Password Burnout

Blog Author Tyler Baccus

Written by: Tyler Baccus, Application Support Specialist, E-Services

Published: June 29, 2015

How many of you are sick and tired of all these passwords and requirements just to get to the things you need on a daily basis? Let's take a few moments and think about all the passwords, passcodes, PINs and passphrases you use and are expected to remember:

  • Email
  • Google
  • Facebook
  • Twitter
  • Reddit
  • Windows/Mac accounts at home and work
  • Mobile phone(s)
  • ATM card
  • Online and Mobile Banking
  • Accounts for paying billers online  

I am sure some have been left out, but this is a typical number of accounts that need passwords, or something like them, to verify that you are who you say you are. Twelve-plus passwords are a lot to remember, and it is tempting to make one really easy password, use it for all of your accounts and just assume the professionals on the other end are doing the rest for your security. What if they are not? Not surprisingly, this practice is all too common among internet users, and it is not entirely their fault; the password system as a whole is a mess and could use an overhaul. Passwords have become so commonplace that choosing strong, complex ones needs to be second nature when you create them.

Recently a list was compiled by SplashData from more than three million leaked passwords to create 2014's Worst Password List - is your password on that list? By the way, "123456" and "password" were the top two, again. Since the Target, Home Depot and Sony data breaches, has your view of security changed? Are you aware these breaches took place? Do you view passwords as an inconvenience or a useful tool customizable by you for your own protection? Ultimately, our hope is that you take your security as seriously as we do. We are doing a lot here at WSECU to make sure you are secure when you use our services - from security audits and patches to the expertise of the network security professionals we employ, we have your back. However, there are some steps you can take that ensure the passwords you create are complex and secure, yet easy for you to remember but hard for the cybercriminals to crack.

First, take into consideration these guidelines when creating a password:

  • Refrain from using ANY personal information. Search your name in Google; whatever comes up pertaining to you, don't use any of it as part of your password. Never build a password from the published lists of common passwords, either - those are the first guesses a cracking tool tries.
  • Use a minimum password length of 12 to 14 characters if permitted.
  • Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted. Generate passwords randomly where feasible - there are a ton of password generators out there; look in your app market for one that has high ratings and good feedback.
  • Avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates).

Next, I am going to show you a method I call pseudo-random password generation: the result looks random to anyone who sees it, but it is derived from a phrase that only you know. The idea behind this method is that the password itself is easy to remember, and the process is simple enough that you find yourself creating incredibly strong passwords without even thinking about it. I started using this method a few years ago and have not looked back. Pick a phrase that is easy for you to remember, but that no one else will think about associating with you. One caveat: the famous quotes below were chosen to make the steps easy to follow; for a real password, choose something more obscure than a well-known quote or song lyric, because the first-letter abbreviations of famous phrases are themselves collected into cracking wordlists. For example:

  • Phrase: "That's one small step for man, one giant leap for mankind." 
  • Phrase: "So long, and thanks for all the fish!" 
  • Phrase: "Time you enjoy wasting is not wasted time."

Use the first letter of each word in the phrase to form an abbreviation. For the first phrase:

  • t - That's
  • o - One
  • s - Small
  • s - Step
  • f - For
  • m - Man
  • o - One
  • g - Giant
  • l - Leap
  • f - For
  • m - Mankind

Which gives, for the three phrases:

  • Abbreviated phrase: tossfmoglfm
  • Abbreviated phrase: soloanthfoal (first two letters of each word until we reach 12 characters)
  • Abbreviated phrase: tyewinwt

For added security, which usually happens to be a requirement, change one or more of the letters into numerals and/or add punctuation to reach your new password. Keep in mind that swapping a letter for a look-alike digit ("o" to "0") is a well-known trick that cracking tools apply automatically; it satisfies a complexity rule, but the real strength comes from the length of the abbreviation and from the obscurity of the phrase. For example:

  • Password: t0ss5moglfm (the first "o", for "One", becomes "0"; the first "f", for "For", becomes "5", because "five" starts with the letter "f")
  • Password: 1anthfoal! ("solo", for "So Long", becomes "1"; added "!")
  • Password: 2yewinw2? (every "t", for "Time", becomes "2"; added "?")
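The three steps above, carried out in code. This is an added example, not code from the original post or from WSECU: the function names, the small worst-passwords set (constructed from the two entries the post names) and the repetition/sequence checks are this example's own choices. It abbreviates a phrase (one letter per word, or two letters per word up to a length cap), applies the digit and punctuation substitutions, and then reports which of the post's own guidelines the result still fails.

```python
import re
import string

# Added example, not code from the original post or from WSECU. It implements
# the three steps described above (abbreviate a phrase, substitute digits and
# punctuation, then check the result against the post's own guidelines).
# Function names and the tiny worst-passwords set are this example's own choices.

# Constructed from the two entries the post names from SplashData's 2014 list;
# a real check would load the full published list.
COMMON_PASSWORDS = {"123456", "password"}


def abbreviate(phrase, letters_per_word=1, max_len=None):
    """Step 1: take the first `letters_per_word` letters of each word.

    Only letters count (so "That's" contributes "t"), everything is lowercased,
    and with `max_len` set we stop once that many characters are collected,
    which is the "first two letters of each word until 12 characters" variant.
    """
    collected = ""
    for word in phrase.split():
        letters = re.sub(r"[^a-z]", "", word.lower())
        if not letters:
            continue
        collected += letters[:letters_per_word]
        if max_len is not None and len(collected) >= max_len:
            break
    return collected[:max_len] if max_len is not None else collected


def substitute(abbrev, replacements, suffix=""):
    """Step 2: apply (old, new, count) replacements in order, then append punctuation.

    count=1 replaces only the first occurrence (as in t0ss5moglfm),
    count=-1 replaces every occurrence (as in 2yewinw2?).
    """
    result = abbrev
    for old, new, count in replacements:
        result = result.replace(old, new, count)
    return result + suffix


def check_guidelines(password, min_len=12):
    """Step 3: return the list of guidelines from the post that the password fails."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the worst-passwords list")
    # Character repetition and letter/number sequences (aaa, abc, 123).
    codes = [ord(c) for c in password]
    if any(codes[i] == codes[i + 1] == codes[i + 2] for i in range(len(codes) - 2)):
        problems.append("repeated character run")
    if any(codes[i + 1] == codes[i] + 1 and codes[i + 2] == codes[i] + 2
           for i in range(len(codes) - 2)):
        problems.append("sequential run")
    return problems


if __name__ == "__main__":
    # The post's three worked examples, reproduced end to end.
    examples = [
        ("That's one small step for man, one giant leap for mankind.",
         dict(), [("o", "0", 1), ("f", "5", 1)], ""),
        ("So long, and thanks for all the fish!",
         dict(letters_per_word=2, max_len=12), [("solo", "1", 1)], "!"),
        ("Time you enjoy wasting is not wasted time.",
         dict(), [("t", "2", -1)], "?"),
    ]
    for phrase, options, replacements, suffix in examples:
        abbrev = abbreviate(phrase, **options)
        password = substitute(abbrev, replacements, suffix)
        print(f"{phrase!r} -> {abbrev} -> {password}")
        print("   fails:", check_guidelines(password) or "none")
```

Running it reproduces the post's three passwords and shows that all three still fail the length guideline (they are 9 to 11 characters against the 12-to-14 recommended above) and the uppercase guideline, which is the practical reason to pick a longer phrase or take two letters per word.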

That's it, you are done! If you followed the steps with your own phrase, you now have a pretty secure and complex password that is easy for you to remember, but a nightmare for a password cracker. One check before you use it: the three examples above come out at 9 to 11 characters, short of the 12-to-14-character guideline given earlier, so pick a longer phrase, or take two letters per word, until you reach that length. When it comes time to change your password, follow this same process with a new phrase, or keep the same phrase and change which characters you take from it (every second and fourth letter of each word, for example). Because each phrase yields one password, you still need a different phrase, or a different extraction rule, for each account to honor the no-reuse guideline above. Now get out there and create some secure passwords - consistently!

Tyler Baccus