Dec 07, 2022

Loose Lips Sink Ships - Creating Strong Passwords and Where to Keep Them


As the Chief Compliance Officer here at Narwhal, I consistently remind coworkers to maintain strong passwords and stop replying to emails from Nigerian princes. Most of our blog posts revolve around personal finance, which is necessary. In the age of technology, however, it's just as essential to keep our clients and readers knowledgeable on cybersecurity. For the next few months, I'll post a monthly blog on cybersecurity topics. For December, we will be covering passwords and password managers.

There is no reason to have a weak password. Your dog's name isn't going to cut it anymore. With a process known as brute force hacking, anyone can gain access to an account: a program tries guess after guess until it hits the right login. Companies regularly have their customers' data stolen, and that data typically includes your password for their site. A brute force hacking program can recover your password from that stolen data even if it's stored in encrypted form.

[Chart: Hive Systems, time to brute force a password by length and character mix, 2020]

[Chart: Hive Systems, time to brute force a password by length and character mix, 2022]

The above charts show the time required to brute force hack a password. The top chart is Hive’s 2020 chart, and the chart below is 2022. According to these charts, the perfect password must be greater than 18 characters and a mix of lower-case and upper-case letters, numbers, and special symbols. This password needs to be complex and unique for each site. Notice how there is less green on the 2022 chart: as computing power has increased, the time required to hack a password of a given length has dropped in just two years. Therefore, it’s necessary to create long passwords now.

Though this password may look secure, it’s not! The problem is that it’s too short, and substituting numbers for letters does not fool the computer.

[Image: Weak Password Example]

The 32-character password below is strong and can stand the test of time. Unless you are a cyborg, you won’t be able to memorize it. If you must remember your password, I’ll cover another option below. You probably think I’m insane for suggesting you use such a password. But if you are using a password manager, this is highly feasible.

[Image: Strong Password Example]

A password manager is a program that stores all your usernames and passwords in one place. They have an extension for your browser and will autofill your username and password when you visit a stored site. Therefore, you do not have to remember hundreds of passwords or reuse the same measly one across multiple sites. Each site can have a unique and complex password, minimizing the risk of a hack. Some will even do you the favor of creating a complex password. These managers typically have an app so that you can use these passwords on your phone. Now you only need to memorize one password to access your password manager. This password should be something secure yet easy to remember. The common suggestion is to use a passphrase.

A passphrase is a combination of random words you can remember. For example, I created this passphrase by looking at the items around me. I have a venison bar, a wooden desk, Sharpies, and a Nalgene water bottle. My passphrase is “venison wood sharpie nalgene”. Despite this phrase being all lowercase letters, it’s still secure because of its length. If you want to ensure your passphrase is genuinely random, you can use the Diceware method.

[Image: Passphrase Example]

While the passphrase may appear simple, it can be just as strong as a complex password. A long enough passphrase meets the character requirements for a secure password. Passphrases are the best route if you have multiple passwords you must memorize. Unlike the complex password, you can remember the passphrase. I find this easy to memorize, but you can create a story to help you remember your passphrase if it's too complicated. The comic below is a great example.
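The two passages above compare brute-force resistance of character passwords and word-based passphrases and mention Diceware. The script below is an added example, not from the original post or from Hive Systems: it computes the search space for each style, estimates worst-case cracking time at an assumed guess rate (the rate and the six-word sample list are my placeholders, not Hive’s figures or a real Diceware list), and shows how Diceware maps five dice onto a 7,776-word list.

```python
import math
import secrets

# Constructed stand-in for a Diceware list. A real list has 7,776 words,
# one for every outcome of five dice (11111 to 66666); these entries are
# only illustrative and are taken from the post's own example passphrase.
SAMPLE_WORDLIST = ["venison", "wood", "sharpie", "nalgene", "desk", "bottle"]
DICEWARE_LIST_SIZE = 7776          # 6**5 words in a full Diceware list
PRINTABLE_ASCII = 94               # upper, lower, digits and symbols
ASSUMED_GUESSES_PER_SEC = 1e10     # assumption for illustration only

def search_space_bits(length, alphabet_size):
    """Bits of search space for a password drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words, wordlist_size):
    """Bits of search space when the attacker knows the list and word count."""
    return n_words * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def dice_to_index(rolls):
    """Map a five-dice roll such as '31562' onto 0..7775 (base-6, digits 1-6)."""
    index = 0
    for digit in rolls:
        index = index * 6 + (int(digit) - 1)
    return index

def diceware_passphrase(n_words, wordlist):
    """Pick words with the secrets module, uniform like physical dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    cases = {
        "8 chars, mixed symbols (assumed short password)": search_space_bits(8, PRINTABLE_ASCII),
        "32 chars, mixed symbols (the strong example)": search_space_bits(32, PRINTABLE_ASCII),
        "4 Diceware words, list known to attacker": passphrase_bits(4, DICEWARE_LIST_SIZE),
        "6 Diceware words, list known to attacker": passphrase_bits(6, DICEWARE_LIST_SIZE),
    }
    for label, bits in cases.items():
        years = years_to_exhaust(bits, ASSUMED_GUESSES_PER_SEC)
        print(f"{label}: {bits:.1f} bits, ~{years:.2e} years")
    print("dice roll 31562 -> word index", dice_to_index("31562"))
    print("sample passphrase:", diceware_passphrase(4, SAMPLE_WORDLIST))
```

The takeaway matches the post: four random Diceware words sit around 52 bits even when the attacker knows the list, so add words (six or more) rather than symbols when the phrase must be memorised.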

[Image: Comic Example]

There are many password managers available. Dashlane, Keeper, LastPass, 1Password, and Bitwarden are a few that came up first on Google. You can opt for a free version that might limit you to two devices or a paid version that offers more features, like dark web monitoring. I’m sure if you listen to enough Joe Rogan episodes, you can get a coupon code for a subscription. Whether you use a password manager or keep everything in your head, please update your simple and frequently used passwords. In the next blog, I’ll cover multi-factor authentication. If you have any questions, feel free to reach out.

Sources:

https://www.hivesystems.io/

https://www.thenewoil.org/passwords.html

https://www.passwordmonster.com/

https://xkcd.com/936/

https://www.zdnet.com/article/fbi-recommends-passphrases-over-password-complexity/

Jonathan Hicks

Chief Compliance Officer

Jonathan joined Narwhal Capital Management as an intern in the spring of 2018. After completing his senior year at Kennesaw State University, Jonathan returned to Narwhal as the firm’s Associate Portfolio Analyst. Jonathan oversees day-to-day portfolio analysis tasks while simultaneously supporting the Investment Committee. He holds a Bachelor’s of Finance from Kennesaw State University.
