As our business and personal lives cause us to do more online, the number of passwords we must use and remember on a regular basis increases. We all know we should be keeping our passwords unique, private, and secure, but it can be a chore to remember them all. Instead of writing your password on a Post-It and sticking it to the bottom of your keyboard or hiding that piece of paper in your desk, let’s talk about some easy and secure options.
The three most common ways passwords are compromised are brute force, social engineering, and phishing. Brute force is the process of trying possible passwords one after another (i.e. aaaaaaaa, aaaaaaab, aaaaaaac, and so on) until one works, either against the login page itself or, far faster, against a stolen copy of a site's password database. Every extra character multiplies the number of guesses required, so the longer the password is, the harder it is to crack.
Social engineering, in this context, is the process of harvesting pieces of information about you and combining them to guess likely passwords. That information can be a written-down password, research into your business and business contacts, or details about your interests and family that you share on social media. Once gathered, it serves as a set of hints from which your passwords can be guessed in far fewer attempts than blind brute force would need.
Phishing is a social engineering scam that revolves around psychological manipulation, fooling you into revealing your password or other confidential information to a seemingly trustworthy source, when in reality, it’s going straight to the scammer. No matter how secure your password is, if you hand it over to someone, you may as well have no password at all.
Easy passwords often contain one or more of these components: meaningful names (pet, child, spouse), significant dates (someone’s birth date or anniversary), current year, company name, or even your own name.
What makes a strong password? According to most websites, a strong password has:
8 or more characters
Contains a variety of uppercase and lowercase letters, numbers, and symbols
Does not contain common words (those found in a dictionary).
Although this is a good starting place, the most common password pattern that satisfies those rules is a six-letter word followed by a number and a symbol (e.g. Secret1!). Unfortunately, this habit is so common that password-cracking tools try dictionary words with exactly these additions before anything else, quite successfully.
So, what should you do? You could use a gibberish password or a random password generator like this one (https://passwordsgenerator.net/). Although this is secure, it may be difficult to remember a long, cryptic string of random characters. That's where password managers come in. LastPass, Dashlane, KeePass and the like give you a secure location to store all the passwords you create. They can also generate a unique and secure password automatically when you create a new online account, and audit your existing passwords to flag ones you have reused on multiple sites. The password autofill option also helps protect you against phishing, because the manager will not fill in your password on a look-alike fraudulent site whose address does not match the one it saved. If you use a password manager, I heavily recommend turning on two-factor authentication for it.
If you’re reluctant to trust your passwords and personal information to a corporation (I don’t blame you, thanks Equifax), you should consider making a complex password that you can remember, and adding a modifier for each website where you have a login.
One suggestion is to choose 4 random words (pick them from a dictionary or a word list rather than from your own life, so they cannot be guessed from the social engineering described above), remove the spaces, and make a story or image in your mind. Let's say you start with HorseOrangeBalloonRefrigerator. This is a 30-character password (for reference, even 12 truly random characters drawn from the full keyboard would take roughly 15,000 years to brute force at a trillion guesses per second), and you can remember a horse sitting on a refrigerator holding an orange balloon quite easily. Now add a modifier: let's say you are making an account on Amazon.com; try adding an A between the first and second words and a Z between the third and fourth words, giving you a password of HorseAOrangeBalloonZRefrigerator. One caveat: if one site leaks its copy of your password, an attacker who spots the pattern can guess the modifier for your other accounts, so treat this scheme as a fallback for when a password manager is not an option.
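As an added worked example (this is not code from the original post), the following Python script makes the numbers above concrete: it flags the word+digit+symbol habit, computes entropy and worst-case cracking time for random-character passwords and for word-based passphrases, generates both kinds with the `secrets` module, and applies the modifier scheme to the four words. The short word list and the guess rate of a trillion per second are assumptions for illustration; a real passphrase generator would draw from a large published list such as the EFF long list of 7776 words.

```python
import math
import re
import secrets
import string

# Constructed word list for the demo only; a real generator should draw from a
# large published list (the EFF long list has 7776 words).
SAMPLE_WORDLIST = [
    "horse", "orange", "balloon", "refrigerator", "candle", "river",
    "pencil", "window", "garden", "rocket", "mirror", "planet",
]
EFF_LONG_LIST_SIZE = 7776          # size of a real list, used for the entropy estimate

# Letters, digits and punctuation: 94 characters (string.punctuation has 32).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

GUESSES_PER_SECOND = 1e12          # assumed cracking rate against a fast, unsalted hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The "six-letter word, one digit, one symbol" habit the article calls out (Secret1!).
COMMON_PATTERN = re.compile(r"^[A-Za-z]{6}[0-9][^A-Za-z0-9]$")


def matches_common_pattern(password: str) -> bool:
    """True if the password follows the word+digit+symbol habit crackers try first."""
    return COMMON_PATTERN.match(password) is not None


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years needed to try every candidate in a keyspace of 2**bits."""
    return (2.0 ** bits / guesses_per_second) / SECONDS_PER_YEAR


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random-character password; secrets (not random) gives unpredictable picks."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 4, wordlist=SAMPLE_WORDLIST) -> str:
    """Four-random-words passphrase, each word capitalized and joined without spaces."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(n_words))


def add_modifiers(words, inserts):
    """Insert site-specific letters after the given 1-based word positions,
    e.g. {1: "A", 3: "Z"} on the four words gives HorseAOrangeBalloonZRefrigerator."""
    return "".join(word + inserts.get(pos, "") for pos, word in enumerate(words, start=1))


if __name__ == "__main__":
    print("Secret1! follows the common pattern:", matches_common_pattern("Secret1!"))
    cases = {
        "8 random printable characters": entropy_bits(len(PRINTABLE), 8),
        "12 random printable characters": entropy_bits(len(PRINTABLE), 12),
        "4 words from a 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 words from a 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
    print("random password:", random_password())
    print("passphrase:", random_passphrase())
    words = ["Horse", "Orange", "Balloon", "Refrigerator"]
    print("with modifiers:", add_modifiers(words, {1: "A", 3: "Z"}))
```

Running it shows what the character count hides: strength comes from how the words were chosen, not from the 30 letters. Four words drawn at random from a 7776-word list carry about 52 bits of entropy and 12 random printable characters about 79 bits; at a trillion guesses per second against a fast, unsalted hash the passphrase is exhausted in about an hour and the random password in about 15,000 years. The passphrase is still far stronger than any Secret1!-style password, and a fifth or sixth word, or a larger list, closes much of the gap. Sites that hash passwords with a slow, salted algorithm push these worst-case figures up considerably.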
Using one or more of these techniques will give you passwords that are seriously secure, which will help protect you from the most common forms of attack.
For more information regarding IT Support call us at (925) 603-3229 option 2 or firstname.lastname@example.org.