Tom Van ‘t Veld
The sense and nonsense of passwords
The most common password in the world (and also in Belgium)? Still leading this year…: 123456. And an honorable second place for “qwerty”. It continues to amaze me how many people are still unaware of why a good password is important. “Oh well, my bank accounts are protected by more than those silly passwords, so really there is no issue” is what many people think.
But there is…
You are more identifiable than you think.
The issue is that you carry and move around a lot more important information than you realize. Have you ever e-mailed yourself a copy of your identity card? Or a scan of a contract, with your signature on it? Once a somewhat savvy hacker gets to these things, he or she can basically get access to everything. You’d be surprised how little information is actually needed to start a mobile phone contract or even open a bank account in your name, without you being aware about it.
Make it lengthy, not logical
Now, a lot has been written about good passwords. At Xylos we talk about the subject ourselves in the courses and trainings we offer. Basically, a decent rule of thumb, when creating a new online account of some sort, remains this:
- At least 8 characters
- At least 1 capital letter, 1 number and 1 character
However, these rules can still be cracked rather easily. Michael McIntyre describes it brilliantly in his comedy skit about passwords (for now, stick with me here, I’ll share the link later ????). If there is one rule I’d suggest you really remember, it is to make your password lonnnggggggg. It’s also best not to use too much logic, because logic is basically what hackers are craving for. It’s what makes you analyzable.
So, no kiss (“keep it short and simple”). Make it a long password. That’s very easy to make, isn’t it?
There you have it: a great password.
You are welcome. The last sentence in the previous paragraph gets you a nice, long and random password: “That’s very easy to make, isn’t it?” contains 29 characters (spaces not included), one capital letter and two characters. A simple test online tells me that cracking this password would take ages.
Another option, that could be pretty memorable for one given person, yet practically impossible to crack for a cybercriminal: Ittrl?Itjf?CialNefr. It actually constitutes the first letter of the first verse of Bohemian Rhapsody by Queen. Maybe, there’s a song – or even better, a specific verse in a song – that you like?
Don’t forget to mix it up.
Another important tip is to vary your passwords as much as possible. You should do so per online account. At the very least, differentiate between your work and personal account’s passwords. An easy way is to take your default password and add a reference to the site at the end.
For example: MyWord@Ntflx or MyWord=Sptfy. Also, don’t try to use the words themselves exactly, as that would be too simple again.
About “Memorizing” your passwords… and MFA:
I know, it’s not easy. Just so you know, there are applications that can remember them for you. Often, blogs refer to password managers like Lastpass, but know that many web browsers like Chrome or Edge have this built in as well these days.
Personally, I use Edge because it is linked to my Microsoft 365 account and it is built into most of the applications I use anyway. And the advantage of that is that my Microsoft 365 account is additionally secured with something that is much more important than a strong password, namely Multi Factor Authentication.
MFA is a way to make your accounts extra secure because you have to confirm on a second device (usually your smartphone) that it is indeed you. You can set this up for most major sites, such as Office 365, Google and Facebook.
So if a hacker somehow found out what my password is and tried to log on to my profile, I would be notified. As long as I don’t confirm on my second device, they can’t log in. When you see this happen on a regular basis (you usually also get an email of the login attempt), then you know that your password is cracked and it is time to start refreshing all your account passwords.
In the past, it was often said that you should change your password every three months. The problem is that that change is often so small (for example, adding a digit at the end and increasing it by one) that hackers can guess it without any effort. Understandable: nobody is in a creative mood, all the time. So if it’s too much trouble, at least apply the MFA method, it’s going to protect you much better in the end than all those (un)sensible passwords.