I have been on something of a password campaign for the last few years, preaching to my clients the virtues of implementing strong password policies.
Passwords are users’ front line of defense against cyber criminals, which is why using unique, long, and complex passwords is a key cyber security best practice.
And yet, when discussing this topic, I often feel like a dentist trying to convince her patients to floss. Everyone knows they should floss, but no one wants to do it. I get a similar response to password policies: everyone accepts that they are a good idea, but no one wants to implement them.
Why? Maybe it’s because having to continually type complicated passwords is frustrating or remembering several unique passwords is too difficult. Whatever the reason, there are two bad password habits that leave both business networks and individual users vulnerable to cyber threats.
Bad Habit #1: Weak Passwords
Using a weak password is like leaving your front door unlocked. Sure, it looks like there’s a barrier to your home, but anyone can walk in with little to no effort.
It’s the same with weak and/or commonly used passwords. Hackers know the most commonly used passwords and use that knowledge to run scripts that attempt to break into your seemingly protected accounts.
Bad Habit #2: Reusing Passwords
When a company has a security breach that involves usernames and passwords, the information often ends up in databases available on the dark web. Cyber criminals pull our private information from these sites to hack into our accounts and scam us.
This is a major security risk that is compounded by habit number two, reusing passwords. If your password is leaked in one security breach, a hacker will assume that password is being used for other accounts. And if they’re right, your other accounts are now at risk, too.
Luckily, these two bad password habits are easily corrected. The first step is to understand how to create a secure, easy-to-remember password.
How to Create a Secure Password
First, stop thinking of a password as a word, and instead, think of it as a “passphrase.” Passphrases are a form of cyber security magic. They are long, complex, memorable, and—most importantly—effective.
Follow these two steps to create your own passphrase:
Step 1: Pick a topic that is meaningful to you. It may be a sport, movie, book, or song. When you’ve picked your topic, create a short phrase about your topic.
For example, I love rock climbing. A memorable event in the rock-climbing world occurred in January of 2015, when Tommy Caldwell and Kevin Jorgeson completed the first free climb of the Dawn Wall of El Capitan.
So, my passphrase could be: Tommy climbed the Dawn Wall!
This phrase is a good starting point because 1) it will be easy for me to remember, 2) it’s long (28 characters), and 3) it’s already fairly complex with the capital and lowercase letters and a special character (!).
I’m going to remove the spaces because most online accounts don’t allow them.
Now we have: TommyclimbedtheDawnWall!
Step 2: Increase Complexity. Many sites require at least one number. So, let’s increase the complexity by substituting a “0” for each “o” and a “3” for each “e.”
Which gives us: T0mmyclimb3dth3DawnWall!
Now we have a long, complex password that is easy to remember because it is personal to me.
But don’t forget: this is only one password. If I use it for all 30+ of my online accounts, one of those sites will eventually be breached and my password compromised, and hackers will then be able to use my email address and that password to access my other accounts.
That’s why we need to improve our passphrase security by finding a way to make the passphrase unique for each website.
Two Strategies to Improve Your Password Security
One strategy to improve your password security is to create an algorithm to assign each site a logical, but unique password.
An example of an algorithm would be to take the third and fourth characters from the name of the online account or website and add them to your password. For example, if you are creating a password for your Facebook account, the third and fourth characters would be “CE.”
Accordingly, the password for your Facebook account would be: T0mmyclimb3dth3DawnWallCE!
Your Amazon and online banking accounts would each have a unique passphrase as well:
Amazon = T0mmyclimb3dth3DawnWallAZ!
Chase Bank = T0mmyclimb3dth3DawnWallAS!
On the surface, this system seems foolproof because your password is unique for each account, but this system has drawbacks. If a hacker obtains more than one of your passwords, they can decipher your algorithm. Also, let’s face it, 26 characters is a lot to type, and your error rate (and subsequent frustration!) will increase. Finally, many websites limit the length of passwords.
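As an added illustration (not the author’s code), the following Python implements the two passphrase steps and the per-site suffix rule described above for any phrase and site name, checks the properties the post asks for (length, mixed case, a digit, a symbol), and contrasts that with what a password manager does: drawing a uniformly random password from a cryptographic random source. The minimum length, the character set and the policy check are my assumptions, not settings from the post.

```python
import math
import secrets
import string

# The post's letter-to-digit swaps (applied to lowercase letters only).
SUBSTITUTIONS = {"o": "0", "e": "3"}


def make_passphrase(phrase: str) -> str:
    """Step 1 + 2 from the post: drop spaces, then swap o->0 and e->3."""
    no_spaces = phrase.replace(" ", "")
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in no_spaces)


def site_variant(passphrase: str, site_name: str) -> str:
    """Per-site rule from the post: third and fourth letters of the site
    name, upper-cased, inserted in front of the trailing '!' (or appended
    when there is no trailing '!')."""
    tag = site_name[2:4].upper()
    if passphrase.endswith("!"):
        return passphrase[:-1] + tag + "!"
    return passphrase + tag


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Assumed policy: minimum length plus upper, lower, digit and symbol."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20) -> str:
    """What a password manager does instead: a uniformly random string from
    the OS CSPRNG. Rejection sampling keeps the result uniform over the set of
    strings that satisfy the policy (no forced positions)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Twenty characters from 94 symbols is about 131 bits; a per-site suffix
    adds nothing once the shared base is known."""
    return length * math.log2(alphabet_size)
```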
A better solution? Use a password manager, a program that securely stores your passwords and user IDs. There are several password managers out there, each with its own strengths and weaknesses.
How do password managers work?
Password managers usually include a tool to create random, complex passwords. Using browser extensions, the password manager fills in your usernames and passwords for you when you navigate to your online accounts. These tools allow you to use long, complex passwords and still access your accounts quickly and easily.
If you opt for a password manager, use the strategy outlined above to create a strong passphrase to log in to the program. From there, you are out of the password game, as you let the application create and remember completely random, complex passwords for you.
That’s right: when you use one of these tools, not only do you not have to type in your passwords, but you don’t have to even know your passwords. We recommend this solution because it will keep you secure while removing the burden of remembering dozens of complex passwords.
Don’t leave the door to your digital assets unlocked with a weak or recycled password. Increase your password security by thinking “passphrase” not “password.” Keep your passphrases unique rather than reusing them on multiple sites, and protect your sanity by using a password manager.
At Prosource, we believe your organization’s security is only as strong as its weakest link, so for National Cyber Security Awareness Month, we're taking a more personal approach to awareness. Every week throughout October, we'll send an email with cyber security tips and insights to help you stay protected against cyber threats. Not yet a subscriber? Sign up here.