Passwords: The Keys To Security
Let's take on the subject of passwords (also called keywords, keys, secret words, secret passes, ID phrases, passphrases, and so on). They are the cornerstone of security for every person out there. Despite the myriad sites on the net giving advice and warnings on the do's and don'ts of password crafting, statistics show that too many users are still guarding their data with weak passwords. Some of the advice in this article has been written many times before, but we hope that parts of it will be new to you. Let's start with what you shouldn't do when choosing a password:
- It's been written many times, but I'll state it here once more: stay away from easily discoverable personal information about you, your family, friends, colleagues or your beloved pet. You'd be surprised how easily your name, birthday, phone numbers, family members' names and similar details can be found. Because this information is so easy to obtain, a password built from it is very simple to guess.
- Do not use any single dictionary word (in any language) or a number spelled out in letters. Most password-cracking software runs dictionary attacks: it tries every word in a wordlist, usually together with "rules" that also try the common variations (an appended digit, a capital first letter, letters swapped for look-alike symbols). ophcrack* is one example of a cracking tool; it recovers Windows password hashes from precomputed rainbow tables, so a short password that fits its tables is recovered without any guessing on the attacker's part.
- There are multiple sites with lists of the most common passwords in use today, like passwordrandom/most-popular-passwords*. Do a Google search and look for lists that show more than the top 25: if your password appears anywhere on such a list, it will be among the very first guesses an attacker tries. Don't use a commonly used password...don't be that guy/gal.
- Do not store your passwords in your browser, computer, phone, tablet (or any other data-storing device), or in an application used to store them, even one that comes embedded in your device. As convenient as it is, it is also very easy for the wrong person to take control of that file, and malware that harvests saved browser credentials is common. Passwords should be kept in hard copy or on a separate, secure device such as an encrypted USB stick or hard drive. Even then, take care not to write them out in the clear; write them in a way that only makes sense to you.
- Never use the same password for two sites, and do not use your network SSID as your password. An attacker who obtains your password from one site (for example through a breach of that site's user database) will try it against the other sites you use to see whether it grants access; this is called credential stuffing. And your SSID (Service Set Identifier) is broadcast to every device in range.
- Do not leave default usernames and passwords on any device that ships with them. Change them as soon as you start using the system: the defaults are printed in manuals and collected on sites such as urtech*, so an attacker who finds them needs no guessing at all.
- Think hard before using a password manager, as convenient as it may be. Every password you own then depends on one master secret and one store: if that store, or the company hosting it, is compromised, the result can be a disaster for all of your accounts at once.
Below is some (hopefully original!) advice for creating strong passwords that are easy to remember, yet difficult for others to crack. Keep in mind that every method below is known to crackers: cracking tools apply these very transformations automatically to each word in their lists. What protects you is the absence of a recognisable pattern (for example, if you like using book or movie titles, change the word order around, but don't make a habit of using titles for every account, and especially not your favourite ones, which anyone who knows you could guess):
- Many mishaps, and a lot of math, have shown that "ThisIsMyPasswordYouWhiners!" is actually harder to crack than "PT56%@w3". The reason is that a brute-force attack has to try every combination of the character set up to the password's length, and length dominates: eight characters drawn from all 95 printable ASCII characters give about 95^8, roughly 6.6 x 10^15, combinations, while 27 characters drawn from just letters and punctuation (84 symbols) give about 84^27, roughly 10^52. The one caveat is that the long password must not be a phrase an attacker could find in a list (a famous quote, a song lyric, a title); whatever it is, make sure that only you could guess it.
- A favourable password format is a mix of letters (lower and upper case), numbers and symbols. As complicated as that sounds, it is actually easy to implement. Example: HeyWhatsUpDock? can become H3yWhat$UpD0ck? (E=3, S=$, O=0, A=4 and so on). Use your imagination, but be aware that this kind of letter-for-symbol substitution is very common: cracking tools try every such swap automatically, so it adds far less strength than it appears to.
- You can replace part of the password with the digits of a phone keypad. Example: HeyWhatsUpDock? can become HeyWhatsUp3625? (D=3, O=6, C=2, K=5).
- You can take a phrase and shuffle the words around so that it makes no logical sense. Example: UpWhatsDockHey?
- You can combine the methods above to create complex, hard-to-crack, yet easy-to-remember passwords. Example: What$Hey3625Up?
- Recently I read an interview with a lady who had what I felt was a wonderful idea: she used short-term goals as her passwords, and as soon as she reached one goal, she set a new one. She ended up saving enough money to take the cruise of her dreams. Your passphrase doesn't have to be a goal; it can be anything. You can get very creative with this method.
- You can scale the complexity of a password to how much is at stake in each account. Email accounts and accounts that move money, like Amazon, PayPal or the mailbox you use to communicate with business partners, deserve far stronger passwords than a forum membership. Note that email belongs in the top tier in any case: it is where the password resets for all your other accounts land.
- It used to be advisable to change a password or PIN every year, then it became every six months, and now the common advice is every three months, with monthly changes recommended for businesses and sites handling financial transactions. A caveat: forced frequent changes tend to produce predictable variations (Password1 becoming Password2), which crackers anticipate, and more recent guidance such as NIST SP 800-63B drops the fixed calendar in favour of changing a password whenever there is reason to believe it has been compromised. Whatever interval you choose, change a password immediately when the site holding it reports a breach or you suspect it has been exposed.
- Avoid sites that test the strength of your passwords. Their scores are unreliable (a statistical result of many tests, not a measure of how your password would actually be attacked), and typing a real password into someone else's web form hands it to whoever runs that server. Consider using a password manager, but try to keep it off your main system, on an encrypted USB stick, hard drive or similar. If you do use one, give the manager itself the strongest password you can remember, since it protects everything else.
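To make concrete why every method in the list above is known to crackers, here is an added Python example, not code from the original article: a toy "wordlist plus rules" attack of the kind dictionary-based crackers run, with the leet swaps, the phone-keypad trick and the word shuffling from the list coded as rules, beside a simple estimate of the work a blind brute force would face. The wordlist, the rule set and the suffix list are constructed for the demo and are tiny compared with a real cracker's. Once a phrase is in the attacker's list, all four variants of HeyWhatsUpDock? shown above, and the 27-character ThisIsMyPasswordYouWhiners!, fall within a few hundred thousand guesses, while PT56%@w3 is not reachable from the list at all and must be brute-forced; the length argument holds only when the phrase itself is not guessable.

```python
import itertools
import math
import string

# Constructed toy wordlist for this demo. A real cracker loads millions of
# words, phrases and lines from breach dumps; the last two entries here are
# the article's own example phrases, included to show what happens once a
# phrase is in the list.
BASE_PHRASES = [
    "password",
    "letmein",
    "hey whats up dock",
    "this is my password you whiners",
]

# The letter-for-symbol swaps the article suggests (E=3, S=$, O=0, A=4).
LEET = {"e": "3", "s": "$", "o": "0", "a": "4"}

# Standard phone keypad letters (2=ABC ... 9=WXYZ) for the "Dock -> 3625" trick.
KEYPAD = {ch: digit
          for digit, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                                 "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items()
          for ch in letters}


def leet(word, letters=tuple(LEET)):
    """Swap the given letters for their look-alike symbols (default: all of them)."""
    return "".join(LEET[c.lower()] if c.lower() in letters else c for c in word)


def keypad(word):
    """Spell a word as the digits you would dial for it."""
    return "".join(KEYPAD.get(c.lower(), c) for c in word)


def leet_variants(word):
    """Toy rule set: no substitution, every substitution, or one letter at a time."""
    subsets = [(), tuple(LEET)] + [(k,) for k in LEET]
    return {leet(word, keys) for keys in subsets}


def word_variants(word):
    """Everything one word can become: as typed or Capitalised, leeted, or dialled."""
    out = set()
    for form in (word, word.capitalize()):
        out |= leet_variants(form)
    out.add(keypad(word))
    return out


def mangle(phrase, suffixes=("", "?", "!", "1"), max_reorder_words=4):
    """All candidates reachable from one phrase: word order x per-word variant x suffix.

    Reordering is only tried for short phrases (n! orders); a real rule set would
    rank the likeliest orders rather than skip them.
    """
    words = phrase.split()
    orders = (itertools.permutations(words) if len(words) <= max_reorder_words
              else [tuple(words)])
    out = set()
    for order in orders:
        for combo in itertools.product(*(word_variants(w) for w in order)):
            joined = "".join(combo)
            for suffix in suffixes:
                out.add(joined + suffix)
    return out


def mangling_attack(target, phrases=BASE_PHRASES):
    """Simulate a wordlist-plus-rules attack. Returns (found, candidates_tried)."""
    tried = set()
    for phrase in phrases:
        tried |= mangle(phrase)
    return target in tried, len(tried)


def charset_size(pw):
    """Alphabet a blind brute force must assume, judged from the classes present."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(n for test, n in classes if any(test(c) for c in pw))


def brute_force_bits(pw):
    """log2(charset ** length): the work a blind brute force faces."""
    return len(pw) * math.log2(charset_size(pw))


if __name__ == "__main__":
    for pw in ["PT56%@w3", "ThisIsMyPasswordYouWhiners!", "H3yWhat$UpD0ck?",
               "HeyWhatsUp3625?", "UpWhatsDockHey?", "What$Hey3625Up?"]:
        found, tried = mangling_attack(pw)
        print(f"{pw:28} brute force: {brute_force_bits(pw):6.1f} bits | "
              f"wordlist+rules: {'FOUND' if found else 'missed'} "
              f"within {tried} candidates ({math.log2(tried):.1f} bits)")
```

Run it as a script and compare the two columns: the brute-force estimate for H3yWhat$UpD0ck? is about 98 bits, yet the wordlist attack finds it after roughly 2^18 candidates, and the 27-character phrase fares no better once it is in the list. The substitutions and reorderings only help when the base phrase is one an attacker would never think to put in a list.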
Biometrics are also on the rise as a method of identification and as an added layer of authentication and security. They are still expensive to implement, however, and not yet fully accepted as a primary means of recognition, because statistics have shown that the cheaper readers (fingerprint, as opposed to retina) can produce many false positives, accepting the wrong person. As an added layer on top of a password, biometrics are excellent; they should not stand alone, since a fingerprint, unlike a password, cannot be changed once it has been copied. How far to go really depends on how much someone is willing to spend on such a system.
I really hope I haven't bored you with a much-repeated subject. Like everyone else in this industry who writes about it, I am trying to raise awareness and help close weaknesses in security. Remember, the weakest link isn't the machine; it is the person behind it.
* The above sites are only mentioned as examples, NOT endorsed. That’s why only their name is given, not the full link. You take full responsibility when visiting any of these websites.