Recently, SplashData released a list of the 25 worst passwords for 2013. It contained all the usual suspects for “so easy to hack as to be utterly useless.” If your password is on this list, please keep reading:
Many people continue to live a fantasy life of protection by relying on 1111, 1234, or “password” to secure their most valuable information with a password that a 5th grader could crack in less than 10 seconds. Using a simple password in today’s hacker-filled world is analogous to leaving your debit card on the sidewalk with the PIN taped to the back. You wouldn’t leave your debit card on the sidewalk for the few people who walk by to potentially drain your bank account. So why do you continue to use simple passwords when literally millions of people on the internet could access your bank account, your email, tax records, Social Security number, or other personally identifiable information just by guessing your password?
You know the excuses. In fact, you’re likely whispering them out loud or reciting them in your head as you simultaneously say “I know, I know, I need to do something about this.” The excuses are numerous, the risk is very real, but the solution is quick, rather simple and relatively painless.
Here’s an easy way to create a complex password that is unique to every website or application and dramatically increases your personal security by exponentially increasing the difficulty of hacking your information.
STEP 1: Craft a base phrase (or cipher)
Come up with a unique but somewhat silly phrase which holds meaning to you but is not known to anyone else. The phrase should be at least 8 characters long – LONGER is better. For the purpose of illustration, let’s say your base phrase/cipher is “I Love Purple Dogs.” This cipher becomes the basis for creating a complex password. While “I Love Purple Dogs” is a much better password than 1234, we can increase its complexity and effectiveness by following a few simple steps. Again, we start with our cipher and remove the spaces:
ILovePurpleDogs
STEP 2: Random capitalization
Instead of capitalizing the first letter in each word, capitalize the last letter in each word in your cipher (or the second letter, or third letter…you get it). Here is what our password looks like now:
ilovEpurplEdogS
STEP 3: Insert Numbers and Special Characters
While not all websites accept special characters in their password fields, nearly all accept numbers. Regardless, when you have the opportunity, you should always use numbers and special characters. For this example, we will assume the website application accepts both. A good suggestion is to use a special character in the beginning, a couple at the end of your cipher and then throw a number in somewhere. Our password evolves to the following:
#ilovE2purplEdogS!!
STEP 4: Make it website or application specific
Many people use the same password for every website and application they log into. Hackers love this! If they crack your password for one site, they now have it for all your sites. An easy way to craft a unique password for each and every website is to start with your cipher and insert the website’s initials somewhere within that phrase. For example, you can insert the initials at the beginning of the phrase. Alternatively, as we do in this example, insert the initials just before the word “dogs.” So if you’re signing into common websites such as the examples below, your passwords would look like the following:
Amazon: #ilovE2purplEAdogS!!
Yahoo: #ilovE2purplEYdogS!!
Facebook: #ilovE2purplEFBdogS!!
Twitter: #ilovE2purplETdogS!!
Integrated Computer Solutions: #ilovE2purplEICSdogS!!
STEP 5: Change it up
Change your cipher or password phrase every 30 to 90 days. The truth is, while most of us personally hate this, we all recognize that people write down their passwords, store them in notes on their phone, share them with IT support people, and even share them with friends or colleagues. Consequently, your personal security decreases over time. Therefore, it’s important to set a reminder in your calendar or, ideally, a policy on your system requiring that passwords be changed every 30 to 90 days.
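The five steps above are a mechanical recipe, so here they are written out as code. This is an added example, not code from the original post: the base phrase, the site initials and the insertion positions are the post’s own, while the function names, the complexity check and the rotation-reminder helper are assumptions made here for illustration.

```python
"""Worked example of the five-step password recipe described above.

Added example, not code from the original post. The base phrase, the site
initials and the insertion positions come from the post; the function names,
the complexity check and the rotation-reminder helper are assumptions made
here for illustration.
"""
from datetime import date


def style_word(word: str) -> str:
    """STEP 2: capitalize the LAST letter of a word, everything else lowercase.

    The post leaves the one-letter word "I" lowercase ("ilovEpurplEdogS"),
    so one-letter words are left alone here as well.
    """
    word = word.lower()
    if len(word) < 2:
        return word
    return word[:-1] + word[-1].upper()


def base_cipher(phrase: str) -> str:
    """STEP 1 + STEP 2: drop the spaces and restyle each word."""
    return "".join(style_word(w) for w in phrase.split())


def build_password(phrase: str, site_initials: str = "",
                   prefix: str = "#", number: str = "2", suffix: str = "!!") -> str:
    """STEP 3 + STEP 4, laid out exactly as in the post's examples:

        <prefix><word1><word2><number><middle words><initials><last word><suffix>

    With the post's phrase this yields "#ilovE2purplEdogS!!"; with the
    initials "A" it yields the Amazon example "#ilovE2purplEAdogS!!".
    """
    words = [style_word(w) for w in phrase.split()]
    if len(words) < 3:
        raise ValueError("use at least three words so the number and the "
                         "initials land between words, not at the edges")
    head = "".join(words[:2])      # words before the inserted number
    middle = "".join(words[2:-1])  # words between the number and the initials
    last = words[-1]               # the word the initials go in front of
    return f"{prefix}{head}{number}{middle}{site_initials}{last}{suffix}"


def site_passwords(phrase: str, sites: dict) -> dict:
    """STEP 4 for a whole list of sites: one password per site name."""
    return {name: build_password(phrase, initials) for name, initials in sites.items()}


# The worst-password entries the post itself names (constructed from the
# post, not the full SplashData list).
WORST_FROM_POST = {"1111", "1234", "password"}


def meets_complexity(password: str, min_len: int = 8) -> bool:
    """The checks a typical signup form applies: minimum length, an upper-case
    letter, a lower-case letter, a digit, a special character, and not one of
    the post's worst examples."""
    if password.lower() in WORST_FROM_POST or len(password) < min_len:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def rotation_due(last_changed_iso: str, today_iso: str, max_age_days: int = 90) -> bool:
    """STEP 5: True once a password is older than the 30-to-90-day window."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days


if __name__ == "__main__":
    sites = {"Amazon": "A", "Yahoo": "Y", "Facebook": "FB",
             "Twitter": "T", "Integrated Computer Solutions": "ICS"}
    for name, pw in site_passwords("I Love Purple Dogs", sites).items():
        print(f"{name}: {pw}  complexity ok: {meets_complexity(pw)}")
    print("rotation due:", rotation_due("2014-01-01", "2014-04-15"))
```

Running it reproduces the five site passwords listed above. One caveat worth seeing in the code: because the scheme is deterministic, every site password shares the same base, so a breach at one site exposes most of the others; that is the reason a password manager, which the post recommends below, generates an unrelated random password per site.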
Final notes:
Do it for me
If all of this is just too much to take in or remember, there are some phenomenal password management programs on the market today. Some are free and some charge for their services. Here are just a few of the highest rated applications:
LastPass 3.0: https://lastpass.com/
Dashlane 2.0: https://www.dashlane.com/
Roboform Everywhere 7: http://www.roboform.com/
Keeper 5.0: https://keepersecurity.com/
Norton Identity Safe: https://identitysafe.norton.com/
PasswordBox: https://www.passwordbox.com/
Two-Factor Authentication
An increasing number of websites are implementing two-factor authentication. Yahoo, Google, Twitter, etc. have all implemented this technology and business process to increase security. As the name implies, it involves two factors – a password and a secondary device (cell phone, email, variable passcode, etc.) that is unique to the user. We will blog about this in the future, but in the meantime here is a tutorial on it that you might find helpful: http://en.wikipedia.org/wiki/Two-step_verification
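The “variable passcode” mentioned above is what an authenticator app on your phone shows: a code that both the app and the website compute from a shared secret and the current time, so a password on its own is not enough to log in. As an added example (not code from the original post), here is that scheme, HOTP from RFC 4226 and TOTP from RFC 6238, with the app side (generate) and the site side (verify with a small clock-drift window). The secret is the test value published in those RFCs, not a real key, and the function names are assumptions made here.

```python
"""How a time-based one-time passcode second factor works (RFC 4226 HOTP and
RFC 6238 TOTP). Added example, not code from the post. The secret below is
the published RFC test value, not a real key."""
import hashlib
import hmac
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / 6238 published test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: what the phone app displays. The counter is the number of
    30-second steps since the Unix epoch, so the code changes every 30 s."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """What the website does with the code the user typed: accept the code for
    the current step and `window` steps either side (tolerates clock drift),
    using a constant-time comparison so timing does not leak digits."""
    now = int(time.time()) if now is None else now
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + delta), submitted)
               for delta in range(-window, window + 1))


if __name__ == "__main__":
    # Phone side: the code shown right now; site side: check it.
    code = totp(RFC_TEST_SECRET)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code))
    # A code from one step ago is still inside the drift window; two steps, not.
    print(verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 59), now=89))
    print(verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 59), now=125))
```

The test vectors in RFC 4226 (counter 0 gives 755224, counter 1 gives 287082) make it easy to confirm the implementation matches what real authenticator apps and sites compute. The window is the one tunable that matters for defence: wider means more tolerance for a phone with a slow clock, but also more codes that will be accepted at any moment.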
Look really smart to your friends
Share these steps. Security is everyone’s business. If someone in your company gets hacked, there is a strong likelihood that your personal information may also be accessible to that hacker over time. The same is true for home PCs, cell phones and tablets. Therefore, share this information with your team members, friends, and family members and encourage them to make their passwords complex and unique so we can increase the security for all.