Tips for creating secure passwords

A good password is one you can remember and nobody else can figure out.

While this sounds like a statement firmly grounded in common sense, like the advice to “Look both ways before you cross the street”, the #1 ranked most breached password in 2022 according to NordPass was… wait for it… password.  Unbelievably, #2 was 123456. (1)  You can draw your own conclusions about what this says about common sense.  Sure, these are easy to remember, but they are also quite easy to figure out by ordinary humans using little more than a notepad, a pencil, a method and enough time to work systematically through combinations of numbers, letters, and other symbols.  Hackers using high-speed computers and specialized programs have a competitive advantage and need less than a second to crack either of these top two choices.  The technology is well worth the investment for bad actors because information valuable enough that people feel the need to restrict access to it can, in some cases, lead to easy money and big paydays for the crooks.  Let’s take a look at the steps we can take to make their jobs more difficult.

Taking a closer look at the two examples of bad passwords, password and 123456, we can see that the first is an 8-letter lowercase word that can be found in a dictionary, and the second is a sequence of six digits.  The 2022 edition of the Oxford English Dictionary is perhaps the most complete list of words of the English language, with about 600K entries, and “password” just happens to be one of them.  Hackers can run a brute-force attack by trying each of these 600K words, first all lower-case, then all upper-case, then with the first letter capitalized, and so on.  The computing power they bring to the job determines just how fast they will find their prize.  Turning to the second so-called password, 123456, look at the chart below showing the amazingly brief time it takes to brute-force this sequence, as well as other combinations of letters, numbers, and symbols.  These times will only get shorter as computers get faster.

[Hive Systems password table: time to brute-force a password, by length and character set]

The takeaway from this table is that longer and more complex passwords take longer to figure out.
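To make the table concrete, the following added example (not from the original page) computes the search space an exhaustive attack has to cover for a given password, expressed both as a count and in bits, and turns it into an expected cracking time for an assumed attacker speed.  The speed of ten billion guesses per second is a constructed figure for illustration, not a measurement from the page; the 600K-word dictionary and the three case variants come from the text above.

```python
import math
import string

# Character classes an exhaustive search must cover, matching the columns of a
# Hive Systems-style table: digits (10), lowercase (26), uppercase (26), symbols (32).
CHAR_CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "symbols": string.punctuation,
}

# Assumed attacker speed (constructed figure for illustration only).
DEFAULT_GUESSES_PER_SECOND = 1e10

# Dictionary-attack parameters from the text: ~600K words, each tried as
# all-lowercase, all-uppercase and first-letter-capitalized.
DICTIONARY_WORDS = 600_000
CASE_VARIANTS = 3


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet that covers every character in the password."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over the same length and alphabet must consider."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: every extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))


def expected_crack_seconds(password: str,
                           guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average the answer turns up halfway through the keyspace."""
    return keyspace(password) / 2 / guesses_per_second


def dictionary_attack_seconds(guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every dictionary word in every case variant."""
    return DICTIONARY_WORDS * CASE_VARIANTS / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration the way the table does (years, days, ... or 'under a second')."""
    units = [("years", 365 * 24 * 3600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


def report(password: str) -> dict:
    """Summarize length, alphabet, entropy and expected brute-force time for one password."""
    return {
        "password": password,
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "brute_force": humanize(expected_crack_seconds(password)),
    }


if __name__ == "__main__":
    print(f"dictionary attack, all words and case variants: "
          f"{humanize(dictionary_attack_seconds())}")
    for pw in ("123456", "password", "Password1", "3Fav-ZmdcEqyCE4kK"):
        r = report(pw)
        print(f"{r['password']:<20} len={r['length']:>2} alphabet={r['alphabet']:>2} "
              f"{r['bits']:>6} bits  brute force: {r['brute_force']}")
```

The two bad examples from the text both fall well under a second at this guess rate, and “password” is also reachable by the much smaller dictionary attack before any brute force begins.  Note that keyspace is a ceiling on the attacker's effort: a password that is a dictionary word or a keyboard pattern is found far sooner than its length and alphabet would suggest.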


Sure.  But who’s going to remember

3Fav-ZmdcEqyCE4kK?

There’s a reason telephone numbers are seven digits long, not counting the area code: seven items is the estimated limit of human working memory capacity.  Working memory is the information of immediate use that we keep in mind while carrying out our daily activities.  It disappears after about 30 seconds. (2)  Given the limitations of the hardware between our ears, let’s review some of the steps we can take to create secure passwords that we can remember.

  • Create passphrases as opposed to passwords.  The advice has been to create a password with a minimum of 8 characters using a combination of numbers, upper and lower-case letters, and special characters, e.g., *&8gH6mU.  Of course, remembering this will be difficult because there’s no obvious pattern.  An alternative, and more easily remembered, option is to derive a password containing numbers, letters, and special characters from a passphrase.  Start with something you are not likely to forget and establish a rule that you apply consistently.  For example, we could use a phrase that everyone here cannot forget, e.g., “Bridges IT Dept. is the absolute best!”.  The rules for turning this into a secure password would be to use the first character of each word capitalized, except the third one, to substitute a “1” for the letter “I”, and to keep the last character of the phrase.  This results in the following: B1tD1TAB!.  Please do not use any of the examples shown on this page, because this is a publicly available website.
  • Do Not Reuse Passwords on different sites.  If you do, a hacker who obtains the password from one site will have access to every site where you use it.  Create a unique password for each site.
  • Do not use words found in a dictionary.  The reason for this has already been explained above.
  • Do not use passwords with personal names or details.  Passwords with personal details are vulnerable because hackers can scan social media sites for personal details, e.g., names, hobbies, names of pets, etc., and try various combinations until they identify the password.  A good general rule to follow is that if it is mentioned on your social media, do not use it.
  • Do not use passwords made of keyboard sequences, e.g., 123456 or asdfghjk.
  • DO NOT share passwords.  Not only does this violate the principle shown at the top of the page, but it also violates Bridges IT policy.
  • Always log out and do not save passwords unless you are the only person using the device.  This is especially important on shared computers.  If you do not, the next person who uses the computer will have access to your account(s).
  • Use the Clean Desk Policy.  Make sure your workspace does not contain physical objects with sensitive information.  While a sticky note on the monitor will help you remember the password, it also makes this available to anyone who uses the same desk.
  • Lock mobile devices with a passcode or use biometric identification, e.g., a fingerprint or face recognition.  If you access Bridges resources with personal technology, it is a HIPAA device.  While it is okay to save passwords on these devices, if the device itself does not have a master passcode, anyone who has access to the device will be able to get into the account(s) saved on it.  While biometric identification enabled for these saved accounts does limit unauthorized access, it is always a good practice to lock the device with a passcode and/or biometric identification.
  • Change passwords regularly.  Create a moving target for hackers by making your passwords useless to them.
  • Consider using a password manager.  With a password manager, users need to remember only a master password to access the other passwords stored in it.  Password managers are also beneficial because they suggest strong passwords for different accounts and automatically sign a user in.  Where possible, creating and automatically saving passwords with a password manager is highly recommended.  While these are strong arguments for using a manager, there is a risk in trusting one company to safeguard your data: if their servers are compromised, your personal information may be exposed. (3)
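Several of the rules in the list above (minimum length and character mix, no dictionary words, no keyboard sequences, no personal details, nothing from the most-breached lists) can be enforced automatically at the point where a password is chosen.  The following added example, written for this page and not part of any Bridges IT tooling, is a small policy checker that does exactly that.  The breached-password and dictionary sets are constructed samples (assumption); a real deployment would load the full NordPass top-200 list and a complete word list from files.  Rules that depend on behaviour rather than the password itself (reuse across sites, sharing, logging out) cannot be checked here.

```python
import string

# Constructed sample data for illustration (assumption): a real checker would load the
# NordPass top-200 list and a full dictionary such as an OED word list from files.
COMMON_PASSWORDS = {"password", "123456", "123456789", "qwerty", "guest", "12345678"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "bridges"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 8      # minimum from the advice quoted in the list above
MIN_CLASSES = 3     # out of: digits, lowercase, uppercase, special characters
MIN_SEQUENCE = 4    # shortest run of adjacent keys treated as a keyboard sequence


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    classes = (string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in password))


def has_keyboard_sequence(password: str, min_run: int = MIN_SEQUENCE) -> bool:
    """True if any run of min_run adjacent keys, forwards or backwards, appears in the password."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in low:
                    return True
    return False


def check_password(password: str, personal_details=()) -> list:
    """Return the list of rule violations; an empty list means every rule passed.

    personal_details is the caller-supplied list of names, pets, hobbies, etc. that
    must not appear in the password (the 'if it is on your social media' rule).
    """
    findings = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if character_classes(password) < MIN_CLASSES:
        findings.append("too_few_classes")
    if low in COMMON_PASSWORDS:
        findings.append("common_password")
    if low in DICTIONARY_WORDS:
        findings.append("dictionary_word")
    if has_keyboard_sequence(password):
        findings.append("keyboard_sequence")
    if any(detail.lower() in low for detail in personal_details if detail):
        findings.append("personal_detail")
    return findings


if __name__ == "__main__":
    # The two bad examples from the text, one password built from a pet's name
    # (constructed), and the long random string quoted above.
    samples = [
        ("password", ()),
        ("123456", ()),
        ("Fluffy2019!", ("Fluffy",)),
        ("3Fav-ZmdcEqyCE4kK", ()),
    ]
    for pw, details in samples:
        result = check_password(pw, details)
        print(f"{pw:<20} {'OK' if not result else ', '.join(result)}")
```

The checker is deliberately strict in the direction of rejecting: a password that exactly matches a dictionary entry or a breached-list entry is refused regardless of how it is capitalized, because the text explains that attackers try the case variants anyway.  The dictionary test here is an exact match only; a production checker would also look for dictionary words embedded inside a longer password and for common substitutions such as “1” for “I”.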

References

  1. “Top 200 most common passwords”, nordpass.com.  Accessed 11/29/22.
  2. “Human Working Memory”, https://www.sciencedirect.com/topics/computer-science/human-working-memory.  Accessed 12/1/22.
  3. “A Breach at LastPass Has Password Lessons for Us All”, New York Times, 1/5/23.