Passwords - How to Stay Secure without Losing Your Sanity

By Calvin Weeks

May 22, 2017

Another password to remember. Don’t forget to change it every 10 days—OK, every 30 days. No? Maybe 60, 90 or 120 days. How about never? Why do I need a username and password for everything I use? On top of that, I have to change it often and it must be complex. And no passwords can be the same, and you can’t use the same password twice.

It’s no wonder users write down passwords. But that's not safe.

I’ve been a cyber security professional for 30 years. Like you, I have multiple accounts for work and my personal life. And, like you, I find it challenging to manage my passwords. Password requirements have become increasingly complex, and still they don’t seem any less vulnerable to hackers. Not only have password criteria changed, but the technology behind passwords has evolved as well.

So, how do professionals like me manage accounts and passwords, and meet the security requirements to protect our electronic identities? To answer that question, first understand that there’s no username and password that will ever be 100-percent secure. There are many ways that passwords get stolen, and we can’t do anything to stop it. Sure, meeting the most complex formulas for creating a secure password helps, but that’s still not enough. By the time a hacker steals your password and sells it or uses it, several weeks, months, or years have passed. This is why it’s vital to change your password often and refrain from using the same password twice.

Rainbow Tables
Ever since the creation of rainbow tables, no password has been secure. A rainbow table is a database that has every iteration of a given set of character criteria. Hackers create a database of every possible combination of characters with numbers, letters and special characters for a specified length. This means that no matter your password, hackers can perform a “rainbowcrack” using the right rainbow table and break your password in a few minutes. The only protection you have from this attack is changing your password often.

A common goal for a hacker is to sell your stolen password to someone who will then use it to steal directly from you. If you change your password in the meantime or in the middle of their transaction, you can protect yourself from this potential threat. It often takes just minutes for the hacker to steal your password, but it takes months to sell your password, since they’re stealing and selling passwords in large quantities of account data. The more often you change your password to a unique combination, the safer you’ll be.

Password Strategy
What’s a smart password strategy? Follow the tips below to create a strong password that’s less likely to be hacked.

  • Start with a base password. It should be at least eight characters and include all of the following: upper and lowercase letters, numbers and special characters.

    An example following these rules should look similar to this: P@$$w0rd.
  • Never use a real word. Instead, choose a phrase that’s related in some way to the system of the account you’re going to use. For example, for your online bank account for My World Bank, you could make up a phrase like: My online bank account for My World Bank is very secure, and I do not share my password.

    Converted to a password by using the first letters of each word, you’d have this password: M0b@fMWB1v$@!dnsmp. Now that’s a strong password.
  • Add some SALT. SALT is a technical term that refers to a random string of data used to modify a password to help make it more secure. This is usually added automatically if the systems are set up to deploy a SALT. How do you know if a system is set up to use SALT? You don’t. So, you can manually apply the concept of what SALT does to help you remember your very strong password when you have to change it the next time.

    Using our My World Bank account example, we can add a date of January 25 for your password change as a SALT. It would look something like this: M0b@fMWB1v$@!dnsmp012501.

    The next time you change your password on March 24, it would look like this: M0b@fMWB1v$@!dnsmp032402. The “02” added at the end indicates to you that this is the second time you have changed your password. So each time you change your password, you will use four digits for the month and day and two digits for the number of times you have changed it.

This strategy helps ensure a very strong password that will be unique to a specific account and any changes will only be made to the last six digits. Using this same concept with every account or system that you access will help you keep track of very strong passwords that are unique and capable of being changed often and without having to struggle to remember what they are.
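The server-side salting described above, and why it matters against precomputed tables, as an added example that is not part of the original article. It assumes a plain precomputed lookup table as a simplified stand-in for a rainbow table and PBKDF2 as the salted scheme; the function names and the candidate list are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for an attacker's precomputed table.
CANDIDATES = ["P@$$w0rd", "letmein", "M0b@fMWB1v$@!dnsmp"]

def unsalted_hash(password):
    """Weak storage: a bare, fast hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_table(candidates):
    """Precompute hash -> password once; reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}

def salted_hash(password, salt=None, iterations=200_000):
    """Stronger storage: random per-account salt fed into a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password, salt, stored, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    pw = "M0b@fMWB1v$@!dnsmp"
    # Unsalted: one dictionary lookup recovers the password.
    print("unsalted lookup:", table.get(unsalted_hash(pw)))
    # Salted: the same password stored twice yields two unrelated values.
    salt_a, hash_a = salted_hash(pw)
    salt_b, hash_b = salted_hash(pw)
    print("same password, same stored value?", hash_a == hash_b)
    print("salted value found in table?", hash_a.hex() in table)
    print("login still verifies:", verify(pw, salt_a, hash_a))
```

The salt is stored beside the hash and is not secret; its job is to force a separate precomputation per account rather than one table for everyone.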

Password Sharing
It’s never a good idea to share your password, but some systems only allow you to have one account that must be shared by several users or families. Support personnel should never ask for your password. However, if they do, change your password and give them that password, and then change your password back to the stronger version after they have resolved the issue. The more people who have your password, the less secure that account is.

The decision to share or not to share your password will also depend on what can be done or accessed with that account. Can you see personal info like credit cards? Can the account be deleted or altered? Will it allow purchases and transactions that have a dollar value? Be cautious about who you share your passwords with and make sure that the strategy from one account will not allow others to easily guess your other account passwords. You can make the phrase longer than you normally would and change it more often to get the most protection from having to share passwords.

Multi-Factor Authentication
Multi-factor, or two-factor authentication, is using more than one method to gain access to accounts. Not all systems have the capability of multi-factor authentication. But if this authentication is available to you, you should take advantage of all of its capabilities. The concept of two-factor methods used to gain access is not new.

Safe deposit boxes at banking institutions use multi-factor authentication to gain access. You must first use some form of identification to verify you are who you say you are. After that, the box requires two different keys. One key is your key to your deposit box, and the other is a master key used by a bank official. In this example of two-factor authentication, the two keys count as one method, and the required identification is the other factor.

There are three factors of authentication:

  1. Something you know, like a username, password, passcode, personal secret questions, etc.
  2. Something you have, like a physical key, token, smart card, USB key, etc.
  3. Something you are, like your fingerprint, iris or retina of the eye, voice recognition, facial recognition, palm print, etc.

Using any two different methods of authentication is the correct use of multi-factor authentication. By enabling and using multi-factor authentication, even if your username and password are stolen, they cannot be used without the other factor to complete the authentication. This makes the password useless to hackers.

Password Managers
Wouldn’t it be nice to have a solution to manage, share and secure all of your passwords using just one single password? Let’s look at what security professionals have been doing since the early 2000s to manage all of their secure accounts.

There are several password management applications that have been used and vetted by the security community, and they’re proven to be the best way to manage and secure passwords and more. Here are a few that top the list—I’ve personally used these, and they all work very well.

Password Safe and KeePass
There are two free applications that can be run on your PC, have mobile versions, and come with optional plugins that keep the database synchronized between all of your devices. These two applications, if used properly, can be the most secure option since they do not rely on a third-party cloud service provider to keep and store your passwords.

These applications are secure and contain very robust features used to securely store your passwords and assist you in automatically logging in to some of your favorite websites and applications. They have a large community following that keeps the applications updated and secure, and they continue to enhance add-ons to help you with various features.

RoboForm, Dashlane and LastPass
The following applications are either free or require a small annual fee and will securely store your passwords online. They’re easy to access and back up your passwords across every device you use them on.

  • RoboForm (www.roboform.com) in either a free or paid version for $19.95 per year
    Features: remembering passwords, password changes, one-click logins, password generator, password auditing, import/export, fill web forms, encrypted text notes, works on Windows, Mac, iOS, and Android, sync passwords, password sharing, and 24/7 support.
  • Dashlane (www.dashlane.com) with a free or paid version for $39.99 per year
    Features: password manager, autofill, digital wallet, works on all platforms, emergency sharing, secure sharing, security breach alerts, password changer, sync across all devices, secure backup, two-factor authentication and web access.
  • The most popular is LastPass (www.lastpass.com), which includes a very robust free version or an excellent and easy-to-use premium version for $12.00 per year
    The free version has the following features: access on all devices, save and fill passwords, password generator, secure notes, share passwords and notes, security challenge, two-factor authentication, digital record keeping, and unlimited password storage.

    The premium version includes: all of the free features, plus up to five users, key authentication, application support, fingerprint identification, and 1GB of encrypted file storage.

Conclusion
Passwords have always been and will always be a security risk. And it’s only a matter of time before password rules become even more complex. The technology exists today to allow for new passwords every 30 seconds from freely available two-factor authentication applications from Google and Microsoft. However, not all applications can take advantage of this advanced technology yet. Password management tools can help secure your accounts and passwords with a simple and easy-to-use application that can automate the management of your passwords and account information using one very strong password.

Businesses need to take notice of these tools and encourage their users to better manage their passwords by leveraging the available applications and two-factor authentication to secure account access. If company leadership deploys password management software and trains staff to securely manage work-related and personal accounts, there are many benefits. It can completely eliminate users writing down passwords, putting them in an unsecure document, choosing weak passwords, and avoiding changing passwords. Encourage your employees, family and yourself to download and start securing your personal identity and passwords today.
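How the 30-second codes mentioned in the conclusion are produced and checked, as an added example that is not part of the original article. It implements the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) with the RFC's published test secret; the function names and the replay check via `last_counter` are assumptions of this sketch, not any vendor's code.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (not a real account secret).
RFC_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over an 8-byte counter, then dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now=None, step=30, digits=6):
    """The counter is the number of 30-second steps since the Unix epoch."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // step, digits)

def verify_totp(secret, submitted, now, last_counter=-1, step=30, window=1):
    """Return the matched time step, or None if the code is wrong or stale.

    window=1 tolerates one step of clock drift either way; last_counter is
    the step of the last accepted code, so a captured code cannot be replayed.
    """
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        if counter > last_counter and hmac.compare_digest(
            hotp(secret, counter), submitted
        ):
            return counter
    return None

if __name__ == "__main__":
    code = totp(RFC_SECRET, now=59)              # RFC test time T=59
    print("code at T=59:", code)
    print("accepted 30s later:", verify_totp(RFC_SECRET, code, now=89))
    print("replayed:", verify_totp(RFC_SECRET, code, now=89, last_counter=1))
    print("after 90s:", verify_totp(RFC_SECRET, code, now=149))
```

Because the code depends on a shared secret held on the device, a stolen password alone does not produce a valid code, which is the "something you have" factor from the list above.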