Passwords. Your whole online existence relies on them, so why do so many people mess them up?
Basic authentication relies on two sets of data: a username and a password. If you tell the system who you are and what your secret thingy is…bam! You are let in. The problem with this is that an attacker can easily figure out possible usernames, either through OSINT or by assuming you use the standard convention of FirstNameLastName, FirstNameMiddleInitialLastName, FirstInitialMiddleInitialLastName, or FirstInitialLastName. This leaves your lowly password as the last line of defense.
“But my password meets the minimum requirements of 8 characters or more!”
Password12 is NOT a secure password. Neither is Brandon5, or Linkedin! Just because you use a word in the dictionary and add a number or symbol at the end to meet minimum requirements does not make your password good. Hackers have their own dictionaries and software that will brute force your password in no time.
“Fine! I’ll 1337 the password up some! P@ssw0rd12 it is!”
P@ssw0rd12 is NOT a secure password (though at least now you are trying…slightly). Just as you were smart enough to try and “1337” up the password, the hackers will do the same thing: their cracking tools apply the same substitution rules to every word in their dictionaries.
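To see why the 1337 trick does not help, here is an added Python example (not from the original post) of the kind of check a defender's password policy can run: it undoes the common substitutions and strips the tacked-on digits or symbols before comparing against a dictionary. The dictionary and the substitution table are constructed for the example; a real checker would load a large wordlist plus known-breached passwords.

```python
import re
from typing import Optional

# Constructed mini-dictionary for this example; a real checker would load a
# large wordlist plus a list of passwords seen in public breaches.
DICTIONARY = {"password", "brandon", "linkedin", "welcome", "summer", "dragon"}

# Common "1337" substitutions, mapped back to the letters they stand in for.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def core_word(candidate: str) -> str:
    """Strip the bolted-on prefix/suffix of digits and symbols, then undo
    leet substitutions, so 'P@ssw0rd12' and 'Password12' both become 'password'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    return stripped.translate(LEET_MAP).lower()


def check_password(candidate: str, min_len: int = 8) -> Optional[str]:
    """Return a rejection reason, or None if the password passes.
    min_len=8 mirrors the 'minimum requirements' quoted in the post."""
    if len(candidate) < min_len:
        return "too short"
    core = core_word(candidate)
    if not core:
        return "contains no letters at all"
    if core in DICTIONARY:
        return "dictionary word dressed up with leet characters or a suffix"
    return None


if __name__ == "__main__":
    # The post's weak examples and its phrase-derived strong ones.
    for pw in ["Password12", "Brandon5", "Linkedin!", "P@ssw0rd12",
               "!MfnRI3BmshTR!", "$2005MRx8wMfc!", "!IliaBho202NL$"]:
        print(f"{pw:18} -> {check_password(pw) or 'ok'}")
```

Checking against breached-password corpora, as NIST SP 800-63B recommends, catches far more than a dictionary alone, but the same normalize-then-lookup idea applies.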
“Arrrgh! What makes a good password then?”
People assume that a complex password will easily be forgotten. The key is to make the password memorable to you. How could I ever remember passwords like these?
!MfnRI3BmshTR!
$2005MRx8wMfc!
!IliaBho202NL$
These passwords are simply the first letters of each word of phrases that have personal meaning to me, converted to upper and lower case, and numbers and symbols added in.
My Favorite Nursery Rhyme Is 3 Blind Mice See How They Run
2005 Mazda RX8 Was My First Car
I Live In A Black House On 202 Niles Lane
Another alternative is to use a password manager that will generate STRONG randomized passwords for you and save them in an encrypted fashion, either on your device or in the cloud.
“Yay! My strong password is now Iaa1337HsAYcgm! and I will use this on all of my accounts!”
No no no. Now you are putting all of your eggs in one basket! Great…you have a secure password. What happens if one of the websites that you used this password for has been compromised? Well, if the website stored the password in plaintext (or with weak hashing) rather than as a properly salted hash…now your password is known! That same password (and most likely username/email address) you used on every other website is now compromised!
“Ok fine! I have unique, complex passwords for all websites! I am invincible!…oh look, a Nigerian prince wants me to login to a Google page so I can become rich!”
There is no Nigerian prince, there is no unpaid invoice, there is no Russian bride wanting to marry you, and there is no soup for you! Someday I will write an article on phishing, but we are still talking about passwords! Wherever possible, enable 2-Factor authentication for your accounts. 2-Factor authentication is a security method that relies on something you know (username and password) and something you have (a phone call to your cell, an SMS to your cell, or a randomized code generated by a fob or an app on your phone). 2-Factor ensures that when you end up falling for my phishing email (which you will), unless I also have your phone (or have otherwise compromised your phone), I will be unable to login to the account.