It’s January again, and we all know what that means.
Resolution Time!!!
Eat healthier, save more, quit smoking, start exercising, and all of the other classics.
January is also a common time to review security practices and update passwords. 2015 ended with some staggering numbers on an ever-increasing amount of data breaches:
Medical/Healthcare field – 112 million records breached
Government – 34 million records breached
Banking/Credit/Financial – 5 million records breached
Dec 29th – Database containing 191 MILLION voter records was breached
A good sign is that FIs (financial institutions) were at the low end of the scale, which suggests that on your end, security measures are probably already fairly strong.
But the weakest link in any system is often the password. And this list of the 25 Worst Passwords of 2015 reminds us to revisit the basics of strong password security.
Strong passwords are important, but don’t have to be impossible to remember. Here are three factors to strong passwords and ways to use them while keeping the passwords “human-remember-able”!
1 – Make it as long as allowed, but easily-memorized
Password strength is directly related to how long it is. It makes sense – how many guesses would it take you to guess a 1-digit number? (Hint – hopefully not more than 9!) Or a 1-letter combo? How many guesses would it take to guess a 3-digit number? One thousand. You can see, just by adding a tiny amount of length, we’ve greatly increased the strength of our password.
Steve Gibson of GRC explains it very well (although a bit on the technical side) on his password website. Simply put, just by adding length, you exponentially increase the strength without necessarily making it harder to remember. (Check out his password analyzer. You can watch the “time-to-crack” increase with each digit/letter/symbol you type.)
So when the site requires a password of “8-32 characters”, use 32! But those 32 characters can be a string of words you find funny, or relevant, or easily memorized. A classic example is the phrase “correcthorsebatterystapler”. Four normal words that are funny enough when strung together that they would probably stick in your mind pretty well. And that phrase would take over 20 TRILLION CENTURIES to crack according to the GRC analyzer.
2 – Mix it up! Use all the varieties of characters allowed.
42% of all passwords consist of only lowercase alphabetic characters. So add any uppercase letters, numbers, or symbols and you’re already ahead of almost half the pack. Using our above example, if you added 4 digits to end up with “correcthorsebatterystapler1234” you would need 160 BILLION TRILLION CENTURIES to crack. And that’s not even using uppercase letters or symbols.
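As an added example (not from the original post or from GRC), here is the “haystack” search-space arithmetic behind the figures quoted in tips 1 and 2, in Python. It assumes GRC’s character-class sizes (33 symbols) and its “massive cracking array” rate of one hundred trillion guesses per second; the short password “Xk9$mQ2!” and the length_cap_penalty helper are constructed here to show what a site’s length cap costs.

```python
import string

# Character classes an exhaustive search must cover, sized as in GRC's
# "haystack" model (assumption: 33 symbols, i.e. punctuation plus space).
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation + " ",   # 32 + 1 = 33
}
# Assumed guess rate: GRC's "massive cracking array", 100 trillion per second.
MASSIVE_ARRAY_RATE = 1e14
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must enumerate: the combined size of every
    character class that actually appears in the password."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Haystack size: A + A^2 + ... + A^L, every string of length 1..L over
    the alphabet that a worst-case exhaustive search would have to try."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, rate: float = MASSIVE_ARRAY_RATE) -> float:
    """Worst-case time, in centuries, to exhaust the haystack at `rate` guesses/s."""
    return search_space(password) / rate / SECONDS_PER_CENTURY


def length_cap_penalty(password: str, max_length: int) -> float:
    """Factor by which a site that silently truncates to `max_length` shrinks
    the haystack (1.0 when the password already fits)."""
    return search_space(password) / max(search_space(password[:max_length]), 1)


if __name__ == "__main__":
    # Constructed inputs: the post's two passphrases plus a short "complex" one.
    for pw in ("correcthorsebatterystapler",
               "correcthorsebatterystapler1234", "Xk9$mQ2!"):
        print(f"{pw:32} alphabet={alphabet_size(pw):3}"
              f"  centuries={centuries_to_exhaust(pw):.3g}")
    cap = length_cap_penalty("correcthorsebatterystapler", 8)
    print(f"An 8-character cap shrinks that haystack {cap:.3g}x")
```

The model counts exhaustive search only, so a passphrase built from common dictionary words would fall to a wordlist attack far sooner than its brute-force figure suggests; treat the centuries as a ceiling, not a guarantee.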
3 – Update passwords periodically, and keep them secure.
We are human – creatures of habit. So it’s all too likely that some (or many) of you still have the same password as in high school. And it’s probably taped inside your desk drawer, or sticky-noted to your monitor. When you use the above tips and have strong passwords that you can remember, be sure to change them several times a year. And if you cannot remember them all, consider using a password manager (like one of these top choices from LifeHacker) instead of writing them down.
A last note not so much about password strength but about individual behavior:
The best method is to use separate passwords for every site. However, if you (or your clients) are the type to use one password everywhere, please RESIST THE TEMPTATION to use the same password for your financial and credit accounts as you do for your Eighties-Hair-Band-Fan-Club.Com membership! At the least you must have a distinct password for each financial site.
The beginning of the year is a great time to put out a reminder about security and specifically password strength. These tips apply just as much to banks and CUs (credit unions) setting password requirements as to a user creating a password. Keep in mind that if your requirements cap password length or restrict the characters allowed, you are hobbling the security system you’ve worked so hard to put in place by forcing weaker passwords.
(Disclaimer – this is not intended as technical security advice. Our intent is to foster a better understanding of common-sense security measures and to get you to think more about your password security.)
Sources:
Credit Union Times Jan 7 Article on The 10 Biggest Data Breaches of 2015
Fortune Dec 29 Article on Voter Records Breach
Gibson Research Password “Haystack” Method