Your passwords are the gateway to everything nowadays: online banking, bills, work computer, personal computer, the kid’s school portal, and your collection of recipes on some food site somewhere on the web. According to password company LastPass, the average employee has 191 passwords to keep straight in their head. I’m not sure about you, but I can’t keep that many things straight and would be locked out of many applications if I had to remember all of them. I’m sure this is also the case for many others, and because of this, we often see people choose convenient password techniques over secure ones.
Ignorance and Carelessness
I use a password generator/manager myself to keep my apps from getting hacked by my own inherent laziness. I know that isn’t the case for everyone out there, and I wanted to share some examples of how bad it gets and what kind of harm that can create. Here are some funny pictures that make the case for better password management.
This famous picture from the Hawaii Emergency Management control center made headlines after a recent false-missile-alert snafu. While the false alert was not a result of the password being written on a sticky note and stuck to the screen of the computer it is used on, it is a great example of the kind of lazy behavior that leaves management red-faced. Your passwords are mission-critical to everything you do at work. If you interact with systems inside your organization, or if your computer interacts with other internal computers, this kind of carelessness makes the entire business vulnerable.
I don’t have the backstory on this particular image, but look closely at what is going on here. The worker is in the middle of a TV interview! A TV INTERVIEW with her passwords on full display on the whiteboard in the back! Not only is she making it easy for people on-site to hack her, but she is giving her passwords away for any viewer of this TV show to log in and go crazy. This is an easy way for your company to suffer a loss. It may lead to a significant outlay of money in actual damages, reputational damages, and monitoring fees. And it’s something that could have easily been addressed by good password hygiene.
Password Strength (Or Lack Thereof)
Doing something like displaying passwords on the news is maybe the most extreme example of bad password hygiene. But while many of us are likely to at least try to hide our passwords, we’re not always doing it effectively. Most people use a password theme, simply creating variations of the same password concept. With this approach, if attackers get hold of your one “base” password, it becomes much easier for them to figure out the variations. This would allow these attackers to quickly gain access to a variety of internal applications and use them to rob you or your company blind.
Complexity and variation are key. The more complex your password is, the better. I know complexity is both the solution and the problem simultaneously. Remember, black-hat hackers are looking for ease of access. If you make it difficult to get into your computer or access your applications, they will move on to easier targets.
Passwords Done Right
Let’s talk about how to do passwords right. The last thing anyone wants is for their forgetfulness or laziness to become a vehicle for hackers to get at something important inside the organization, or into applications they have permission to use, where tremendous amounts of damage could be done. It’s important that we all learn how to manage and store passwords, and how to use a password generator/manager effectively, to ensure this doesn’t happen.
Migrating from traditional passwords to long passphrases can make an immediate impact on your security. Passphrases are effective in a few different ways. Not only are they long, complex, and difficult for hackers to crack, but they are also easy to remember.
Here are some examples of various passwords, their complexities, and how long it would take to crack each one. The best practice for password creation is to create long passwords with a variety of letters, characters, and punctuation marks, and with substitute characters for letters inside of words. If you think something simple like 12345, or even something as sneaky as 54321, is a great password, let me tell you: you are an easy target for compromise.
A Quick Look at Passwords
Making your current passwords stronger:
Avoid “Stock” Passwords:
Spring2018 (less than 1 day to crack)
$pr1ng_2oi8! (less than 1 day to crack)
Avoid Dictionary Words:
Ihatepasswords (less than 1 day to crack)
I HATE [email protected]! (1 day)
I_h4t3_p4ssw0rds! (8 days)
Try Passphrases. Something New and More Secure:
If you want to live a happy life, tie it to a goal, not to people or things. (Error: too long)
Iywtlahltitagntpot (52 centuries)
To be, or not to be, that is the question (4,088,960,191,467,738 centuries)
I don’t want change, I want Swiss cheese! (85,165,841,566,728 centuries)
Who approved Chad’s PTO? (12,916 centuries)
Using a Password Generator/Manager
Do you have a bad memory? Are you that person who forgets someone’s name two seconds after you meet them? Are you the person who has a notebook filled with passwords on your desk? There is hope for you.
A password generator/manager is software that stores your many passwords for you in a heavily encrypted vault. It can generate a password for the application you are logging into and then “lock it up” inside the vault. This is a very attractive option for the absent-minded, the person who has hundreds of password-protected applications, or anyone who is dedicated to taking security seriously.
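What the generator half of such a tool does for passphrases, as an added example that is not from the original article and is not any particular product's code. The word list is a small constructed sample and the 64-bit target is an assumption; the strength estimate only holds because every word is picked at random rather than by a person.

```python
import math
import secrets

# Constructed 32-word sample list so the example runs offline. A real generator
# would load a large published list (for example a 7,776-word diceware list).
SAMPLE_WORDS = (
    "anchor bacon candle desert ember falcon garlic harbor "
    "island jacket kettle lantern magnet napkin orchid pepper "
    "quartz ribbon saddle timber umbrella velvet walnut yonder "
    "zipper acorn bishop copper dagger engine fossil goblet"
).split()


def bits_per_word(list_size):
    """Entropy contributed by one word drawn uniformly from the list."""
    return math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(words, target_bits=64, separator=" "):
    """Return (passphrase, entropy_bits) using the OS CSPRNG via `secrets`."""
    unique = sorted(set(words))
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    count = words_needed(len(unique), target_bits)
    chosen = [secrets.choice(unique) for _ in range(count)]
    return separator.join(chosen), count * bits_per_word(len(unique))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS)
    print(f"{phrase}  ({bits:.0f} bits from a {len(SAMPLE_WORDS)}-word list)")
    print("words needed from a 7,776-word list:", words_needed(7776, 64))
```

The short sample list needs 13 words to reach the target, while a 7,776-word list needs only 5, which is why real generators ship large lists.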
Making the Adjustment
I would encourage you over the next few days to take a short inventory of the applications you use and the passwords you’ve chosen for them. If your password is essentially the same for each one, please know this: you are an easy target for compromise, you are a liability for your organization and your personal accounts, and there is a solution to make compromise less likely.
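One way to run that inventory, and to spot the “theme” habit described earlier, over an unlocked vault on your own machine. This is an added example, not from the original article: the account names, two of the sample passwords and the 0.8 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Undo common character substitutions so "$pr1ng" and "Spring" compare equal.
UNLEET = str.maketrans({"$": "s", "5": "s", "1": "i", "3": "e",
                        "4": "a", "@": "a", "0": "o", "7": "t"})

# Constructed sample vault (account name -> password). Two entries come from
# the article's list; "Spring2019!" and the random entry are made up here.
SAMPLE_VAULT = {
    "bank": "Spring2018",
    "email": "$pr1ng_2oi8!",
    "payroll": "Spring2019!",
    "recipes": "I_h4t3_p4ssw0rds!",
    "school": "kV9#tq2L!xW",
}


def skeleton(password):
    """Lowercase, undo substitutions, then drop separators and punctuation."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(UNLEET))


def themed_groups(vault, threshold=0.8):
    """Return sorted groups of account names whose passwords share a theme."""
    skeletons = {name: skeleton(pw) for name, pw in vault.items()}
    group_of = {name: {name} for name in vault}  # each account starts alone
    for a, b in combinations(vault, 2):
        if not (skeletons[a] and skeletons[b]):
            continue  # nothing left to compare (password was all punctuation)
        ratio = SequenceMatcher(None, skeletons[a], skeletons[b]).ratio()
        if ratio >= threshold and group_of[a] is not group_of[b]:
            merged = group_of[a] | group_of[b]
            for name in merged:
                group_of[name] = merged
    unique = {id(g): g for g in group_of.values() if len(g) > 1}
    return sorted(sorted(g) for g in unique.values())


if __name__ == "__main__":
    for group in themed_groups(SAMPLE_VAULT):
        print("same theme, change all of these:", ", ".join(group))
```

On the sample vault this flags bank, email and payroll as one theme, even though the three strings look different at a glance.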
Make the adjustment to long, secure passwords, and consider managing and storing them in a password vault and using a password generator.