The Art and Science of Passwords

Using and managing passwords is a drag, but the fact remains that they are the keys to our information kingdom and, for the foreseeable future, an inevitable part of everyday life. Weak passwords and reusing the same password across accounts are common in and out of the workplace, and represent one of the weakest links in our chain of cyber defense, both personally and professionally. In this blog, we offer hints and techniques you can use to increase the effectiveness of your passwords and better defend your increasingly vulnerable information and digital assets.

First, we will list some important considerations derived from password science and analytics, and then offer suggestions that incorporate these findings into useful techniques and approaches for your everyday use.

“The strength of a password is a function of length, complexity, and unpredictability.”

Important Analytical Considerations

  • Multiple character types alone will not help. Using different character types, such as upper and lowercase letters, numbers, non-alpha characters, and Unicode symbols, does not by itself make a password more secure.

  • Length is the most critical component of effectiveness. A hacker can crack an eight-character password in less than a day with "brute force" techniques. By contrast, one with ten characters will take over 18 months using the same techniques and technology. Mathematically, every character you add multiplies the number of possible passwords, so increasing your password length increases its complexity and effectiveness exponentially.

  • Hackers use common password intelligence. Modern hacking technology incorporates knowledge of the most often used passwords. For example, “Password1” is still the most-used password in the U.S., and many hacking programs build tens of thousands, if not hundreds of thousands, of known combinations into their cracking process.

  • Password hacking technology uses common keywords. Hackers know what is on our mind when we try to craft a word we can remember. Advanced hacking techniques incorporate common keywords such as popular names for babies and dogs and the top cities and states.

  • Replacing letters with numbers or symbols doesn’t help. Modern password hacking technology can “guess” the replacements through pattern recognition of known words. For example, “ba$3ball” is not a viable substitute for “baseball” (the 8th most popular word).
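To put numbers behind the length point in the list above, here is an added Python example (written for this page, not the author's code). It computes the keyspace, the entropy in bits, and the time an exhaustive search would need for several lengths and alphabets, and works out how many lowercase-only characters it takes to match a shorter password drawn from every character type. The alphabet sizes, the guess rate of ten billion per second, and the function names are assumptions chosen for illustration, not figures from the post.

```python
import math

# Alphabet sizes (assumed for illustration; these are the usual counts).
LOWER = 26      # a-z only
ALNUM = 62      # a-z, A-Z, 0-9
PRINTABLE = 95  # all printable ASCII, space through ~

ASSUMED_GUESSES_PER_SECOND = 1e10  # arbitrary rate chosen for illustration only
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Years needed to try every password in the keyspace at a fixed guessing rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def min_length_to_match(alphabet_size: int, ref_length: int, ref_alphabet_size: int) -> int:
    """Smallest length over `alphabet_size` whose keyspace is at least as large as
    `ref_length` characters over `ref_alphabet_size`. Shows how many plain lowercase
    characters buy the same search space as a shorter, mixed-class password."""
    target = keyspace(ref_length, ref_alphabet_size)
    n = 1
    while keyspace(n, alphabet_size) < target:
        n += 1
    return n


def growth_table(lengths, alphabets, guesses_per_second):
    """Rows of (alphabet label, length, entropy bits, years to exhaust)."""
    return [
        (label, n, entropy_bits(n, size), years_to_exhaust(n, size, guesses_per_second))
        for label, size in alphabets
        for n in lengths
    ]


if __name__ == "__main__":
    alphabets = [("lowercase", LOWER), ("alnum", ALNUM), ("printable", PRINTABLE)]
    print(f"{'alphabet':10} {'len':>4} {'bits':>7} {'years to exhaust':>20}")
    for label, n, bits, years in growth_table([8, 10, 14], alphabets, ASSUMED_GUESSES_PER_SECOND):
        print(f"{label:10} {n:4d} {bits:7.1f} {years:20.3e}")
    # Going from 8 to 10 lowercase characters multiplies the keyspace by 26^2 = 676.
    print("8 -> 10 lowercase chars grows keyspace by", keyspace(10, LOWER) // keyspace(8, LOWER))
    # Lowercase length needed to match 8 characters over all 95 printable characters.
    print("lowercase length matching 8 printable chars:", min_length_to_match(LOWER, 8, PRINTABLE))
```

The table makes the post's point visible: each extra character multiplies the keyspace by the alphabet size, whereas widening the alphabet at a fixed length only multiplies it by the ratio of the two alphabet sizes raised to that length, so a few more characters outweigh adding character classes.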

We should assume, for now, that passwords are the de facto authentication feature for the foreseeable future, and learn to use the science and math to our advantage. With this in mind, we offer some ideas and techniques that will substantially increase the complexity and effectiveness of your passwords, but remain broadly manageable and useful across your use of technology.

Useful Password Hints and Techniques

  • Length – Use the law of long numbers to your advantage and commit to using a minimum of 10 characters to construct every one of your passwords. In fact, make it 14 if you can. The difference in complexity and security is astronomical.

  • Complexity – Multiple character types combined with length equate to complexity. By definition, this “complicates” the task of creating and remembering the password, but it is a necessary component of the process.

  • Unpredictability – Avoid the common passwords and keywords hackers expect you to use. If you are going to use dictionary words, a random sequence is a must.


Putting It All Together

The ideal approach is to use a random password generator at maximum length, but for many people that is simply not practical. As an alternative, spend a bit of time picking a favorite phrase, short quote, or long song title. Choose a mnemonic or something that will cue your memory of the phrase you are creating. For example, “Mary had a little lamb” could be the basis for the unpredictable phrase "Mary had a big horse" - and then hash it up for complexity, something like this:

<aryHAD@bigHorsE.

Or, as another example, the mental prompt "Roses are red" could be used to cue the unpredictable phrase "Violets are green", and then hashed for complexity:

>iolet$r=GreeN!
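If you want to check a new password against the three hints above (length, multiple character types, unpredictability) before you commit to it, here is an added Python checker; it is not the author's code. The common-password and keyword lists are tiny constructed samples standing in for the large lists real cracking tools carry, the symbol-for-letter substitution map and the three-class threshold are assumptions, and the script runs the post's own two hashed passphrases and the weak forms it warns about through the rules.

```python
import re

# Constructed sample lists for illustration only (assumptions, not the post's data);
# a real checker would load large breach-derived password and keyword lists.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "baseball",
    "football", "letmein", "welcome", "monkey", "dragon",
}
COMMON_KEYWORDS = {"michael", "jessica", "buddy", "bella", "chicago", "texas"}

# Symbol-for-letter swaps that cracking tools undo by pattern matching,
# so "ba$3ball" is compared as "baseball". Assumed map, not exhaustive.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "3": "e", "0": "o", "1": "i",
                          "!": "i", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 10          # the post's floor
RECOMMENDED_LENGTH = 14  # the post's "make it 14 if you can"
MIN_CLASSES = 3          # assumed threshold for "multiple character types"


def normalize(password: str) -> str:
    """Lowercase, undo the substitutions above, and drop leftover punctuation."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET_MAP))


def character_classes(password: str) -> set:
    """Return the set of character classes (lower, upper, digit, symbol) present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password: str) -> dict:
    """Apply the three hints. 'fail' findings reject the password; 'warn' only advises."""
    findings = []
    n = len(password)
    if n < MIN_LENGTH:
        findings.append(("fail", f"length {n} is below the minimum of {MIN_LENGTH}"))
    elif n < RECOMMENDED_LENGTH:
        findings.append(("warn", f"length {n}; {RECOMMENDED_LENGTH}+ is recommended"))

    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        findings.append(("fail", f"only {len(classes)} character class(es); need {MIN_CLASSES}"))

    normalized = normalize(password)
    if password.lower() in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        findings.append(("fail", "matches a commonly used password (after undoing substitutions)"))
    hits = sorted(k for k in COMMON_KEYWORDS if k in normalized)
    if hits:
        findings.append(("fail", f"contains predictable keyword(s): {', '.join(hits)}"))

    return {"ok": not any(sev == "fail" for sev, _ in findings), "findings": findings}


if __name__ == "__main__":
    # The post's two hashed passphrases, followed by the weak forms it warns about
    # and a constructed name-plus-year example.
    for pw in ["<aryHAD@bigHorsE.", ">iolet$r=GreeN!", "ba$3ball", "Password1", "Michael2024!"]:
        result = check_password(pw)
        print(f"{pw!r:22} ok={result['ok']}")
        for sev, msg in result["findings"]:
            print(f"    [{sev}] {msg}")
```

Both of the post's examples pass all three rules, while “ba$3ball” fails on length and, once the substitutions are undone, on being a common word, which is exactly the pattern-recognition point made earlier.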

We strongly suggest storing the keys to your accounts in a password manager. A password manager can generate long, complex, random passwords for each account, and you access all of them with a single password that you create using the technique described above.

There are important considerations to take into account before adopting and using a password manager. Stay tuned for our future report that will detail everything you need to know before choosing and committing to the password manager of your choice.
