Passwords. You just can’t avoid them. With all the advances in technology, this is the one thing that has arguably gotten worse over time. There are few places you can go online where exchanging information or using an application or site will not require you to create a username and password. Is it any wonder that the majority of people will, for the sake of simplicity and easy recall, use and reuse the same password, or a variation of it, everywhere? I call this the “life password.” You’ve used it forever, and you use it everywhere. However, if one account gets compromised and a human (as opposed to an automated bot) is paying attention, then all your accounts are effectively compromised. A couple of years ago, the Heartbleed bug and its media attention made this apparent to most people: a single flaw in a widely used server library could expose passwords, and any password reused elsewhere was exposed everywhere at once. Sadly, few have done more than come up with a new life password, and they miss the point, which is keeping passwords unique. Worse yet, the continued use of weak and reused passwords remains one of the leading causes of security breaches.
For years, we have been telling clients that this is a bad practice, but we have also been telling them that secure passwords are a cryptic combination of letters, numbers and symbols. While this still has some truth, the hardware criminals use today can crack an 8-character password, regardless of its complexity, in a matter of hours once they have obtained a copy of a site’s password database and that site stored the passwords with a fast hash. (A site that uses a deliberately slow password hash such as bcrypt buys you far more time, but you rarely get to know which kind a site uses, so assume the worst.) You’ve probably seen the result when an old associate sends you an email enticing you to click a strange-looking link, or a fake story about being stranded in a foreign country and suddenly needing money. By the time your contact becomes aware of the hack, the criminal has changed not only the account password but also the security questions and the recovery email address used to reset it. Your associate is now almost certainly locked out of the account for good.
We now recommend that you come up with a passphrase made of several words and use a unique phrase for each of your logins. Simply going from 8 to 10 or 15 characters increases the time it takes to try every possible password from hours to years, because each added character multiplies the number of combinations an attacker has to work through. While this may seem daunting, it’s easier than you think. Start by picking three words that mean something to you and use them as a “base” phrase from which you’ll build tough-to-crack passwords. When choosing words, we recommend going outside your immediate circle (family and pet names are exactly what an attacker tries first) and choosing something from your favorite works of literature, music or art. Your base words could be something like Ringo Abbey Submarine. This way you keep the convenience of the “life password,” which is easy to remember, but we’re going to mix it up a little. The next step is to raise the security by separating the words with numbers and/or symbols. It can be a date that means something to you or any symbol you like. We’ll use 1!65 in this example. Your next step is to create uniqueness. One really easy way to do this is to add a word that represents something about the service or site you’re using. Using all these methods, your Facebook password could be Ringo1Social!Abbey6Submarine5. You now have a long, unique password that is easy to remember. For your other logins you simply change the one word that is unique to the site, and perhaps its position in the phrase. Google could be Ringo1Search!Abbey6Submarine5. Be aware of the trade-off: anyone who sees one of these passwords, for example in a published breach dump, can recognize the pattern and then only needs to guess the site word to reach your other accounts, so keep the base phrase for the accounts that matter most separate from the one you use everywhere else. Instead of a word-based password, you could take any long phrase like “one ring to rule them all, one ring to find them!” and use the first letter of each word plus some creative letter substitution to come up with “oR2RtA,oR2fT!”.
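The “hours versus years” claims above are easy to check with a back-of-the-envelope calculation. The following Python script is an added example, not code from the original article: it counts how many candidates an attacker must try for each style of password discussed (8, 10 and 15 random printable characters; three dictionary words with separators; and the “sibling” of a leaked base-phrase-plus-site-word password) and converts that into wall-clock time at several assumed guess rates. The guess rates, the 20,000-word dictionary, the 100 separator strings and the 500 plausible site words are illustrative assumptions, labelled as such in the code, not measurements.

```python
import math

# Assumed guess rates (guesses per second) for an attacker working offline against a
# stolen password database. These are illustrative assumptions, not measurements; real
# figures depend on hardware, on the hash the site used and on its work factor.
GUESS_RATES = {
    "fast hash (e.g. MD5/NTLM), GPU rig": 1e11,        # assumption: ~100 billion/s
    "slow hash (e.g. bcrypt cost 10), same rig": 1e5,  # assumption: ~100 thousand/s
    "online login form, rate-limited": 10,             # assumption: 10 guesses/s
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # lower + upper + digits + 33 symbols on a US keyboard


def keyspace_chars(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Candidates needed to exhaust every password of exactly `length` characters drawn
    from `alphabet` symbols (pure brute force, no dictionary help)."""
    return alphabet ** length


def keyspace_words(num_words: int, dictionary_size: int, separators: int = 1) -> int:
    """Candidates for a passphrase of `num_words` words from a `dictionary_size`-word list,
    assuming the attacker knows the scheme and owns the list. `separators` is how many
    distinct separator strings the attacker must also try between each pair of words."""
    return (dictionary_size ** num_words) * (separators ** (num_words - 1))


def pattern_reuse_keyspace(site_word_choices: int, positions: int) -> int:
    """Guesses needed to derive a sibling password once one password built with the
    'base phrase + site word' scheme has leaked: only the site word and its slot change."""
    return site_word_choices * positions


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits, the usual way to compare password strength."""
    return math.log2(keyspace)


def time_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate; the expected time is half of this."""
    return keyspace / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(rate_label: str = "fast hash (e.g. MD5/NTLM), GPU rig") -> list:
    """Compare the password styles discussed in the text at one assumed guess rate.
    Returns (label, bits, worst-case time) tuples."""
    rate = GUESS_RATES[rate_label]
    candidates = [
        ("8 chars, any printable ASCII", keyspace_chars(8)),
        ("10 chars, any printable ASCII", keyspace_chars(10)),
        ("15 chars, any printable ASCII", keyspace_chars(15)),
        # assumption: three words from a 20,000-word list, joined by one of ~100 separators
        ("3 dictionary words + separators (scheme known)", keyspace_words(3, 20000, 100)),
        # assumption: ~500 plausible site words, each tried in any of 4 slots
        ("sibling of a leaked base+site-word password", pattern_reuse_keyspace(500, 4)),
    ]
    return [(label, round(entropy_bits(ks), 1), human_time(time_to_exhaust(ks, rate)))
            for label, ks in candidates]


if __name__ == "__main__":
    for rate_label in GUESS_RATES:
        print(f"\n== {rate_label} ==")
        for label, bits, t in report(rate_label):
            print(f"{label:50s} {bits:6.1f} bits  {t}")
```

Under the fast-hash assumption an 8-character password falls in about 18 hours while 10 characters already takes years, which is the jump the text describes; the same 8-character password against a slow hash takes centuries, which is why what the site does with your password matters as much as what you choose. The last row is the caveat about the base-phrase scheme: once one password has leaked, the sibling is a few thousand guesses, which even a rate-limited login form allows in minutes.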
You can also group passwords by sensitivity. Some sites require you to “create an account” to use them, but you keep no information there and you’re not concerned about your digital identity if that account were compromised, so you can use a short throwaway life password for sites like these if you like. Use one base phrase for sites that are not financial in nature, a completely different phrase for those that are, and a third phrase for the passwords you use at work.
Of course, you will have outliers: sites that limit you to 15 characters, or that reject the one symbol you’ve decided to use. With these, try to stick to the rule and do something like using two words instead of three, or substituting an abbreviation. These sites should be few enough that you can recall them with ease.
Why not use a password manager? Although this is a graceful solution, and it even gives you the ability to create completely random passwords for every account, you take on a couple of risks. First, if you use an online service like LastPass, Dashlane, or Roboform that syncs your passwords to the cloud, all of your stored passwords can now be unlocked with a single master password from any computer with an internet connection. The vault is encrypted with a key derived from that master password, so it is only as strong as the master password you choose. If you use a service like this, pick a long master passphrase and make sure the service supports two-factor authentication (a code from an authenticator app or a hardware token, or a code sent to your phone as a text message, required before the vault opens on a computer you haven’t previously authorized; text-message codes and challenge questions are the weakest forms, since phone numbers can be hijacked and answers to questions can often be researched). Second, and this is a little personal for me, password managers will prevent you from remembering anything but your master password. I really don’t like not knowing my passwords. If I’m in a situation where I’m away from the computer that has the password software and I need to log into my bank to make a transfer so I don’t get overdrawn, it can be pretty damaging if I can’t do it quickly.
There are instances, however, where password management, or Identity and Access Management (IAM), is actually desirable. Not too long ago, most company data lived on internal network servers with access managed through a single sign-on at the user’s computer. If a worker was terminated, one only had to disable that one account to lock the user out. Now, with the wide adoption of cloud servers and services, many of which can be accessed from any internet connection and not just from the office, these disparate systems each require their own set of credentials. Managers are faced with the daunting task of changing passwords on possibly dozens of systems to lock out a terminated user. Forget just one, and the results could be devastating to corporate security. Fortunately, there are enterprise-class IAM systems that are affordable even for a small business. They allow managers not only to revoke access quickly but to never divulge passwords to users in the first place, which also prevents unauthorized use of cloud systems outside of the workplace. IAM systems can create a single sign-on environment with two-factor authentication that makes a business far harder to break into.
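Until a business has a single sign-on in place, the “forget just one” problem is best caught by reconciling each system’s user list against what HR says. The script below is an added example, not code from the original article or from any IAM product: it parses per-system user exports, keeps the accounts that can still log in, and reports both terminated users who still have access and accounts HR has never heard of. The four systems, the CSV exports and the names in them are constructed sample data; in practice each export would come from the system’s admin console or API.

```python
import csv
import io

# Constructed sample data for illustration only.
HR_ROSTER = {"alice", "bob"}                 # currently employed, per HR
TERMINATED = {"carol"}                       # offboarded this week, per HR
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}   # non-human accounts expected to exist

# One export per system, as it might be downloaded from an admin console (constructed).
SYSTEM_EXPORTS = {
    "email":      "username,status\nalice,active\nbob,active\ncarol,active\n",
    "crm":        "username,status\nalice,active\ncarol,Active\ndsmith,active\n",
    "file_share": "username,status\nalice,active\nbob,active\ncarol,disabled\n",
    "payroll":    "username,status\nbob,active\ncarol,active\nsvc-backup,active\n",
}


def active_accounts(export_csv: str) -> set:
    """Parse one system's user export and return the usernames that can still log in.
    Status values are compared case-insensitively because exports differ between vendors."""
    reader = csv.DictReader(io.StringIO(export_csv))
    return {row["username"].strip().lower()
            for row in reader
            if row["status"].strip().lower() == "active"}


def reconcile(system_exports: dict, hr_roster: set, terminated: set,
              approved_service_accounts: set = frozenset()) -> dict:
    """Per system, report terminated users who still have an active account and active
    accounts HR does not know about (neither employed, terminated, nor an approved
    service account). Systems with nothing to report are omitted."""
    findings = {}
    for system, export in system_exports.items():
        active = active_accounts(export)
        still_active = active & terminated
        unknown = active - hr_roster - terminated - approved_service_accounts
        if still_active or unknown:
            findings[system] = {
                "terminated_still_active": sorted(still_active),
                "unknown_to_hr": sorted(unknown),
            }
    return findings


def systems_needing_action(findings: dict, user: str) -> list:
    """The systems in which a specific terminated user still needs to be disabled."""
    return sorted(s for s, f in findings.items() if user in f["terminated_still_active"])


if __name__ == "__main__":
    result = reconcile(SYSTEM_EXPORTS, HR_ROSTER, TERMINATED, APPROVED_SERVICE_ACCOUNTS)
    for system, finding in result.items():
        print(system, finding)
    print("carol still has access in:", systems_needing_action(result, "carol"))
```

Run against the sample data, the file share is clean (carol was disabled there), but email, CRM and payroll all still let her in, and the CRM has an account, dsmith, that HR never issued. Running a check like this on a schedule is the manual stand-in for what an IAM system does automatically when a single account is disabled.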
The “Toothbrush Rule.” Never share them. Change them whenever there is any reason to think one has been exposed, such as a breach at a site where you use it. (Changing on a fixed calendar is less useful than it sounds: routine rotation tends to produce predictable variations, and current NIST guidance, SP 800-63B, no longer recommends it.) With your phrase-based passwords, just change one of your three keywords and you will still remember both the old and the new password!
For further reading, see the story from Wired magazine, How Apple and Amazon Security Flaws Led to My Epic Hacking (Mat Honan, 2012), which is a great lesson in how social engineering can lead an attacker to gain access to a lot of things. Fortunately, both companies have tightened things up since that article, but there are many others out there that will readily give up information to the wrong party.
By taking some simple steps, you can create your own secure and easily remembered passwords that will make your digital world a safer one.
If you have questions or would like to know more about IAM, please don’t hesitate to contact us.