How to Make Your Passwords Worthless to Hackers

Passwords have been around since the dawn of computers. Initially they were meant to prohibit employees from accessing the wrong accounts and keep competitors away from your company’s trade secrets. However, they have long outlived their effectiveness in today’s cyber risk world.

According to Verizon’s 2017 Data Breach Investigation Report, compromised passwords are, by far, the most prevalent gateway for hackers to get into personal and company information. 81% of data breaches last year occurred via weak or stolen passwords. Believe it or not, 17% of users still use “123456” and 10% use “password” as their passwords.

Here are six password strategies to keep bad actors at bay.

Create Hard-to-Guess Passwords

There’s been a lot of discussion about what makes up a good password. Most organizations endorse a policy of long passwords made up of alphabetic, numeric and special characters. The problem is that you may not remember such a password if it’s too difficult. Even worse, you’ll store it on a sticky note beside your computer so you can reference it often.

NIST recently came out with a recommendation to choose a long, obscure phrase that only you know: your favorite movie as a kid, for example, or your childhood best friend’s first and last name. Their research states that such a phrase, if it is more than eight characters, is more effective than a combination of letters, numbers and special characters.

Use Different Passwords for Different Apps

If you use one or two of the same passwords for many sign-ins, you will make a cybercriminal’s day. Create a unique password for each sign-in.

Change Them Often

Establish a policy regarding password changes. I recommend they be altered at least every 90 days.

Use a Password Manager

Only want to remember one password? Companies like Dashlane, LastPass, and RoboForm store all your passwords in one location.

Use Multi-Factor Authentication (MFA)

First, there were passwords. Then, there was two-factor verification. Now, prepare for multi-factor, where a password, a code and something unique to you (e.g. voice, face, fingerprint) together confirm that you should have access to that data.

While MFA isn’t available everywhere, I strongly recommend you implement 2FA now, so when the next layer is available, you are ready.

Check for Email Breaches on a Regular Basis

Using a tool like have i been pwned? can help identify which applications associated with your email address have been compromised and the type of data that was stolen. Change passwords immediately for those apps at risk.

Brought to You by Axiom Cyber Solutions

Even with the best password strategy, you still need a holistic solution that makes your company’s data nearly impenetrable. We’ll monitor your network 24 hours a day and update your systems hundreds of times per day to ensure your organization has the highest levels of protection. Give us a call today at (800) 519-5070 to learn more!

Using “Three” To Create a Strong Password

If there is one thing we’ve learned from the hacks of LinkedIn, MySpace and most recently VerticalScope, it’s that people are really bad at creating strong passwords. Whether it’s due to laziness or simply the difficulty of remembering complicated passwords, cyber-criminals are able to capitalize on this practice to hack into accounts or sell this information so that others can. And since people often use the same password for multiple applications and websites, this gives hackers the potential to take over accounts elsewhere as well.

Hackers commonly look for passwords composed of:

  • Words in the dictionary
  • Dates
  • Familiar sequences of numbers (e.g. 123456) or letters (e.g. qwerty)
  • Information commonly found in social media updates (e.g. anniversaries, nicknames)

Face it, people use these as passwords because they make sense and are easy to remember. Unfortunately, though, it’s also relatively easy for hackers to crack them by using programs that quickly run through thousands and thousands of known options like those above.

To be safer, it’s crucial to have a strong password that takes so much effort to crack that it’s impractical for a hacker to attempt. For a password to be considered “strong” it should be a combination of lower and upper case letters, numbers and symbols, be at least 12 characters long, and NOT fit into one of the above categories. It also needs to be changed regularly, which, unfortunately, makes it even more difficult for most people to memorize.

So the challenge is to create a unique password that is easier for us to remember, but is nonsensical enough that it cannot be cracked easily. And we have to be able to change it and still remember it.

Here’s a “formula” that might help you create a strong password that not only will you be able to remember, but will also be very difficult to crack. It’s based on the power of “3.”

Power of Three

Have you ever noticed how often you are naturally drawn to something composed of three things or divisible by three? How many stars are in Orion’s belt, and how quickly can you find it on a starry night? How many rows are in an 18-pack of eggs? If you look at a picture of two triangles compared to one of three triangles, which gives you a sense of completeness? Count to 48 by threes. Count to 48 by fours. Which was easiest?

For most of us, the model of “three” is something we’re more naturally drawn to. So to make a memorable password, create one made up of combinations of three.

Here’s an example:

Choose three things in your past that are somehow related, such as the elementary, middle, and high schools you went to (or three favorite cousins, etc.). What are the first three letters or three initials of each? Write those down, but capitalize the letter that corresponds with the order in which they came into your life (for example, the order in which you attended the schools). Now put a number next to each, ranking them from your most favorite to your least favorite, and write down the three-digit number that creates. Next, to make things less predictable, put your favorite symbol (for example !) next to the most memorable one. Lastly, combine all the results.

The table below shows how this looks and the resulting password.

You’ve now created a password that makes sense to only you and would not be easily cracked. It can also be remembered with a little bit of effort. But the real trick to remembering it is committing it to muscle memory. So once you’ve calculated your password, type it at least 30 times until it becomes ingrained (you might need to do this a few times). To more effectively memorize it, type it in the groups of three that you created – Spr…wAs…!…chA…231 – (like a dance step).

When it comes time to change your password, just move one of the groups of three to another position, such as 231SprwAs!chA. (You can also change the three-digit number as the order changes.) Again, type the new password 30 times or more until it becomes ingrained in your muscle memory.

Lastly, a good thing to do is have a different password for everything you log into. In this case, just add three letters from the application or website name to the beginning or end of your password (e.g. “Lin” for LinkedIn results in SprwAs!chA231Lin).
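As an added example (not the article's own code), the "power of three" formula above in Python: the three capitalised groups, the symbol on the most memorable group, the ranking digits, the group rotation used to change the password, the per-site suffix, and a check against the article's composition rules. The school names are constructed so that their first letters reproduce the article's Spr…wAs…!…chA…231 example.

```python
from string import punctuation

def three_group(word, capital_position):
    """First three letters of `word`, upper-casing the letter at capital_position (1-3)."""
    letters = word[:3].lower()
    if len(letters) != 3 or capital_position not in (1, 2, 3):
        raise ValueError("need a word of at least three letters and a position 1-3")
    i = capital_position - 1
    return letters[:i] + letters[i].upper() + letters[i + 1:]

def power_of_three(items, life_order, favorite_rank, symbol, most_memorable):
    """Return the article's groups: three letter-groups (the capital marks the order
    the item came into your life), the symbol glued to the most memorable group
    (0-based index), and the three-digit favourite-ranking number."""
    if not (len(items) == len(life_order) == len(favorite_rank) == 3):
        raise ValueError("the formula works on exactly three related items")
    groups = [three_group(w, p) for w, p in zip(items, life_order)]
    groups[most_memorable] += symbol
    groups.append("".join(str(r) for r in favorite_rank))
    return groups

def rotate(groups, from_index, to_index):
    """Move one group to another slot: the article's way of changing the password."""
    g = list(groups)
    g.insert(to_index, g.pop(from_index))
    return "".join(g)

def with_site(password, site_name):
    """Append the first three letters of the application name for a per-site variant."""
    return password + site_name[:3]

def meets_composition_rules(password):
    """The article's composition rules only (12+ chars, lower, upper, digit, symbol);
    it cannot tell whether a group is a dictionary word or a date."""
    return (len(password) >= 12
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in punctuation for c in password))

# Constructed sample input (not from the article): three school names whose first
# letters match the article's groups, attended in the listed order, ranked 2, 3, 1
# by favourite, with the second school as the most memorable one that gets "!".
SAMPLE_GROUPS = power_of_three(["Springdale", "Washington", "Chapman"],
                               [1, 2, 3], [2, 3, 1], "!", 1)

if __name__ == "__main__":
    base = "".join(SAMPLE_GROUPS)
    print(base, rotate(SAMPLE_GROUPS, 3, 0), with_site(base, "LinkedIn"))
```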

The key here is using multiple groups of three to create a unique password that you’ll be able to more easily remember. Then repeatedly type it until it comes naturally when you need to enter it.