passwords are stored in a vault encrypted using the AES-256<\/a> symmetric encryption algorithm. This encryption standard is considered strong enough by the U.S. NSA to be used to store government secrets. The encryption key is your main password, which you create during the initial setup of the application. Every time\u00a0you try to access the data vault, Kaspersky Password Manager<\/a>\u00a0prompts you for this password and uses it to decrypt the data.<\/p>\n

    You can keep not only passwords but other important data line bank card numbers, scanned documents, notes, etc. in the same vault. Thus, your confidential data is stored and synchronized among all your devices in \u201ctop secret\u201d encrypted form.<\/p>\n

    This level of security far surpasses storing passwords in browsers<\/a>. We advise against agreeing to the persistent suggestions of your browser to store your passwords for you \u2014 such passwords can be extracted from the browser in mere seconds<\/a>.<\/p>\n

    Access to the encrypted vault in Kaspersky Password Manager<\/a> is granted exclusively through your main password. We don\u2019t know this password and never store it anywhere. If you forget it, the vault\u2019s contents will be irretrievable, and you\u2019ll have to create a new vault. This approach ensures the highest level of security: even if a hacker somehow gains access to the encrypted vault of Kaspersky Password Manager<\/a>, they won\u2019t be able to uncover your passwords, bank card details, or any other stored documents.\n<\/p>\n

    How can we check your passwords for leaks if we don\u2019t know them in the first place?<\/h2>\n

    \nThis is where a Secure Hash Algorithm 1 (SHA-1)<\/a> comes in handy. It takes any data and uses it to create a hash value \u2013 a fixed-length binary string unique to the input data. For example, if your actual password is \u201cqwerty12345\u201d, its \u201cSHA-1 language\u201d representation would look like this: 4e17a448e043206801b95de317e07c839770c8b8.<\/p>\n

    Each unique password always produces the same hash, and if two hashes match, then the original passwords also match. KSN stores calculated hashes for all known hacked and leaked passwords. To check your password, we calculate its hash locally on your device, then send only the first half of this hash to Kaspersky servers, and find all hashes of compromised passwords with the same beginning. Those hashes are sent back to your device, where each of them is compared with the entire hash of your password. If an exact match is found, your password has been compromised.<\/p>\n

    Thus, we do not know your passwords \u2013 they never leave your device in an unencrypted form. It\u2019s theoretically possible to recover the original password from its hash, but\u2026 full hashes of your passwords are also never sent anywhere from your device! Only fragments of them are sent to KSN servers for comparison, and it\u2019s impossible to restore the original password from a part of its hash. Therefore, checking your passwords for leaks is completely safe.\n<\/p>\n

    How to come up with a main password<\/h2>\n

    \nWith Kaspersky Password Manager<\/a>, you only need to remember one \u2013 main \u2013 password. The application uses the main password to encrypt your data in the vault. Therefore, we recommend taking its creation seriously. Using \u201cqwerty12345\u201d as your main password is like putting all your valuables in a safe and then leaving the key in the lock. To make the process easier and ensure you remember the password, here\u2019s a tip on making it strong yet memorable:<\/p>\n

    Think of a favorite phrase, quote, or song lyric. Take one letter (not necessarily the first one!) or a combination of letters from each word in the phrase and insert special characters between them. Replace letters that resemble numbers or special characters with their respective symbols.<\/p>\n

    For example:<\/p>\n

    \u201cMay the Force be with you\u201d \u2014 M@y!T!4!B!W!U<\/p>\n

    A good password isn\u2019t necessarily one with many difficult-to-remember special characters, but one that is resistant to cracking<\/a>. Test your newly created password using our Password Checker<\/a> online service. If it confirms that your password is strong, you can use it as your Kaspersky Password Manager<\/a>\u00a0main password. And this is the only password you have to remember, since our password manager will generate, save, and automatically fill in all your other passwords on websites and apps.<\/p>\n

    If you prefer the old-school method of storing passwords in your head, use the combination you came up with as a base, and for each service and website, add a mnemonic \u201cextension\u201d to it to ensure all your passwords are unique. We\u2019ve a detailed guide on this technique<\/a>. And guess what? Many services, including Kaspersky Password Manager<\/a>, allow creating passwords using\u2026 emojis and emoticons<\/a>.\n<\/p>\n

    Summary<\/h2>\n