Tech Sense: Another World Password Day
I have been writing this column for just over five years now and I have written five columns (one was in two parts) about creating good passwords. In my first password column in 2015 I suggested that passwords should be at least 12 characters long. I increased that number to 13 characters in 2019 and now I am suggesting that a safe password needs to be 15 characters long or longer. This month’s column is again about passwords. I chose this month because World Password Day, a day set aside on the first Thursday of May, is observed on May 6th this year. It is supposed to remind everyone to change their passwords and generally review the security of their devices and applications.
What’s a Good password?
In general, a good password uses a mix of upper and lower case characters, digits, and symbols and is 15 characters long or longer. My advice has always been to use a clear set of rules to consistently create passwords that are easy to remember, different for each website, and hard to crack. You may choose to use a password manager, but I like to be able to remember my passwords. I might create rules like:
1. Take the last three letters of the website, so Amazon would be “zon” and Facebook would be “ook”.
2. Take the first and last digits of your car’s license plate. I will use 45.
3. Take the symbol over the first digit, so above the 4 is $.
4. Take the first character of each word in a phrase you will remember, a quote, or a lyric from a song, or a stanza from a poem. We will use “we all live in a yellow submarine” which becomes “waliays”.
5. So far for Amazon we have zon45$waliays. Wait, we only have 13 characters. Now we do something new and append a short word. I will use Sun and the password becomes zon45$waliayssun.
6. Finally, uppercase the first and last letters and every s, so the final password for Amazon is “Zon45$waliaySSuN” and for Facebook is “Ook45$waliaySSuN”.
Of course, you should create your own rules. I wrote a detailed presentation about this method of creating secure passwords in the March and April 2015 columns which can be found online.
These passwords are difficult to crack, but they are vulnerable if a careless site operator stores them in plaintext and they are exposed in a breach. Someone who sees your plaintext passwords from two or more insecure sites can spot the common elements and guess at the rules. An easy way to address this is to add a shift rule: shift each letter of the site name forward or backward in the alphabet, wrapping around at the ends. If you use a shift rule of 1 for Amazon, zon becomes apo and Facebook’s ook becomes ppl. Shifting in the other direction, zon becomes ynm and ook becomes nnj. You can also shift by more than one letter in either direction, and even shift each letter by a different amount. Keep in mind that the shift only disguises the site portion; the rest of the password (45$waliaySSuN in the example) is still identical across sites, so anyone who sees two of your passwords side by side can still recognize the shared part.
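As an added example (not code from the column; the author’s method is meant to be done by hand), here is the rule set above written as a small Python function, so you can check that your rules reproduce the same password every time, with the shift rule as an optional parameter. The rules, the digits 45 and the song lyric are the column’s own; the function and parameter names, and the meets_policy check against the 15-character, four-character-class definition given above, are my additions.

```python
# Added example, not part of the column: the six rules above plus the shift
# rule, as a deterministic function. Function and parameter names are mine.

# Rule 3: the symbol printed above each digit on a US keyboard.
SYMBOL_ABOVE = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def initials(phrase):
    """Rule 4: first letter of each word, e.g. 'we all live in a yellow submarine' -> 'waliays'."""
    return "".join(word[0] for word in phrase.split()).lower()


def shift_letters(text, shift):
    """The shift rule: move each letter `shift` places through the alphabet,
    wrapping around so that z + 1 = a and a - 1 = z. Non-letters are left alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def site_password(site, plate, phrase, extra_word="sun", shift=0):
    """Rules 1-6 from the column. `plate` is your license plate (only its
    first and last digits are used); `shift` is 0 for the plain rule set and
    +1, -1 (or more) for the shift rule."""
    tail = shift_letters(site.lower()[-3:], shift)          # rule 1 (+ shift rule)
    plate_digits = [c for c in plate if c.isdigit()]
    digits = plate_digits[0] + plate_digits[-1]             # rule 2: first and last digit
    symbol = SYMBOL_ABOVE[digits[0]]                        # rule 3: symbol above the first digit
    body = tail + digits + symbol + initials(phrase) + extra_word.lower()  # rules 4 and 5
    # Rule 6: uppercase the first and last letters and every 's'.
    chars = [c.upper() if c == "s" else c for c in body]
    chars[0] = chars[0].upper()
    chars[-1] = chars[-1].upper()
    return "".join(chars)


def meets_policy(password):
    """The column's definition of a good password: 15 or more characters with
    upper case, lower case, a digit and a symbol all present."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 15 and all(classes)


if __name__ == "__main__":
    phrase = "we all live in a yellow submarine"
    for site in ("amazon", "facebook"):
        for shift in (0, 1, -1):
            pw = site_password(site, "45", phrase, shift=shift)
            print(f"{site:9} shift={shift:+d}  {pw}  ok={meets_policy(pw)}")
```

Running it prints Zon45$waliaySSuN and Ook45$waliaySSuN for shift 0, and the apo/ppl and ynm/nnj variants for shifts of +1 and -1, each passing meets_policy. The 13-character intermediate zon45$waliays fails the check, which is the point of rule 5.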
A New Set of Rules
In April 2019 I wrote about using dice and word lists to create hard to crack passwords for locking your password manager. I have now created a new set of rules that combine the two methods.
1. Roll a single die 10 times and write down each number that comes up, giving you 10 digits from 1 to 6 in value. Let’s say the numbers are 2, 2, 5, 1, 4, 3, 5, 6, 2, 6.
2. Go to the EFF word list at https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt and look up the word on the line that starts with 22514 (the first five rolls). This is the word “degree”. Now look up the word at 35626 (the last five rolls). This is “laundry”.
3. Repeat rules 1, 2, and 3 from the ruleset in the first example, giving you zon45$ for Amazon (the symbol above the 4 is $).
4. Take the first word, degree, append a $, then zon45$, then laundry to get “degree$zon45$laundry”, which is 20 characters.
5. Now we use a modified capitalization rule: capitalize the first and last letters and every letter that follows a $. This gives us “Degree$Zon45$LaundrY” as our new Amazon password and “Degree$Ook45$LaundrY” for Facebook.
I have a new method for creating secure, easy to remember passwords coming in a future column.
While you are updating your passwords, it is also a good time to enable multi-factor authentication (MFA). MFA asks for additional proof of identity, such as a fingerprint or a number generated by an application or sent as a text message. A code generated by an authenticator app is preferable to one sent by text message, since text messages can be intercepted or redirected by a SIM-swap attack on your phone number. I use an app on my phone called Authy. When I log into an MFA-protected site, Authy generates a short one-time password (usually 6 digits) that I have to enter to access the account. I use MFA for my T-Mobile, Steam, and Amazon accounts and most of my banking accounts. I have securely stored the backup codes for my MFA sites so that I can recover my accounts if my phone is lost.
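As an added example (not the column’s code, and not Authy’s), here is how the six-digit code an authenticator app displays is computed: the TOTP algorithm of RFC 6238, an HMAC over the current 30-second time step keyed with the secret the site shares with your app when you scan its QR code. The function names are mine; the seed string in the usage section is the RFC’s published test key, and the base32 string is a demo secret, not one from any real account.

```python
# Added example, not from the column or from any authenticator app.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, take a 4-byte window of
    the tag at a data-dependent offset, keep 31 bits, reduce modulo 10^digits."""
    tag = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = tag[-1] & 0x0F
    number = struct.unpack(">I", tag[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = unix time // step (30 seconds by default)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def secret_from_base32(text):
    """Sites hand the secret to the app base32-encoded (that is what the QR code
    carries); restore any padding the site dropped."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, submitted, at=None, window=1, step=30):
    """Server-side check: accept the current step and `window` steps on either
    side to tolerate clock skew, comparing in constant time."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    seed = b"12345678901234567890"                 # RFC 6238 test key
    print(totp(seed, at=59))                        # 287082
    print(totp(seed, at=59, digits=8))              # 94287082
    demo = secret_from_base32("JBSWY3DPEHPK3PXP")   # demo secret, not a real account
    print(totp(demo), verify_totp(demo, totp(demo)))
```

Whoever holds that shared secret can produce every future code, which is why the secret (and the backup codes) deserve the same care as the password itself, and why the app only ever shows you the derived six digits.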
Too Long Didn’t Read
World Password Day is on May 6th this year and is observed by updating your passwords and verifying your security settings. Secure passwords should now be 15 characters long or longer. You should also add two-factor or multi-factor authentication if you are not already using it. Past articles related to password security can be found in my columns from March and April of 2015, January 2017, July 2018, April 2019, and January 2020. I keep repeating this topic because it is important! Until next month, stay safe online!