Cybersecurity Tips: Passwords
8 characters, one capital, one lower case, one number, one special character.
Or so they told us. Unfortunately, those simple days have passed us by!
Having strong authentication is an absolute necessity nowadays, and that begins with strong passwords.
But what really makes a strong password? This has been debated over the years – but if you are using any password in this list, please change it. Right now. It would take mere seconds for a password cracking program to crack these!
The best passwords are random strings of at least 12 (and preferably 16+) varied characters. They also do not form a single word or common combination in any language. There are many options for creating a password: Take the first letter of every third word of your favorite song or poem. Combine two words (“Lawyers Mutual” becomes “LMauwtyuearls”) then add in some numbers and characters throughout. Or better yet use a random password generator available for free on many anti-virus or password manager sites.
An alternate solution that modern research argues is more secure is a long passphrase. Here you use a string of words without spaces of at least 30 characters (maybe you can get away with 20, but 30+ is much better). Do not use common phrases found in music or literature. One idea is to use something that has meaning to you: “Onmydaughter’s14thbirthdayshegotaredbike&lovedit” (48 characters). Another way is to be whimsical: “IgloosrideRabbits4Santa’swhimsy” (31 characters). Have fun with it!
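To make the two recommendations above concrete, here is an added example (not from the original article or its author) that generates a random character password and a random passphrase with Python's cryptographic `secrets` module and compares the search space of the old 8-character rule against 16 random characters and a 6-word passphrase. The word list is a small constructed sample; `DICEWARE_SIZE`, the 1e10 guesses-per-second figure, and all function names are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabet for random character passwords: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list for the passphrase demo. A real list
# (e.g. the 7776-word Diceware list) is far larger; entropy is computed
# from the size of whatever list you actually draw from.
WORDLIST = [
    "igloo", "rabbit", "santa", "whimsy", "bicycle", "birthday", "lantern",
    "meadow", "copper", "violin", "harbor", "pebble", "thunder", "cactus",
    "orbit", "saddle",
]
DICEWARE_SIZE = 7776  # size of the standard Diceware list, for comparison only


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`.

    This measures the search space for a *random* secret; it says nothing
    about a human-chosen word or a common phrase, which is why the article
    warns against those."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password with `secrets` (a CSPRNG), never the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, separator: str = "") -> str:
    """Join `words` uniformly chosen words; the article's examples use no separator."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at an assumed guess rate.

    1e10 guesses/s is an assumed figure for an offline attack on a fast hash;
    a slow, salted hash (bcrypt, Argon2) lowers it by orders of magnitude."""
    return 2 ** bits / guesses_per_second


def compare_policies() -> dict:
    """Entropy of the old 8-character rule versus the article's recommendations."""
    return {
        "8_random_chars": entropy_bits(len(FULL_ALPHABET), 8),
        "16_random_chars": entropy_bits(len(FULL_ALPHABET), 16),
        "6_diceware_words": entropy_bits(DICEWARE_SIZE, 6),
    }


if __name__ == "__main__":
    print("random password  :", random_password(16))
    print("random passphrase:", random_passphrase(6))
    for name, bits in compare_policies().items():
        days = seconds_to_exhaust(bits) / 86400
        print(f"{name:18s} {bits:6.1f} bits  ~{days:,.0f} days to exhaust at 1e10 guesses/s")
```

Run it and note the ordering: six words from a 7776-word list (about 77 bits) beat eight random characters from the full keyboard (about 52 bits), while sixteen random characters (about 105 bits) beat both. The figures only hold for uniformly random choices; a password manager's generator gives you that, a song lyric does not.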
Now for the really hard part: You should also not repeat passwords between accounts. Gasp! Now you are counting all your passwords and realizing how many you use. The reason is logical: if one is cracked or discovered, the rest of your accounts will still be safe. However, a password is only secure if you remember it and only you can access it – which means do not write it down and tape it to your monitor or to the bottom of your keyboard.
So smart guy, how will we remember 50 different random passwords without writing them down or saving them to our browser? That is where password managers can be helpful.
Some research is required here as there are free and paid solutions, along with enterprise solutions you can get for your entire office. Since you are putting all your eggs into one basket, it is imperative to be comfortable with the security of that system.
Look for programs that have at least 256-bit encryption and are “zero knowledge security” meaning the provider cannot look up your password/passphrase to access your account. Check the company’s track record and history to see if they have suffered a breach and how they responded if there was one. A few examples to start you on your journey without recommending any in particular: LastPass, Keeper Security, 1Password, Dashlane, and there are many others.
So now you know how to create secure passwords and passphrases! But this is only one piece of the strong authentication puzzle. Stay tuned for more next month!
About the Author
Patrick Brown
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or patrick@lawyersmutualnc.com.