If you are responsible for training employees about security within your company, you probably have run into a disconnect between the need for secure passwords and the reality of the passwords being used. Maybe even within your own department, you know that passwords may not be as strong or changed as regularly as they should. Knowing why something we should do is important is not always enough. Your organization’s employees need real, helpful ideas for creating and remembering strong, unique passwords. You can share this article and our April Security Tip to give them usable tools for secure passwords.
Keep in mind, sharing (and documenting) regular, ongoing security awareness information within your organization is more effective than a boring, costly, annual training session and it helps satisfy HIPAA requirements to train employees. That is why we create tips like this monthly for you to use and share.
Should’ve, Could’ve, Would’ve Used a Better Password
The tools and tactics used by cybercriminals are expanding and evolving every day. But still, all too often major, costly, even devastating breaches are caused by the curse of “password123” – simple or default passwords that are easily hacked. When a breach occurs, it highlights what you should have done to better protect your data. The tragedy is that this often translates to what could’ve been done or what would’ve been done if you and your team had the tools or better understood how to create and use stronger passwords. Employees do not use easy passwords to put the organization in danger – they do it because they’re easy! And strong passwords are perceived as hard. But there are tricks to make creating and using secure passwords easier.
What Makes a Strong Password?
Conventional wisdom holds that a secure password must:
- Have 12 or more characters – a mix of letters (capital and lower case), numbers, and symbols.
- Not use dictionary words.
- Not rely on obvious symbol substitutions such as 1 for “i” or 3 for “e” (hackers figured that out a long time ago).
So this means that a “secure” password is something like gaY6bacu2exukef. Yikes. I can’t remember that! But you can create a password that good that you can remember. You just need to know the tricks.
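The three rules above, turned into a small checker that an awareness trainer could hand out with the tip. This is an added example, not code from the original article; the word list and the substitution table are constructed for the demo, and a real checker would load a full dictionary and a leaked-password list instead.

```python
import re

# Constructed mini wordlist for the demo; a real checker would load a full
# dictionary plus a list of leaked passwords.
COMMON_WORDS = {"password", "love", "lost", "without", "welcome", "summer",
                "dragon", "monkey", "letmein", "qwerty", "admin"}

# The obvious substitutions the article warns about (1 for i, 3 for e, ...),
# reversed so that "p4ssw0rd" normalises back to "password" before the check.
UNLEET = str.maketrans("013457@$!", "oieastasi")

def normalise(pw: str) -> str:
    """Lower-case the password and undo the common symbol substitutions."""
    return pw.lower().translate(UNLEET)

def character_classes(pw: str) -> set:
    """Which of the four classes (lower, upper, digit, symbol) appear."""
    classes = set()
    for name, pattern in (("lower", r"[a-z]"), ("upper", r"[A-Z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if re.search(pattern, pw):
            classes.add(name)
    return classes

def embedded_words(pw: str, words=COMMON_WORDS, min_len=4) -> list:
    """Dictionary words (length >= min_len) found after undoing substitutions."""
    text = normalise(pw)
    return sorted(w for w in words if len(w) >= min_len and w in text)

def check_password(pw: str) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < 12:
        failures.append("shorter than 12 characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(pw)
    if missing:
        failures.append("missing " + ", ".join(sorted(missing)))
    found = embedded_words(pw)
    if found:
        failures.append("contains dictionary word(s): " + ", ".join(found))
    return failures

if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd2024!", "Iaoo<3IslwoU"):
        print(candidate, "->", check_password(candidate) or "passes all rules")
```

Note that the song-lyric password from later in the article passes all three rules, while "P@ssw0rd2024!" fails only because the substitutions are undone before the dictionary check.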
Use a Song or Quote
Instead of a string of random words, you could use a line from a poem or song, a movie, inspiring quote, even a Bible verse to create a very strong, unique password that you can easily remember.
I find lines from songs to be the easiest to remember: “I’m all out of love, I’m so lost without you” becomes Iaoo<3IslwoU.
Lines from movies are also great – it is probably best to avoid really iconic lines, like this one from Fight Club, although the password you create can still be very unique. This line could be written as w2FC*31stroFCisUdntaFC. There could be many variations, and that is what makes this passphrase secure.
Taking this idea to the next level, a random string of words can also be turned into a very secure string of random-seeming letters. To remember a nonsensical grouping you could picture something like this picture of Abraham Lincoln, Cleopatra, a Lamborghini, and the Eiffel Tower. This silly group of pictures would even be safe to print as a reminder if necessary. The password from this image could be I6$5&cleodalambo3P… “I see (6) Lincoln (on the $5 bill) and Cleopatra driving a Lambo thru (3) Paris” (silly, I know). Again, there could be several ways to create a password from these pictures.
Use a Tricky Keyboard Pattern
Draw a pattern or an image on the keyboard with the letters of your password. “QWERTY” is not a secure keyboard pattern password. For this to be effective, you should alter directions – go left to right, right to left, up and down. A straight pattern of diagonals or lines from left to right could ultimately be guessed by a hacker with a program coded to try possible combinations of adjacent keys. This kite symbol, however, could be typed starting from its center as Gfdsw2#4%tgbnm<lP.
Use a Random Password Generator
If you are thinking these ideas just take a little too much creativity for you to use on the fly, you can try a random password generator like the Identity Safe tool from Norton. I suggest setting your parameters – 12 to 15 characters including mixed case letters, numbers, and punctuation. Generate ten or more password suggestions and then look for one that you can make a silly word or sentence from.
For example, I could learn this password – cUsTeFRabev3 by memorizing “Custe-F-r Abe Version 3” and picture Custer and Abraham Lincoln. The F is tricky but the strange sense I can make of the rest leaves me much less to memorize.
This password – stewaceXam2y could stick in my head as “Stew Ace Crossed Amy2” – again the placement of the 2 is troubling but if that is really the only thing I have to remember I think I could (or I could bump the 2 to the end if I wanted to).
Use a Passphrase
A passphrase is made up of 4 or more random words strung together. The illustration below shows how much more difficult four simple words can actually be for hackers to guess.
To be secure, a passphrase must:
- Use words that make no sense when strung together (not a sentence or phrase).
- At least one should not be in the dictionary – maybe a nickname.
- One could also be misspelled in a way that you can remember.
- Use less obvious symbol substitutions like 3 for “th” (because three starts with “th”) or 6 for “s” – such substitutions are still inadequate on their own but, as part of a passphrase, they add another layer a hacker would need to decode.
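To put numbers on the claim that four random words are harder to guess than a short random password, and on the rule that at least one word should not be in the dictionary, here is an added example (not from the original article). It assumes a guessing attacker who knows the structure of the passphrase and owns the wordlist, at a constructed rate of 10 billion guesses per second; a word the attacker's list lacks must be brute-forced letter by letter.

```python
import math

# Assumed attacker model: offline guessing against a fast hash at this rate.
# The figure is constructed for illustration, not measured.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def bits_random_string(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def bits_passphrase(words: int, wordlist_size: int = 7776, unlisted=()) -> float:
    """Entropy of a passphrase of `words` random words.

    Words from the attacker's list cost log2(wordlist_size) each; `unlisted`
    holds the lengths of words (e.g. a nickname) the list lacks, which the
    attacker must brute-force from 26 lowercase letters.  The estimate only
    holds if the words are chosen at random, not taken from a sentence or a
    well-known phrase."""
    listed = words - len(unlisted)
    return (listed * math.log2(wordlist_size)
            + sum(bits_random_string(n, 26) for n in unlisted))

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR

def compare() -> dict:
    """Entropy (bits) of the schemes discussed in the article, for comparison."""
    return {
        "8 random chars, letters+digits": bits_random_string(8, 62),
        "12 random chars, full keyboard": bits_random_string(12, 94),
        "4 dictionary words": bits_passphrase(4),
        "4 words, one 6-letter nickname": bits_passphrase(4, unlisted=(6,)),
    }

if __name__ == "__main__":
    for scheme, bits in compare().items():
        print(f"{scheme:32s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```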
A Strong Password Still Must be Protected
No matter how unique or complicated your password is you still need to protect it. If your beautiful, perfect password falls into the wrong hands, it’s useless.
- Use Two Factor Authentication whenever possible. Your phone is almost always sitting right there with you anyway, and it only takes a few more seconds.
- You still must be wary of phishing scams and dangerous malware. If cyber criminals get your password, it might as well be “password123.”
- Change your passwords regularly. Sorry, I know it’s hard, especially if you really are trying to be creative. You may want to keep a running list of song lyrics or memorable quotes to use in the future – whenever you’re on the spot trying to think of something it seems impossible. But the options and combinations really are endless.
- Do not reuse your perfect password. Sorry again. With every account you duplicate, it becomes that much less special and secure.
If You Still Need Help Remembering
If you just have too many accounts and too many passwords to remember, you can try a password manager tool like Dashlane or LastPass. These can be set up quickly and can alleviate the need to remember a lot of passwords. I suggest you prioritize your most important passwords – like your work login(s), bank accounts, and email. Try to keep these unique, complicated, and updated often and perhaps use a password manager for others.
Pick the Password Trick that Works Best for You
Everyone’s brain works differently. Some of the suggestions above probably seem absurd or impossible to remember for you. My combinations may make no sense to you – but you can create letter/number/symbol combinations that do. In fact, the less sense your combinations would make to someone else, the better!