
Password Smarts

Havoc Wreaked by a Weak Password
Silver Prize Winner of Educause's Information & Security Awareness Poster & Video Contest 2011


As more and more aspects of our daily lives migrate to an online medium -- banking, shopping, social networking, etc. -- account security is becoming increasingly important. 

Unauthorized access to your email or social network accounts may seem like little more than a nuisance, but think about what could happen if your bank or credit card account information was compromised. How much damage could be done to your identity and financial security if that happened?

Fortunately, there are steps you can take to secure your accounts and prevent unauthorized access, starting with your passwords. Here are some rules for keeping your online accounts safe:

  • Rule 1: Use different passwords for different services.

    You may have one really complex password, but if you use it for all your accounts, a single compromise exposes all of them. By using different passwords for different accounts, you make it more difficult for others to access your accounts.

    Imagine that you use the same password for your e-mail account and an online shopping account, like amazon.com. If that password is compromised, someone could order items from your Amazon account to be sent to a new address, and if a confirmation goes to your e-mail account, they could delete it before you see it.

  • Rule 2: Create complex, strong passwords.

    Passwords are the weakest form of security, but they are commonly used to secure access to IT systems because they are cost-effective. The more complex you make a password, the longer it would take a malicious user to determine it and gain access. Some people find it difficult to remember random passwords, so a passphrase may be an alternative. Passphrases are normally longer than passwords (20 or more characters) but are usually easier to remember.

    Take a little time to develop a solid approach to creating strong passwords. Rather than reusing passwords, the best approach is to create your own system. For example, you can create passphrases from successive lyrics of your favorite song, turning each line into an acronym with some encoding. After six months on one line, move to the next line.

    • Make it easy to remember and easy for you to type accurately.
    • Avoid making it too personal so that someone who knows you well would not be able to guess.

    Creating a Passphrase

    Passphrases can be stronger than passwords because you are creating your own acronyms and not using chunks of words found in the dictionary. A planned passphrase approach makes changing passwords on a frequent basis easier, thereby improving your account security. Here are a few options for creating passphrases.

    In all cases you want to incorporate numbers and special characters to increase the strength of your passphrase. This may sound complicated, but it simply means swapping out some letters for other characters. For example, the letter "i" could be an exclamation point (!), or the letter "o" could be the number 0.

    Song Lyrics

    This is a great option because you can move through the song, using it to create new passphrases for a year or longer. Here's an example using Sam Cooke's A Change Is Gonna Come:

    !w88tr!alT = I was born by the river in a little tent

    0&jltr!8reS = Oh and just like the river I've been running ever since

    Here's the pattern followed:

    • Letter i is replaced by !
    • Letter o is the number 0
    • Each passphrase ends with an uppercase letter
    • Ampersand symbol used for word "and"

    Phrases You Can Easily Reuse

    Here's an example using the history of pet names. Using swaps similar to those in the song lyrics, you can go through all the pets you've had in your life. Or it could be car models, street names of where you lived, your favorite books, your favorite movies, etc.

    t1d!hwnS = The first dog I had was named Scooter.

    t1c!hwn^^P = The first cat I had was named Mr. Puff.

    t2d!hwn8 = The second dog I had was named Ben.

    Other examples: "The first street I lived on was Nottingham Way," "My favorite book as a child was The Lion, the Witch, and the Wardrobe," and "My favorite book as a teenager was Animal Farm." Notice that these use information you can easily recall and that may be personal, but creating acronyms from such phrases would make it almost impossible for someone close to you to guess your password.

  • Rule 3: Change Your Passwords Regularly

    Set a password changing schedule.

    Some security experts suggest changing passwords on sensitive accounts every 30-60 days. (How often do you change your banking account password?) At the least, consider changing passwords every 6 months. Here are some ways to establish a schedule:

    • Change all your account passwords when you change your clocks for Daylight Saving Time.
    • Change your passwords on the first of every month after you finish paying bills.

    Why is it important to change passwords regularly? Because each time we use a password, we're sending that information across the Internet. Even in encrypted form, the more often a password is sent across the Internet, the more opportunities hackers have to target it.

  • Rule 4: Know What Makes a Password Vulnerable

      • Mistyping your password into the username field. It's happened to the best of us: you accidentally type your password into the username field and try to log on. When you do this, you've just sent your password to the Internet without any encryption. The moment this happens, change your password.
      • Using known information about ourselves as the basis of a password. Avoid using birthdays, anniversaries, names of family members, street address, etc.
      • Storing your password on your computer/smartphone. Yes, it's convenient, but before you click "save," consider who has access to your computer or phone and thus to your various accounts.
      • Using complete words.
      • Using repetitive characters.
      • Using any of the popular passwords.
      • Using the same password across multiple accounts.
      • Writing down your password -- while it's best not to document passwords anywhere, sometimes the variety of passwords and accounts you need to maintain makes this impractical. If you do document your passwords, protect them like you would your money.
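The passphrase recipe from Rule 2 (first letter of each word, a few character swaps, uppercase final letter), written out as an added example that is not part of the original page. The swap table is read off the page's own examples (i to !, o to 0, "and" to &, and the b to 8, "Mr." to ^^ and number-word to digit swaps seen in the lyric and pet examples); extending the ordinals past "second" is an assumption of this example.

```python
import re

# Whole-word swaps taken from the page's examples. Ordinals beyond "second"
# are an assumption that extends the page's pattern.
WORD_SWAPS = {
    "and": "&",
    "mr": "^^",
    "first": "1", "second": "2", "third": "3", "fourth": "4", "fifth": "5",
}
# Single-letter swaps: i -> ! and o -> 0 are stated on the page; b -> 8 appears
# in its examples ("born by" -> "88", "Ben" -> "8").
LETTER_SWAPS = {"i": "!", "o": "0", "b": "8"}


def passphrase_from(sentence: str) -> str:
    """Turn a memorable sentence into an acronym passphrase using the page's
    pattern: one token per word, swaps applied, then the last token uppercased."""
    # Keep letters and apostrophes so "I've" stays one word; drop other punctuation.
    tokens = []
    for word in re.findall(r"[A-Za-z']+", sentence):
        key = word.strip("'").lower()
        if not key:
            continue
        if key in WORD_SWAPS:                 # whole-word swap, e.g. "and" -> "&"
            tokens.append(WORD_SWAPS[key])
        else:                                 # else the first letter, swapped if listed
            tokens.append(LETTER_SWAPS.get(key[0], key[0]))
    if not tokens:
        raise ValueError("sentence contains no words")
    # Page rule: the passphrase ends with an uppercase letter. Digits and symbols
    # have no case, so "Ben" -> "8" stays "8", matching the page's example.
    tokens[-1] = tokens[-1].upper()
    return "".join(tokens)


def character_classes(passphrase: str) -> set:
    """Report which character classes the page asks for are present."""
    classes = set()
    for ch in passphrase:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("upper" if ch.isupper() else "lower")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    for line in ["I was born by the river in a little tent",
                 "The first cat I had was named Mr. Puff."]:
        p = passphrase_from(line)
        print(f"{p:12} <- {line}  classes={sorted(character_classes(p))}")
```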