Is there anyone out there who doesn’t know that a more complex password is a better, safer password? Yet we still see people with passwords like ‘1234’ who, when they really want to add that extra layer of security, go with ‘12345.’ Those aren’t the sort of creative passwords needed to reduce the risk of having your email hacked.
At the same time, the average person isn’t going to be able to remember multiple passwords that look something like ‘$e1/|W6w@!12.’ So what’s the average person to do? What can you, as a security professional, do to get your users to strive for more secure passwords? Yes, you can set parameters that require a minimum number of characters, specific character types, etc. But you can also help them learn to build creative passwords that will serve them both at work and personally.
1. Use Passphrases
As an example, I lived on DuPont Street for a while growing up, and my best friend was Jerry Taylor. At the very least, which still leaves a bit to be desired, you could do ‘dup0nTj3rry.’ You’ll see in a second why that might not be the most desirable. Something better would be ‘djU3Pr0RnYT!’, where I simply blended the two words together.
2. Avoid Common Character Substitution
Above you can see that I used a ‘0’ in place of an ‘o’ and a ‘3’ in place of an ‘e.’ Be careful doing this. Consider alternating between the common character (o) and the substitution (0) so that neither is always used. The goal is to avoid predictability; using the same character substitution every time is predictable.
3. Check Your Password's Strength
Go to a site like The Password Meter and enter your passwords; this will give you an idea of the strength of your passwords and what you can do to strengthen them. By the way, ‘1234’ and ‘12345’ both score a password strength of 4%, so no one is being fooled! (Well, maybe you.)
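To show why a checker can see through tips 2 and 3, here is a small strength check added for this article (it is not the site’s code and not how The Password Meter scores). It undoes the common substitutions before looking for dictionary words, and flags sequences like ‘1234’, short length and too few character classes. The substitution table and the tiny wordlist are constructed stand-ins for a real breach or dictionary list.

```python
import re

# Constructed table of the common substitutions tip 2 warns about, reversed so
# that '0' reads as 'o' again before the dictionary check runs.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = ("dupont", "jerry", "password", "taylor")


def normalize(pw: str) -> str:
    """Undo common character substitutions and lowercase the result."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def is_sequence(pw: str) -> bool:
    """True for runs like '1234' or 'abcd' where each char is one step after the last."""
    return len(pw) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def weaknesses(pw: str) -> list:
    """Return a list of human-readable problems; an empty list means none were found."""
    found = []
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    if is_sequence(pw):
        found.append("sequential characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        found.append("fewer than 3 character classes")
    norm = normalize(pw)
    for word in WORDLIST:
        if word in norm:
            found.append(f"contains dictionary word '{word}' after undoing substitutions")
    return found


if __name__ == "__main__":
    for candidate in ("1234", "dup0nTj3rry", "djU3Pr0RnYT!"):
        print(candidate, "->", weaknesses(candidate) or "no weaknesses found")
```

The street-plus-name password from tip 1 still reveals both words once the substitutions are undone, while the blended version does not.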
4. Change Your Passwords Often
Modern moms don’t ask their children if they changed their underwear; they ask if they changed their passwords. Seriously, change your passwords regularly.
5. Create Individual Passwords
You have accounts on 1000 sites and each requires a password? Having an individual, creative password for each? Rubbish, you say? Again, this is about being creative. According to The Password Meter, the made-up password ‘cNl2!m8pZ’ gets a 98%. Let’s say you need a password for the Seattle Times and for Groupon. You could use ‘cNl2!m8pZ_sttltms’ and ‘cNl2!m8pZ_grpn’, simply removing all vowels to spell the site name at the end. That would allow you to have a secure password on each site.
6. Not All Passwords Need to be Equal
Having a strong password for financial information or corporate intellectual property is much more important than having a strong password for your weekly grocery shopping list site. You wouldn’t leave a stack of 100 dollar bills out in plain sight; you would secure it in a bank or maybe a safe. You probably wouldn’t do that with your favorite recipes or some coupons. So always use the strongest passwords for the strongest needs.
Start teaching and using creative passwords, and be sure people don’t become complacent. All it takes is one hacked email account and you’ve opened a can of worms.