When my son was three years old he liked to play a game with me that he called “What’s the password?” This game consisted of him standing in a doorway with his arms stretched out to block access. He then asked me for the password and if I guessed correctly, I was allowed to pass. I am, of course, expected to want to go through this same door dozens of times in a row, each time being forced to answer the challenge. Strangely, there was only one correct response that he would accept to open the gate. That word was “Password.”
At first I found this funny and played along. However, it went on for a couple of months and quite honestly, I started to get concerned. What if my son ends up to be one of those kinds of people–you know, the people who use “qwerty,” “asdfgh,” and “password” as their password. What if instead of creating strong passwords, his password is simply his name backwards, or “admin” for the admin account, or his name for his online account?
Over the past several years I have run across these passwords, or others just as bad, at customer sites. Sometimes I discovered them by taking a stab in the dark, even without a password-cracking tool. And now it seemed my son was on this same destructive path. You can tell your kids not to smoke or do drugs. But how do you tell your three-year-old son he’s on the verge of becoming a password degenerate?
Fortunately my son was young and I had many years left to twist his mind into the paranoid realm I embrace with warm affection. For others, it might be too late. Passwords have always been the strong and weak point of security for both business and personal accounts. Strong passwords generally indicate stronger security, while weak passwords lead to compromise. So why do passwords fail to protect so many users and organizations? To answer that, you have to look at a much bigger picture.
Poorly Designed Passwords
When a password is created without the help of an automated tool, most people choose easy-to-remember passwords. Sometimes it’s the first letter of several words. Or, people use anniversary or birth dates. Although these can be used to create a strong password, more times than not they are done wrong. A person’s name with a date at the end, like Jim1970, will be found by most password crackers. January1970 is equally bad. Sometimes people get creative and change letters such as ‘O’ with the number zero, or letter ‘I’ with the number 1. Although minor changes add a little extra security, they are not recommended and still considered weak.
Strong passwords require a minimum of eight characters, with both upper and lower case letters, at least one or more numbers and, most importantly, at least one unique character such as ! or @. If you follow these simple guidelines, you can be certain your password will be secure. However, just because it’s easy to create a unique strong password doesn’t mean it will be easy to remember. Even worse, if you have several online accounts such as Facebook, Twitter, or Pinterest, each account should have its own unique password. Now you’re stuck trying to remember all these crazy characters for all these different passwords assigned to all these different accounts. Like everyone else, you come up with one good password and use that for every account. Although it’s easier, it puts all your accounts at risk. Let’s say that a hacker discovers the password for one of your accounts. Since most people use the same password for all accounts, the hacker takes the login credentials stolen from the first account and tries them at every other online account he can think of. If your password is the same everywhere, each one of your accounts will be hacked in short order.
Here’s a trick to create a strong unique password for each online account without having to be a Mensa member to remember them. First, come up with your base password, consisting of seven characters that are both upper and lower case, numbers, and at least one unique character. Ours will be: Jw75T!z. Next go to one of your online accounts—let’s say www.facebook.com. To make your password unique and still be able to remember it, take a portion of the website domain name and add it to your password. For example, take the first three letters of facebook.com and add them to the end of your password. So your password becomes “Jw75T!zfac”. We could also put the domain letters at the beginning of the password: “fac Jw75T!z”. To make it even more unique, reverse those first three letters so “fac” would become “caf” and add those to the end of our password: “Jw75T!zcaf”. Of course you don’t have to use my specific example of the first three characters; you might choose to use the last two or maybe the first and last letter of the domain. Whatever you come up with, use that same criteria for each online account.
Security doesn’t have to be difficult. By following this simple tip, you can ensure that your base password is strong, and you’ll have unique passwords for each online account. Just as important, you can rest easy knowing you’re one of the few who escaped the label of password degenerate.
Jim Stickley is the CTO and Vice President of Strategy & Solutions for TraceSecurity Inc. and is a cyber-security expert with more than 20 years in the industry.. He has been featured in magazines and newspapers including Time magazine, Business Week, Fortune magazine, New York Times and hundreds of other publications. He has also been showcased on numerous television shows including NBC’s Nightly News, CNN’s NewsNight, and is a frequent guest on NBC’s Today Show. He is the author of The Truth about Identity Theft and a co-author of Beautiful Security.