You are viewing our site as an Agent, Switch Your View:

Agent | Broker     Reset Filters to Default     Back to List

I H4TE [email protected]$$W0RD$!

December 12 2017

lwolf HatePasswords

We've all had that dreaded message appear, "Your password has expired, please create a new password."

The IT folks that manage our systems tell us that we can't use the same password we've used before, it must contain special characters, it must x characters in length...ARGH!!! This is extremely frustrating. Don't they know that we have better things to spend our time on than remembering passwords and their archaic requirements?

Being one of the aforementioned IT folks, I'd like to give you a few tips to make your life easier and hopefully even more secure.

In our day to day lives, we can no longer escape having to secure our online presence. Today, we use passwords to access our smartphones, computers, cloud services, banking, etc. We've all been told we shouldn't use the same password for multiple services. By doing this, we can prevent someone who gets your login information to your computer or smartphone from being able to access your online banking.

But how can you be expected to remember all the different passwords you're supposed to use? The answer is simple. Get yourself a password manager application: a password protected software application that stores multiple passwords for different services on your smartphone or computer. This software is extremely handy in a number of ways.

  • You only need to remember the password for the application and you can look up the other passwords you may need.
  • There are free and low-cost options available for PCs, Mac, Apple and Android devices.
  • They are encrypted so even if someone gets access to your computer and/or smartphone, they won't be able to see all your passwords (provided you didn't use the same password to login that you are using for the password manager—and who would do that?!)

Next, we need to start thinking about all the things you are using a password for. This usually falls into one of five categories: work, banking/finance, personal email, social media and smartphone. Ideally, we (the IT folks) want you to use a different password for each and every application. Believe it or not, we are also realists and understand that our password utopia is not your reality. That being said, I would personally urge you to, at a minimum, keep separate a password for each of those five applications.

A good security practice that you can start implementing right away is to stop using passwords and start using passphrases. What is the difference between the two? A password is usually just a single word or combination of letters, numbers and/or symbols and is usually less than 15 characters in length. They can be cryptic and difficult to remember and change. A passphrase, in comparison, can also have the same composition. However, it is usually much longer in length and may also contain spaces. Additionally, a passphrase can also contain symbols and it does not have to be grammatically correct. This flexibility makes it much easier to remember.

A good comparison of the two is "[email protected]$$W0rd" and "My password is Actually [email protected]$$w0rd." When you see "[email protected]$$W0rd," you may think it's secure. It's eight characters, has a combination of uppercase, lowercase and symbols. But the problem is, it is a very widely used word and the substitutions are all very commonplace—@ for A, $ for S and zero for O. On the flipside, the passphrase, "My password is Actually [email protected]$$w0rd" would be significantly stronger. It is 32 characters in length, and although easy to remember, would be extremely difficult to crack based on its length and variety of characters.

"[email protected]$$W0rd" would be guessed via a brute-force attack in about one minute with a botnet, while the passphrase would take approximately 5 tredecillion years to crack5 tredecillion years to crack. How's that for security?!

More and more applications are starting to use Single Sign-On (SSO). This is a technology that allows you to log in to multiple services using a single set of credentials. There are many sites today that allow you to login with your Facebook, LinkedIn or Office365 credentials. Although this makes life much easier for the user, from a security perspective, it widens the threat landscape. By that, I mean that having all those accounts linked will make it much easier for someone to access many of your online accounts if your credentials are ever compromised.

SSO is a very good technology and much less risky when used with Two-Factor Authentication (2FA)—or as Google® calls it, Two-Step Verification. 2FA works on the premise of providing access based on something you know (your password) and something you have (a token/SMS message). When you sign up to a website or service that supports 2FA, you will first login with your username and password and then the application will send you a "token" (typically a random code) to your smartphone. You will need to enter the token on the website before being able to log in successfully.


Now, like most IT messages, you probably skipped half of what I wrote. So here's a quick summary:

  • Use a password manager
  • Use passphrases where possible
  • The longer the better
  • Change them regularly
  • NEVER use the same password for your password manager that you use for anything else
  • Use Two-Factor Authentication (2FA) whenever possible
  • At a minimum keep six different passwords: work, banking/finance, personal email, social media, smart phone and password manager

To view the original article, visit the Lone Wolf blog.