A Short Guide To Password Security

Stephen Kennedy - Lead Web Developer

All of the online security in the world can be useless if it depends on a weak password. Statistically speaking 95% of users use an insecure or repeated password that puts them at much greater risk for breach of data.

In 2015 2 in 5 people had their information compromised

To help you from becoming another statistic in the news, we’ve put together a few tips on creating strong and unique passwords, as well as how to keep them secure.

1. Do not use any easily identifiable data.

As a general rule, if someone can find it on your social media, it does not make for a strong password. This can include birthdays, names, pets, important dates, favorite foods, bands, hobbies and so on.

2. Do not use the name of your business, group, or club

While this falls under the same category as number one. When using a shared account or non-personal account it is easy to attempt to use a shared datapoint to make it easier to recall. Unfortunately, this also makes it easier for hackers to guess and use your password against you.

3. Do not repeat passwords across services

Should the worst happen, and a password is compromised, a hacker now has access to however many services use that password. The easiest defense against this is to have several unique and rotating passwords.

4. Try to refrain from using any patterns or anything found in a dictionary

Hackers often utilize databases or datasets to guess passwords. If they can easily find your password in Meriam Webster or on a keyboard, it’s that much easier to compromise.

So if you can’t use something easy to remember, and you can’t use words, how can you make strong, unique, and memorable passwords?

The 5 most popular passwords of the last two decades are "123456", "password", "12345", "12345678", and "qwerty"

We recommend using passphrases. Passphrases are generally a sequence of words or sentence that is easy to remember for example “I Love Rocky Road Ice Cream”.. By taking that easy to remember phrase and using a mixture of abbreviation, substitution, and phonetic spellings we can transform it into any number of different passwords like “!lUvrdic3crm” or “1LuVR0ckyRdIc3cR3@M”, or if you would prefer, you can establish a set cipher with your passphrases to create even more unique passwords.

Using a simple ROT1 (rotate 1 letter forward) written cipher “myfirstpass” becomes “nzgjstuqbtt”, swap some letters for symbols and that becomes “nZgj$tuq6t7”. This allows you to remember the weaker password and the method for finding the much stronger password should you forget it. ROT1 is one of many ciphers available for use. You may find something with letter replacement or grid alignment works better for your memory and work flow.

At Armor, we have a policy of never keeping unencrypted passwords, and never keeping client passwords without their permission. As such, if you contact us, our only option is to reset your password for you, and we strongly recommend that after you have us reset a password, you log in and change it to something else. Additionally, we do not recommend sending passwords over email, SMS, or chat services. If you have to share using these methods, you should always reset your password as soon as you can.

The last piece of advice to keep in mind is that if you keep your password written down, keep it someplace secure and far away from where it is used, and never keep a password stored unencrypted on your computer.

The statistics mentioned here can be found in the following report: https://www.telesign.com/wp-content/uploads/2016/11/TeleSign-Consumer-Account-Security-Report-2016-FINAL.pdf

Monday October 16th, 2017