Password advice from the wicked
Internet ransomers, hackers, and scammers all have password advice for you… keep your passwords simple, don’t change them and use the same ones for every site. Unfortunately many of us follow this terrible advice. Not having a good password scheme can lead to significant financial, privacy, social and career problems.
Instead of following what password advice the bad guys might tell us let’s follow what they actually do. The wicked know better than most that a complex password can keep their accounts secure and can protect them from other bad guys and law enforcement.
“Okay, I get it,” you say. “I’ll pick a tough password – MyCatIsMuffy7 – no one will guess that one.” It has lower case, capitals and a number. Plus it is pretty long. You feel really good about your password. You think it is so good, in fact, that you use it for your Facebook login, your bank and one of your favorite online games.
How could your password be compromised? There are several paths. I may be one of your six hundred “friends” on your Facebook page. I learn a lot about you including your cat’s name and your favorite number. It would not be a stretch to be able to guess your “great” password.
Or, even more likely, I hack into the game site that you use and download the password file for its hundreds of thousands of customers. Even worse, the site did not hash your password, so I can see it in plain text, associated with your email address. I now try all of the common social media sites, banks and other sites with that email address and password combination. Yikes! I’ve just compromised your accounts!
What makes a good password?
Good passwords are long.
Good passwords are unpredictable.
Good passwords have a mix of letters, numbers and special characters.
The best way to construct a password is to generate a long sentence and take characters from each word. Remember to intermix numbers and special characters and don’t forget to capitalize some. This process might seem like it is painful. Let me be perfectly clear – it is. But it is less painful than having your account compromised.
Passwords should be 12 characters or longer. Capitalize a character other than the first one. Put a special character and number in the middle of the password. These are things that make it much more difficult for bad guys to guess.
Make sure never to share passwords between important accounts. Your email password and banking passwords should be different. You do not want the compromise of one to compromise the other. Never, ever, ever share passwords between unimportant systems and important systems. Do you care if your Crate & Barrel registry, babysitting app or cooking website logins are compromised? No? Then definitely don’t share passwords between these and something you do care about like your retirement account. When one of these is compromised you don’t have to worry about your financial future.
There is no way I can remember all of those complex passwords
If only there were a technology that could help me remember things… I vaguely remember humans having had access to such a technology for the past two thousand years… Oh yeah, paper! Write it down. That’s right. Do what everyone tells you not to do. Write down your passwords. Don’t put your passwords on a sticky note next to your monitor or under your keyboard, but in your wallet, purse or a locked cabinet. To decrease the chance of compromise, don’t write down the complete password – for instance, always add the same two characters to the end of your passwords and leave those two off the paper. If you do think you are at risk of someone physically stealing your passwords, then don’t follow the strategy of writing them down.
Instead, you could use a password manager to manage your passwords. The password manager encrypts your passwords, and they can only be decrypted with your master password. There are several risks here, including someone obtaining or guessing your master password, the password manager having security flaws, or the computer/device that you access the password manager from being compromised. Make sure to generate a super secure master password and change it regularly.
What else can I do to improve password security?
Don’t share your password with anyone.
If you have the opportunity, turn on two-factor authentication. Two-factor authentication is a mechanism to authenticate with something you know, like a password, and something you have, like your phone (in many cases a text message sent to your phone). Many sites now offer two-factor authentication as an option, including Google, Yahoo, Microsoft, Facebook and LinkedIn.
We know it is tough to remember all of the password rules. That’s why at Fractional CISO we have created this handy Infographic to help you remember.
Good luck creating great passwords!