Will Your Passwords Be Unbroken?

We know what you’re thinking: “Strong passwords, change your password, don’t Post-It to my computer monitor, blah-blah-blah . . . I already *know* all that!” You may be surprised to learn that “Password Wisdom” has been changing over the last several years. And this month, we want to make sure you’re in the loop! Here are suggestions and resources to help you protect your online information and simplify managing your passwords.

Password Management
Each of us maintains many online accounts. If we have taken a safe approach, each of those accounts should have a complex, unique password. But it is simply impractical, and possibly impossible, to remember a large set of complex, unique passwords or to keep straight which password to use for which account. To simplify your task, we recommend grouping your password complexity into three levels of security: low, medium and high. Reserve the very complex, highly unique passwords for the accounts that most benefit from the highest level of security.

  • Use a highly secure password for your banking and sensitive work accounts. Maybe a long “passphrase” with numbers, caps and special characters.
  • Use a medium password for less critical, but still personal stuff (like Facebook or LinkedIn)
  • Use a simpler password for “junk” accounts - ones with zero access to your personal or credit card information like a Bengals fan forum or recipe site
  • Don’t reuse your passwords. Just like your toothbrush, once you replace it, don’t put it back in rotation.

Store your passwords somewhere safe.

Because you’re going to have *several* (if not many) passwords, yes, you can write them down. Just make sure to protect them like your other valuables - maybe in your wallet or a locked drawer. Or, consider an online “password manager” like LastPass, Dashlane, or 1Password (these let you remember one *super secure* password to a site that safely catalogs all your others).

How to Create Strong Passwords and Passphrases

The more random, the better. But to keep them memorable, try these tips:

Create Acronyms
Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.

Use Substitutions
Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son's birthday is 12 December, 2004 could become Mi$un's Brthd8iz 12124, which would make a good passphrase.

A strong password:

  • Is at least eight characters long
  • Does not contain your user name, real name, or organization name
  • Does not contain a complete word
  • Is significantly different from previous passwords

A strong passphrase:

  • Is 20 to 30 characters long
  • Is a series of words that create a phrase
  • Does not contain common phrases found in literature or music
  • Does not contain words found in the dictionary
  • Does not contain your user name, real name, or organization name
  • Is significantly different from previous passwords or passphrases
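As an added illustration (not part of the original article), the following Python turns the strong-password and strong-passphrase rules listed above into a checker that reports which rules a candidate fails. The mini word list and the 0.7 similarity threshold are assumptions standing in for a real dictionary and for "significantly different".

```python
import difflib

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "december", "birthday", "son", "bengals", "recipe", "summer"}
IDENTITY_RULE = "must not contain your user name, real name or organization name"
SIMILARITY_RULE = "must be significantly different from previous passwords"

def _contains_dictionary_word(text, min_len=3):
    lowered = text.lower()
    return any(word in lowered for word in DICTIONARY if len(word) >= min_len)

def _contains_identity(text, names):
    lowered = text.lower()
    return any(name and name.lower() in lowered for name in names)

def _too_similar(text, previous, threshold=0.7):
    # The article does not define "significantly different"; here it means a
    # difflib similarity ratio below 0.7 against every previous secret (assumption).
    return any(difflib.SequenceMatcher(None, text.lower(), old.lower()).ratio() >= threshold
               for old in previous)

def check_password(pw, user_name="", real_name="", org_name="", previous=()):
    """Return the strong-password rules from the article that pw fails (empty = passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("must be at least eight characters long")
    if _contains_identity(pw, (user_name, real_name, org_name)):
        failures.append(IDENTITY_RULE)
    if _contains_dictionary_word(pw):
        failures.append("must not contain a complete word")
    if _too_similar(pw, previous):
        failures.append(SIMILARITY_RULE)
    return failures

def check_passphrase(phrase, user_name="", real_name="", org_name="", previous=()):
    """Return the strong-passphrase rules from the article that phrase fails."""
    failures = []
    if not 20 <= len(phrase) <= 30:
        failures.append("must be 20 to 30 characters long")
    if len(phrase.split()) < 2:
        failures.append("must be a series of words forming a phrase")
    if _contains_identity(phrase, (user_name, real_name, org_name)):
        failures.append(IDENTITY_RULE)
    if _contains_dictionary_word(phrase):
        failures.append("must not contain dictionary words")
    if _too_similar(phrase, previous):
        failures.append(SIMILARITY_RULE)
    return failures
```

Running the article's own examples through it, `Msbi12/Dec,4` and `Mi$un's Brthd8iz 12124` pass, while `December2004` or a yearly bump such as `Summer2023!` to `Summer2024!` fail the complete-word and similarity rules.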

Password FAQ

Q: Why can't I use the same password for all my accounts?
A: Well, you can, but you shouldn't. If your only password is compromised, all your accounts are compromised, too. The same logic applies to re-using a password on a different account.

Q: Why does a password have to be so complex?
A: Hackers are using very fast, very powerful password cracking algorithms that can process innumerable combinations of readily available words, dates, addresses, names, commonly used passwords, colors, teams, characters, quotations, titles, and letter/character substitutions (such as ! for 1, or $ for S). The less your password relies on common words, dates or substitutions, the harder it is to crack programmatically.
