Cyber Tip: How to Build Strong Passwords
December 4, 2018
Passwords are critical gateways to your company’s databases and networks. But they’re also potential open doors for hackers. Up there with “password” and “qwerty” in the Hack Me Hall of Fame are passwords that are short common terms like team names, dog breeds, dates and other easy-to-guess options. They’re risky on two fronts, according to the Federal Trade Commission. First, an up-to-no-good insider will take one look at the screensaver of an employee's adorable sheepdog Ralphie and immediately try “sheepdog” and “Ralphie.” Second, common words are particularly susceptible to dictionary attacks, the tech equivalent of the million monkeys at a million typewriters that systematically try every conceivable word until they hit pay dirt. When creating passwords, remind your employees to skip those obvious choices. This is one time when good spelling can lead to bad results.
Longer passwords are better, of course, but they can be harder to remember. So how can businesses balance security and practicality? The FTC suggests considering the passphrase as an alternative. Hackers aren’t likely to guess a nonsense word like “iwtraranaped,” but the guy in the next office who plays in a Kiss cover band on weekends will instantly remember “I want to rock and roll all night and party every day.” Careful companies layer in mandatory numbers, symbols, or cases, making “iW2r+ran+ped!” an even stronger option. If your business requires employees to change passwords periodically, the Ace Frehley wannabe can simply move on to the next line of the song.
Here are some tips on building strong passwords.
A Strong Password Should:
- be at least 8 characters in length
- contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
- have at least one numerical characters (e.g. 0-9)
- have at least one special character (e.g. ~ ! @ # $ % ^ & * ( ) - _ + =)
A Strong Password Should Not:
- spell a word or series of words that can be found in a standard dictionary
- spell a word with a number added to the beginning and/or the end
- be based on any personal information such as family name, pet, birthday, etc.
- be based on a keyboard pattern (e.g. qwerty) or duplicate characters (e.g. aabbccdd)
The following are vital suggestions for using passwords
- Do not share your password with anyone for any reason.
- Change your passwords periodically—at least every three months.
- Do not write your password down or store in an insecure manner. Never store a password in an unencrypted electronic file or use the "save my password" feature on websites for important passwords.
- Do not use automatic logon functionality on websites or devices.
- Avoid reusing a password.
- Avoid using the same password for multiple accounts or sites.
- If you have an in-home Internet router, change the default password. Each router has a basic default username and password combination. This makes it easier for hackers to break into your network.
Here are some building blocks you might consider:
Pick a base that you won’t forget. [BASE]
This is what, a few years ago, many people would consider a “password.” It should be a moderately long word, or perhaps an amalgamation of a couple of different words. By themselves, “Rocinante” or “ChickenFeet” would be terrible passwords, but we’re just getting started.
Use words that change with the times. [TIMEWORD]
Security experts suggest changing passwords every couple of months. What if you chose a different 10-letter word for each quarter of the year? For example, you could use “squeezable” from January to March, then switch to “unmuzzling” for April through June, leaving “skyjacking” and “complexify” for the third and fourth quarters.
Use some letters from the name of the website or service. [URLSNIPPET]
Though it’s never a good idea to use a website URL as your entire password, you can use some letters from a website as a way to make each of your passwords unique to each site. You might take the first five letters, the consonants and then the vowels, or something similar. Whatever strategy you choose, just make sure it will work both for long and short domains.
Throw in a random number that you won’t forget. [RANDNUM]
By itself, a number or date makes a lousy password. But a memorable number can be a great addition to a password algorithm. You might choose 1989 (the year the Berlin Wall fell) or 753BC (the year Rome was founded) or perhaps 1905 (the year Einstein published his special theory of relativity). Just make sure it’s a number you won’t forget.
Glue the elements together in a way you’ll remember.
Note that you don’t have to use all of the strategies above. But let’s assume that you wanted to. There are lots of ways we could put together the elements of your password:
- [BASE] + [TIMEWORD] + [URLSNIPPET] + [RANDNUM]
- [TIMEWORD] + [BASE] + [RANDNUM] + [URLSNIPPET]
- [RANDNUM] + [URLSNIPPET] + [BASE] + [TIMEWORD]
- [URLSNIPPET] + [BASE] + [TIMEWORD] + [RANDNUM]
Say you’re using “Snuffleupagus” as your base, “unmuzzling” as your time word and “1776” for your random number. Then suppose that your “URL snippet” strategy involves taking the whole domain of the URL and putting the first letter (capitalized) at the end. Assuming you’re using the first algorithm above and this password is for your PayPal account, you’d end up with the following:
SnuffleupagusunmuzzlingaypalP1776
Now you might be thinking, “Whoa—33 characters is a lot!” That’s true, but you only have to remember four things. By combining them you’re able to have a unique password for every single site you use.
Contact ALTA at 202-296-3671 or [email protected].