For most families in the Northern Hemisphere, October is not only Cybersecurity Awareness Month; it is also the time of year when scary movies and pumpkin patches take center stage. We recently took our kids to pick pumpkins still on the vine, suffer through a very bumpy hayride and line up against the eight-foot ruler to see “How Tall this Fall” they were. All of these activities were free (apart from paying for the pumpkins themselves).
But being the fun mom that I try to be, I wanted my kids to have the full experience: riding the barrel train, rolling each other down the hill in barrels, racing each other on way-too-small-for-them pedal tractors and getting lost in a corn maze. To do any of these activities, though, we had to buy a wristband.
Purpose of the wristband
We learned the color of the day was “blue.” This meant that only those with blue wristbands were allowed in that section of the farm with these “extra” activities. Not red wristbands. Not purple wristbands. Not green wristbands. Only blue wristbands.
This may not seem like a big deal… water parks all over the country require the same thing. But why do they do that?
They do it to ensure that someone who paid for a different day can’t just come back and use that same wristband without paying again. If they didn’t change out the color, a person could just reuse their wristbands or pass them off to other people.
This reminded me of password reuse. Someone who uses the same password across all their accounts is letting an attacker who compromises one account walk straight into all the others for free. A unique password for each account is the different-colored wristband that stops them at the gate.
A wristband is obviously not the strongest of access controls. But, at a family farm, it is stronger than handing someone a receipt and asking them to show it each time they enter a different section. One wristband is given to one person and is harder to pass off to another family as you leave. When it comes to passwords, you also need a reliable way to make sure that no one else can use your password once you have walked away.
What is a strong password?
A strong password is one that is easy for you to remember but difficult for someone (or something) to guess. This means it needs to meet certain criteria that make it hard to crack. It is a delicate balance, though, because you don’t want to make it so difficult that you forget what it is… especially once you have multiple passwords and know not to reuse them!
How to create a strong password
I always encourage people to enable Multi-Factor Authentication (MFA) when it is offered, so that you aren’t putting all your faith in your password. Still, there are times when you have no choice but to rely on a strong password or passphrase alone. Whenever selecting a password, remember these main password tips:
While complexity (a mix of special characters, upper- and lower-case letters and numbers) can make a password stronger, it can also make it harder for you to remember. If you must choose between a complex password you may forget and a long password that is easy to remember, go with a password of at least 15 characters. By one industry estimate, a 15-character password made only of lower-case letters would take a computer about 1,000 years to crack, while an eight-character password that uses every character class falls in about eight hours. The absolute figures depend on the attacker’s hardware and on how the site stores the password, but the gap does not: every extra character multiplies the number of guesses an attacker must make, whereas adding symbols only widens the alphabet a little. Length is the key.
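To show why length wins, here is an added example (not code from the post) that works the arithmetic behind the tip: it counts the candidate passwords an attacker must try for each policy and converts that into a worst-case cracking time. The guess rate of 100 billion per second is an assumption standing in for an offline attack on a fast hash; the times scale with it, the ratio between policies does not.

```python
import math

# Assumed attacker throughput for an offline attack on a fast, unsalted hash with a
# single GPU rig. This rate is an assumption for illustration, not a figure from the
# post; a slow hash such as bcrypt or Argon2 cuts it by orders of magnitude.
GUESSES_PER_SECOND = 1e11


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; each symbol adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words picked uniformly at random from `wordlist_size` words.

    Only valid for random selection: a famous quote, or the first letters of one,
    is already in the attacker's wordlist and earns no credit here."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(candidates: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, hours, ...)."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(policies):
    """Return (label, bits, cracking time) rows for (label, alphabet_size, length) tuples."""
    rows = []
    for label, alphabet, length in policies:
        bits = entropy_bits(alphabet, length)
        rows.append((label, round(bits, 1),
                     human_time(seconds_to_exhaust(keyspace(alphabet, length)))))
    return rows


if __name__ == "__main__":
    for row in compare([
        ("8 chars, all 95 printable ASCII", 95, 8),
        ("12 chars, lower-case only", 26, 12),
        ("15 chars, lower-case only", 26, 15),
        ("15 chars, all 95 printable ASCII", 95, 15),
    ]):
        print(*row, sep=" | ")
    # Brute-force cost of 15 lower-case letters relative to 8 fully complex characters.
    print("ratio:", f"{keyspace(26, 15) / keyspace(95, 8):,.0f}x")
    # Random words from a 7,776-word (Diceware-sized) list, assumed list size.
    for n in (4, 6):
        print(f"{n} random words from 7,776:", round(passphrase_bits(7776, n), 1), "bits")
```

Run it and the 15 lower-case letters come out roughly 250,000 times more expensive to exhaust than the eight fully complex characters, whatever rate you plug in. The same function also shows why a short passphrase from a small word list is not automatically strong: four words from a 7,776-word list give about 52 bits, on a par with the eight-character complex password, and you need six or more words before a random passphrase clearly beats 15 random letters.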
Don’t use personal information as part of your password, or any detail that could be found with a quick online search about you. That includes phone numbers and parts of your address. A single word on its own leaves you open to a dictionary attack, but you can string several unrelated words together as long as there is no common theme connecting them. Avoid common number sequences, such as 1234, and keyboard sequences, like asdf.
A passphrase goes beyond a password: string words together, or take just the first letter of each word in a phrase. This can produce a hard-to-guess password even from common dictionary words. One example sometimes used in training (which should never be used as an actual password, since everyone now knows it) is 2 be or not 2 be, that is the ?.
If coming up with a new, strong password or passphrase seems too daunting, use a password manager with a built-in password generator. The right password manager will pick strong passwords or passphrases for you, and because the manager stores them, you don’t even need to remember them.
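As one added example that is not code from the post, the following Python script turns the tips above into checks: minimum length, no keyboard or number sequences, no single dictionary word (even with digits bolted on), no personal details, and no password already on a known-compromised list (the same lists that make reuse dangerous, as discussed under “How to protect your strong password” below). It also shows the generator side from the last tip, picking a passphrase with the cryptographically secure `secrets` module. The word list, dictionary and compromised-password sample are all constructed stand-ins for illustration; a real tool would load large published lists.

```python
import hashlib
import secrets

MIN_LENGTH = 15

# Constructed stand-in word list for the generator. A real tool would load a
# published list of thousands of words; twelve words give far too little entropy.
WORDS = ["maple", "orbit", "canyon", "velvet", "lantern", "harbor",
         "pixel", "glacier", "meadow", "saddle", "thunder", "copper"]

# Constructed sample of words an attacker's dictionary would certainly contain.
DICTIONARY = {"password", "welcome", "pumpkin", "october", "summer", "letmein"}

# Constructed sample of known-compromised passwords, kept as SHA-1 digests the way
# breach-check services publish them, so no plaintext lives in the checker itself.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Summer2023", "2 be or not 2 be, that is the ?")
}

# Rows of adjacent symbols. Any four-character window of a password that lies on
# a row, forwards or backwards, counts as a sequence such as "1234" or "asdf".
ROWS = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
        "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _alnum(s: str) -> str:
    """Lower-case and keep only letters and digits, so '555-0147' matches '5550147'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def has_sequence(password: str) -> bool:
    p = password.lower()
    for i in range(len(p) - 3):
        window = p[i:i + 4]
        if any(window in row or window in row[::-1] for row in ROWS):
            return True
    return False


def is_single_dictionary_word(password: str) -> bool:
    # "Pumpkin2023!" still has the single alphabetic core "pumpkin".
    return "".join(ch for ch in password.lower() if ch.isalpha()) in DICTIONARY


def contains_personal_info(password: str, personal: tuple[str, ...]) -> bool:
    target = _alnum(password)
    return any(len(_alnum(t)) >= 3 and _alnum(t) in target for t in personal)


def is_compromised(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest().upper() in COMPROMISED_SHA1


def check_password(password: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return a list of reasons the password is weak; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_sequence(password):
        problems.append("contains a keyboard or number sequence")
    if is_single_dictionary_word(password):
        problems.append("is a single dictionary word")
    if contains_personal_info(password, personal):
        problems.append("contains personal information")
    if is_compromised(password):
        problems.append("appears on a known-compromised list")
    return problems


def generate_passphrase(n_words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Pick words with `secrets`, not `random`: the latter is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # Constructed personal details a quick search might turn up (pet name, phone).
    me = ("Rover", "555-0147")
    for candidate in ("pumpkin", "Pumpkin2023!", "asdf1234asdf1234",
                      "Rover-Fluffy-5550147", "Password123!", generate_passphrase()):
        print(f"{candidate!r}: {check_password(candidate, me) or 'OK'}")
```

The compromised-list check deliberately compares hashes rather than plaintexts; that is how public breach-check services let you query a password without sending it to them. Note that passing every check only means a password avoids the known-bad patterns above; a passphrase drawn from a twelve-word list like the constructed one here would still be easy to guess, which is why the generator in a real password manager uses a far larger list.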
How to protect your strong password
To ensure that you keep your strong password or passphrase protected from others, follow these tips:
Coming up with the ultimate strong password that is easy to remember can feel like a Herculean feat. Once you settle on one you think is iron-clad, you may be tempted to use it for everything. Resist that urge. Don’t use the same password across your accounts, and don’t bring back an old password for the same account. If your password is compromised in one place, it joins the lists of leaked credentials that attackers feed into automated login attempts (credential stuffing) against your other accounts.
In our house, we change the batteries in our smoke detectors every six months. We change our toothbrushes at least every three months (sometimes more frequently!). You should change your passwords, as well. Exactly how often depends on your risk tolerance and, honestly, the expert guidance conflicts: current NIST guidance, for example, no longer recommends forcing periodic changes for strong passwords that haven’t been compromised. For work, follow your organization’s password rules. For personal use, consider changing them every time you switch out your toothbrush (assuming you are on the quarterly schedule like us). If you believe your password was compromised, though, change it immediately.
I trust my kids… most days. But just because I trust them doesn’t mean I want them to have access to my online accounts to see what Christmas presents I may be ordering, or the ability to email my doctor. A password is meant to ensure that the person signing into an account is the right person, because once in, that person can read information, make changes and possibly make purchases. Not to mention, once someone knows your password they can use it from any of their devices… and how do you know they are as security aware as you? Their computer could be infected, and then your password could be visible to more people than you think.
The convenience of staying logged into a website is obvious. But the inconvenience of someone else impersonating you because you stayed logged in can be a far bigger headache than that convenience was worth. Especially on a device that others may have access to, such as a library computer, a hospital entertainment system or even a relative’s TV while you are visiting, make sure you sign out of your online accounts when you are done. You may not be handing over your password in plain text, but you are still handing over the ability to use it as if they were you (which may expose personal information you never intended to share).
Whether you are enjoying a day out with your family or doing some online banking, remember to use strong passwords and take extra steps to keep them secure. Encourage your family to have a quick cyber chat about the importance of selecting a strong password that is easy to remember but hard to guess. Keep each password unique, and practice consistent password security.
Remember: it is easy to stay safe online. Follow the password guidance here to help you and your family keep your accounts safe.
Read the first Cyber Chat post