PYDA–Passwords

Yes, Virginia, you do need a password. And because passwords are cracked by high-end machines running sophisticated password-cracking programs, a password needs to be both long and complex, and ideally unique to each site or device. How long? At least ten characters, and fifteen is better. A six or seven character password can be cracked in hours or days (or in seconds, if the site stored it with a fast hash that a cracking rig can guess billions of times per second); a password of ten or more characters drawn from the full keyboard pushes a brute-force attack out to decades or centuries. A strong password is not a word that can be found in any dictionary, and it uses a mixture of capital and lowercase letters, numbers, and symbols. A simple but memorable way to create unique passwords is to start with a ten-character base password that is contained in every password you create, and begin or end the password with something that is easy to remember about the particular site or device. Be aware that this scheme has a weakness: if one of those passwords leaks, whoever sees it can guess the pattern for your other sites. The safer option is a password manager such as KeePass, which generates and stores a different random password for every site.
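To make the length and character-mix claims above concrete, here is an added example (not code from the original post) that estimates the worst-case brute-force time for a password and generates one that meets the rules in the paragraph. The guessing rates FAST_RATE and SLOW_RATE, the SYMBOLS set and the COMMON_WORDS list are assumptions chosen for illustration, not figures from the page.

```python
import math
import secrets
import string

# Character classes a site typically accepts. SYMBOLS is an assumed subset;
# the real set varies from site to site.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALL = LOWER + UPPER + DIGITS + SYMBOLS          # 86 characters

# Assumed guessing rates (guesses per second). FAST is the order of magnitude
# of a GPU rig against an unsalted fast hash such as MD5 or NTLM; SLOW is a
# properly configured slow hash such as bcrypt.
FAST_RATE = 1e10
SLOW_RATE = 1e4

# Constructed stand-in for the dictionary a cracker tries before brute force.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}


def charset_size(pw: str) -> int:
    """Size of the smallest class mix that contains every character of pw."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in pw):
            size += len(cls)
    return size


def brute_force_seconds(pw: str, rate: float = FAST_RATE) -> float:
    """Worst-case time to enumerate every password of pw's length and mix."""
    return charset_size(pw) ** len(pw) / rate


def entropy_bits(pw: str) -> float:
    """Bits of search space, ignoring dictionary structure."""
    return len(pw) * math.log2(charset_size(pw))


def describe(seconds: float) -> str:
    """Human-readable duration, largest unit first."""
    for unit, size in (("centuries", 3_155_760_000), ("years", 31_557_600),
                       ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def is_strong(pw: str, min_len: int = 10) -> bool:
    """The post's rules: long enough, all four classes, not a dictionary word."""
    return (len(pw) >= min_len
            and all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))
            and pw.lower() not in COMMON_WORDS)


def generate_password(length: int = 14) -> str:
    """Random password from the OS CSPRNG, resampled until it satisfies is_strong."""
    if length < 10:
        raise ValueError("use at least ten characters")
    while True:
        pw = "".join(secrets.choice(ALL) for _ in range(length))
        if is_strong(pw):
            return pw


if __name__ == "__main__":
    samples = ["monkey", "abcdefg", "Abcdefg1", "Tr0ub4dor&3!xyz", generate_password(14)]
    print(f"{'password':<18}{'bits':>6}  {'fast hash':>18}  {'slow hash':>18}  strong")
    for pw in samples:
        print(f"{pw:<18}{entropy_bits(pw):>6.1f}  "
              f"{describe(brute_force_seconds(pw, FAST_RATE)):>18}  "
              f"{describe(brute_force_seconds(pw, SLOW_RATE)):>18}  {is_strong(pw)}")
```

Running it shows the crack-time column swinging by six orders of magnitude between the fast hash and the slow one, which is why the same password can be "seconds" at one site and "centuries" at another. You cannot see how a site stores your password; length and a full character mix are the part you control.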

Many web services are beginning to offer two-factor authentication. If it is available, you should use it. It defeats an attacker who has obtained only your password, which covers most remote attacks, although a code sent by text message can still be intercepted or phished, so an authenticator app or a hardware key is stronger where a site offers one. For example, when making certain changes to my Google account, Google sends a text message to my cell phone containing a code that I must enter into the web site to confirm my identity and complete the change. As another example, my bank has me enter my user ID on one page, my password on a second page, then answer my secret question on a third, and lastly shows me an image that I selected when setting up my authentication. The first three steps prove to them that I am legitimate. The last step, the picture, is meant to prove to me that they are legitimate: a fake look-alike site does not know what picture I chose, unless it quietly relays my user ID to the real bank to fetch it, so treat the picture as one check among several rather than proof by itself. When you have these sorts of options, I encourage you to take them.

Never give your password out to anyone, even if you called them, and you are pretty sure they are legitimate. With all the call centers in foreign countries, you just never know where that information is going to end up at the end of the day, not that you can trust domestic call center personnel with this information, either.

Using the same password everywhere is a very tempting practice; I've known many people who do this.  The problem with using a single password for all your web sites is that when one site is breached, attackers take the leaked passwords and try them on every other popular site (the technique is called credential stuffing).  Compromise one account, like an email account, and before you know it they are running up charges on your Amazon account, posting from your Facebook account, or even draining your bank account.  The message: do not use one password for all your sites.

Good passwords are the best safeguard we have to keep strangers out of our online lives.  Make sure yours is long and complex.  A fun place to test out password ideas is Passfault.  Rather than typing a password you actually use into any third-party site, test one built the same way, and then create a new one that will really protect you.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
