Much has been said about password recycling, and in spite of that 57% of users still reuse passwords. This means that the password you use for your bank account is the same one you use for social media or to order pizza. Whenever one of these organizations is hacked and its password database is dumped on the black market, getting into the rest of your accounts is not difficult: the password stolen from the pizza website is most likely the same one that opens your bank account.
Why is it so difficult for people to embrace a system of secure passwords?
Because the problems that arise in the cyberspace domain do not cause physical pain, or the immediate, physical fear you would feel if a thief with a knife approached you at an ATM.
What if I told you that you can have 20+ different passwords, carry them in Notes (iPhone) or Evernote (other smartphones), and not have to rely on a system like LastPass (which has already been hacked) or any other third party to hold the key to your important information?
This is how you do it:
Select a phrase that means something to you and that you have not posted all over social media. The phrase I will use for my example is United We Stand Divided We Fall. Then take the first two letters of each word to create a baseline: UNWESTDIWEFA
This baseline is still not secure: it is made of fragments of dictionary words in many languages. So we use leet to convert vowels into numbers, like this: A=4, E=3, I=1, O=0; I also like to convert L=7. With those substitutions, and whatever mix of upper and lower case you prefer, the baseline becomes: UnW3StD1W3F4
Although this is a better constructed password, it is still easy to crack. To make the life of cyber crooks harder, add any of the following markers: ! @ $ & Place one marker no farther than the fourth character from the beginning and one no farther than the fourth character from the end. It will look something like this: !UnW3StD1W3F4$
This password is still short, because we want at least 16 characters. So add your favorite numbers at the end: !UnW3StD1W3F4$5326
Now we have an 18-character password that, against a straightforward brute-force attack with today's technology, would take about three months to crack. A password that cannot be cracked within 24 hours is useless to cyber crooks, who need to turn things around quickly.
How do you make one for each account?
If the password !UnW3StD1W3F4$5326 is for your email account, you can change it to U!nW3StD1W3F4$5326 for one of your social media accounts and to UnW!3StD1W3F4$5326 for another. Remember that the front marker must not pass the fourth character; your next combination can swap the marker itself: &UnW3StD1W3F4$5326. Just like that, you can have many different passwords without having to remember much about them. Keep in mind that these variants differ from each other by a single character, so if one of them is ever exposed in plain text, anyone who spots the scheme can try the others; in that case change the phrase, not just the marker.
Some organizations do not allow passwords longer than eight characters. For those, I recommend that you always start your password with a special marker and end it with one: &UnW3St&
How do you store this password in your notes to keep it safe?
You do not write the actual password, only a hint. For this password I would write:
Social Media 1: ! in second America$#
Social Media 2: ! in fourth America$#
Only you know what you mean by America, and only you know which number you have chosen. Do not use your date of birth, your wedding date, etc. Maybe you want to use the date of your first kiss, unless you also plastered that date all over social media.
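The whole procedure above, written out as an added example that is not code from the original post: the baseline, the leet substitutions, the markers and digits, the per-account variants and the 8-character form, plus a resolver that turns a hint written the way the post writes them ("! in second America$#") back into the password. The function names, the hint grammar and the rule that capitalises each two-letter chunk are this example's own assumptions; the phrase, the leet table, the markers and the digits are the post's.

```python
"""Added example, not code from the original post: the phrase-to-password
procedure (baseline, leet, markers, digits), the per-account variants, the
8-character form, and a resolver for hints of the form "! in second America$#".
Function names, the hint grammar and the alternating-case rule are assumptions
made here; the phrase, leet table, markers and digits are the post's own."""
import re

# Leet substitutions named in the post: vowels to digits, plus L -> 7.
LEET = str.maketrans("aeiolAEIOL", "4310743107")
MARKERS = "!@$&"                      # the four markers the post allows
ORDINALS = {"first": 0, "second": 1, "third": 2, "fourth": 3}


def baseline(phrase: str) -> str:
    """First two letters of each word, upper-cased -> 'UNWESTDIWEFA'."""
    return "".join(word[:2].upper() for word in phrase.split())


def stylise(base: str) -> str:
    """Capitalise each two-letter chunk, then apply leet. The post leaves
    case to the reader; this choice reproduces its example 'UnW3StD1W3F4'."""
    chunks = [base[i:i + 2] for i in range(0, len(base), 2)]
    return "".join(c.capitalize() for c in chunks).translate(LEET)


def build_password(phrase, front_pos=0, front="!", back="$", digits="5326"):
    """Insert the front marker at index front_pos (0..3: 'not farther than
    the fourth character'), append the back marker, then the digits."""
    if front_pos not in range(4):
        raise ValueError("front marker must sit within the first four characters")
    if front not in MARKERS or back not in MARKERS:
        raise ValueError("markers must be one of ! @ $ &")
    core = stylise(baseline(phrase))
    return core[:front_pos] + front + core[front_pos:] + back + digits


def variants(phrase, digits="5326"):
    """The per-account family from the post: walk the front marker through
    positions 0..3, then swap the marker symbol itself (16 strings in all)."""
    return [build_password(phrase, pos, front, "$", digits)
            for front in MARKERS for pos in range(4)]


def short_form(phrase, marker="&"):
    """For sites capping passwords at eight characters: marker + the first
    six characters of the stylised baseline + marker -> '&UnW3St&'."""
    return marker + stylise(baseline(phrase))[:6] + marker


def meets_post_criteria(pw: str) -> bool:
    """The post's own checklist: 16+ characters, upper and lower case, a
    digit, a marker within the first four characters, two markers in all."""
    return (len(pw) >= 16
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in MARKERS for c in pw[:4])
            and sum(c in MARKERS for c in pw) >= 2)


# Hint resolution: the hint lives in the note; the phrase behind the nickname
# and the digits stay in your head. Constructed sample secrets for the demo:
SECRETS = {"America": "United We Stand Divided We Fall"}
HINT = re.compile(r"([!@$&]) in (first|second|third|fourth) (\w+)([!@$&])#")


def resolve_hint(hint: str, secrets=SECRETS, digits="5326") -> str:
    """'! in second America$#' -> front marker '!' in the second position,
    phrase nicknamed 'America', back marker '$', '#' = your chosen number."""
    m = HINT.fullmatch(hint.strip())
    if m is None:
        raise ValueError(f"hint not in the expected form: {hint!r}")
    front, ordinal, nickname, back = m.groups()
    return build_password(secrets[nickname], ORDINALS[ordinal], front, back, digits)


if __name__ == "__main__":
    phrase = SECRETS["America"]
    print(build_password(phrase))                  # !UnW3StD1W3F4$5326
    print(resolve_hint("! in second America$#"))   # U!nW3StD1W3F4$5326
    print(resolve_hint("! in fourth America$#"))   # UnW!3StD1W3F4$5326
    print(short_form(phrase))                      # &UnW3St&
```

Running the script reproduces the post's email, social media and 8-character passwords from the phrase and the hints alone. Note that `variants` returns only sixteen strings: the family is small and mechanically related, which is why a variant exposed in plain text should be treated as exposing the scheme for that phrase.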
Do I change my password every month or every three months?
NO!! Many other cyber geeks have written about the recklessness of asking people to change their passwords every three months. According to Mandiant/FireEye, it takes organizations in the private and public sectors alike an average of 265 days to realize that they have been compromised. So when you make employees change passwords every three months, or whatever the routine is, two things happen: 1) if intruders are already in your servers, you let them see the new collection of passwords; and 2) employees become lazy and do not construct long, secure passwords but the kind we see whenever a system is breached: password123, padres123, etc.
I am aware that most government organizations make you change passwords every three months. If this is your case, create a secure password and only change the numbers at the end. When the system tells you that the new password is too similar, write it backwards. This is a practical way of complying with the regulation while giving the Italian salute to a ridiculous and insecure system. Keep in mind, though, that reversing a password and changing its trailing digits are among the first transformations password-cracking tools try, so this buys you compliance, not extra strength.
When do I change my passwords?
When an organization you have an account with is compromised. Because you did not recycle the password, you only need to change it for that organization. If the site lost only password hashes, a strong password of this kind is unlikely to be recovered from them and the change can be as subtle as moving the special characters to the right or the left, so you do not have to create another phrase. If the password itself was exposed in plain text, assume the scheme is known and build a new family on a new phrase.
Some of my customers like to use a phrase for all financial accounts and a different phrase for the rest of their accounts.
For unimportant websites that require a password and where you do not store a credit card or other payment information, you can use Blur (dnt.abine.com).
That is all for now, folks! Do not procrastinate: start changing all your unsecured passwords today.
Meta brings the course Risk Management When Online to your organization, wherever you are located. Watch this short clip: https://www.youtube.com/watch?v=aRXazQuPzFs Then call us to schedule training for your team or organization.
About the Blog
This blog is updated bi-weekly and addresses a variety of topics concerning cybertechnology, privacy and ethics in the cyberspace domain.