Security Tip of the Week
In recent weeks, the web has been under immense scrutiny after several large companies experienced security-related events and username and passwords were compromised. One of the only benefits of this happening is the resulting conversation related to review password strength policies and poor password practices. Below, you can find a few good tips to help protect your accounts while giving you some guidance on choosing a good password.
1. Size Does Matter
The Problem: There are 26 letters in the English alphabet. That is a total of 52 if you count uppercase and lowercase. Add the 10 digits and you’re at 62. Some simple math could show that your 4 character password would be revealed in 14,776,336 iterations. That password would be cracked in 1.7 days at 100 guesses/second (if it’s not already in a wordlist). Adding just one character in length to 6 increases that to 916,132,832 total combinations.
Suggestion: Give your password some Hi-T and extend it. The longer, the better.
2. Potty Mouth
The Problem: Adding obseneties like
sh!t to your password may seem like a good idea, but it’s more outplayed than Lady Gaga. These phrases commonly litter dictionaries and wordlists.
Suggestion: Put soap in your mouth and clean up your passwords. Creating a password on curse words will not make you cool or secure.
3. Love/Hate Relationship
The Problem: Some folks add parts of the url they are visiting into the password. Good idea? If you want to remember your password, maybe, but remember this helps attackers remember your password too. Wan’t to take a guess at what the number 1 password was on LinkedIn after their accounts got breached? If you guessed
link, you’re absolutely correct!
Suggestion: Don’t make this newby mistake. Social engineering is one of the most common ways passwords are guessed and accounts are hijacked.
4. Separation of Church and Site
The Problem: Many web users make references to religion to help remember passwords and also reinforce their loyalty to their face. Unfortunately, this is a horrible idea. Hackers, crackers and attackers use this assumption to target keywords like
god and more.
Suggestion: Make like R.E.M. and lose your religion from your password.
5. One Ah-ah-ah, Two ah-ah-ah…
The Problem: The most common password on the web next to
123456. You might think from rule 1, that it’s 6 digits long, so it would take a bit longer to crack, right? WRONG! Using incrementing letters, numbers and even that fancy trick of going up one row and down another while holding shift on your keyboard is less than a good idea, and already existing in wordlist’s and hashing dictionaries known as rainbow tables.
Suggestion: If you are experiencing creative block coming up with a password, try thinking of a pattern, like playing a song on the piano. Example, Chopsticks could look like
6. Hello, My name is: _________
The Problem: If you don’t follow this rule, we need to stick a big
FAIL stamp on your forehead. Never, EVER, use a name, birthday, social security number, address or any other personally identifiable information of yourself or a loved one. In most username and password compromises, personal information like addresses, emails, first name, last name, social security numbers and credit card information are also compromised. This is a HUGE problem if your password is based on one of those items.
Suggestion: Be creative. What was the name of your 2nd grade lunch aid? Use that instead. I doubt anyone else will know.
7. Honey, have you seen my password?
The Problem: Sharing passwords with partners and spouses may be cute, and sometimes necessary. You should take all available routes to limit this as much as possible as the more times your password is used, the more attack-area it is exposed to. There will be much more nagging if your credit card details are stolen than if you don’t share a password.
Suggestion: Use a password manager to help organize your life. Dash-lane, 1Password and LastPass are all highly recommended by multiple users.
8. What’s The Password?
The Problem: Passwords, passcodes and passphrases have been used interchangeably for thousands of years, but some companies fight to make sure their employee knows which one it is. Problem is, you let the hacker know too. A password implies the use of alphabet characters, passcode implies use of integers or digits, and passphrase implies a discontiguous grouping of words in sentence structure. Your company should not be focusing on disclosing which type of credentials are required as they should be educating their employees on the application/utility and the importance of security.
Suggestion: Don’t give up a level of obfuscation when designing an application for the sake of simplifying things for end-users. They will be much more upset if their information is compromised than needing to remember the format of a password.
So, What is the ultimate password?
Passwords CAN be secure. It’s just that we as a society have gotten into the habit of making things easy to remember in our hectic lives, we sacrifice security for accessibility. Don’t make this mistake. Ask yourself some random questions that are pertinent to YOUR life, no one else’s like below:
Do you have blue eyes?
Who makes your favorite pair of pants?
How many millimeters of tread are left on your tires?
What was your hourly or salary rate at the age of 19?
How long is your commute to school or work minus the age you had your first kiss?
I was surprised at how many other people were using the same password as me when I scanned a few dictionaries from other compromises like Netflix, Spotify, Facebook and Adobe. Mine was completely random, created by a password generator and was 10 characters long, had alpha-numeric digits, 3 special characters and a mixture of upper and lower cases. This worried me, a lot.
Suggestion: Mix things up. Take things that are relevant in life, and obfuscate it. That is, start with a base password and instead of writing the number
one. Instead of using the letter
o(oh), use a zero,
0. Switch out lower case L and i or 1 since many fonts display them the same. Here are a few examples:
yes green whiskey two ninety
After secure password:
Why is this password good?
That password is 19 characters long, with 95 possibilities for each character. That would be a total of 3.77353602535308e37 combinations to successfully guess. If you had a machine capable of 100,000 guesses a second, it would take 11,957,614,000,000,000,000,000,000 years to crack.
Be adventurous, toss an Emoji in there!
Just remember, don’t use the same password on more than 1 site.