Passwords, Passphrases, and Password Managers

CyberHoot Logo

[Editors Note: I was approached by the author of a Password Checking Tool which improves the results by not only reporting on how long your password will take to crack, but also checking the hash of it to see if it’s been reported in the dark web as exposed somewhere.  This is a valuable tool and I hope you’ll give the author some positive feedback.  Check your Password Strength and Exposure Here ]

Welcome to Cyber “Hoot” Wednesday. On Wed. Cyber Al will be publishing a series of cybersecurity articles outlining the most important concepts you need to understand and skills you need to learn to protect yourself personally and professionally. Grab a cup of coffee, sit back, relax, and read on! We’re glad you’re here.

How secure are your Passwords?

According to the 2018 Verizon Data Breach Incident Report (aka: DBIR), nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more. Unsurprisingly, about 40 percent of those surveyed say they had “a security incident” in the past year, meaning they had an account hacked, password stolen, or were given notice that their personal information had been compromised”.

It’s no secret that passwords are a pain. Using them safely and effectively is even harder. Read on to learn about the best practices you may not know you didn’t know.

Have my Passwords been Breached?

Unless you’ve invested the time to learn a password manager, then you’re probably like most people and are re-using passwords everywhere you go online. More than 8 Billion passwords have been publicly reported breached. And that’s just the tip of the iceberg as many more passwords and credentials have been breached but not publicly reported! As a result you may be surprised to learn that your favorite passwords are likely to have already been breached! You can check here to find out where, when, and what was breached:

July 2019: 8+ Billion breached passwords publicly disclosed.

Are you using a Password Manager?

Password Managers are purpose built applications that are installed on your phone and inside your browser as a “plugin” and they encrypt your critical passwords, passphrases and other data such as credit cards and even drivers licenses for easy but secure reference. When it comes time to log into a website, they will fill your username and password into that website if they find a match in your database of stored accounts based upon the domain name or website name you are visiting. I find them to be the single best productivity solution I’ve learned in the last 20 years. However, Password Managers must be protected with a 16-20 character passphrase that you carefully create and practice so that you never, ever, EVER, forget it! Don’t write your Password Manager Passphrase down. Learn it and practice typing it 10 times before you commit to using it. If you lose or forget your Master Passphrase, your data will be lost!

Pro TIP: Password Managers can sometimes save you from being compromised by a phishing attack. They simply won’t provide your credentials to log into a bogus website. Let’s say your being phished and you click a link to log into GMAIL, but the website you actually visit is (the i is a 1). If you’re using a password manager, it will remain mute and not give up your password because it cannot be fooled by the incorrect domain name. If you are a professional Password Manager user, you won’t even know your password to the site to type it in manually, because pro users leverage the Random Password generator for each of their logins providing even more protection. Cool right?!

Password Security

Even with Password Managers, passwords just aren’t going away any time soon. Consequently, you need to know how to create a strong password (or better yet a strong passphrase)to protect yourself. The remainder of this article will show you easy ways to create super-strong passphrases and why learning how to use a Password Manager is the best way to protect your critical information, accounts, and identity!

How to create a super-strong passphrases

1. Think of a multi-word phrase: you can use your favorite song lyrics, poem, book phrase, or your imagination to create idea statements (passphrases) that will be memorable to you but hard to guess by hackers.

Here are some examples to get you thinking:

  • People like 2 phish!
  • Ham windows smell.
  • Tiger fins R not real.

The above are considered super-strong passphrases. They are much harder for hackers to breach than even a randomly generated “9-character” password like this: x&3h10_!E.  This is due to the enormous gains in entropy that come with the length of each phrase.  The longer the passphrase, the stronger and more difficult it is to hack. With today’s computer hardware advances, a sub-$2000 machine can crack your randomly generated 9-character password in less than 5 days via brute force attack. Here’s a free password strength meter to see what I mean and to test your own passwords with.

Password TIPS:

1. Make sure you use 15-20 (or more) characters in your passphrase.

2. Use a Passphrase to unlock your Password Manager.

3. Let your Password Manager generate, fill and store randomly generated passwords for the rest of your online accounts.

4. Don’t write passwords down or store them in a spreadsheet or electronic document unless you encrypt it with 256 bit AES encryption.

5. Use unique passphrases to unlock your computer desktop or laptop.

6. Convince your IT Director to migrate to 14+ character non-complex, non-expiring passphrases at your workplace and stop changing them every 90 days.  Adopt these NEW NIST password standards. You’ll be happy you did; especially if you also learned how to use a Password Manager.

7. Many Password Managers are free for personal use. Learning to use a password manager is like learning to type. Difficult at first, but once you get the basics down you’re way more productive and in this case, much better more protected personally and professionally.

8. For really critical accounts (Banking, Email, remote access to your company on a Virtual Private Network) you must enable two-factor authentication. Most often this is a text message to your cell phone that you pair with your username and password creating two things that you must provide to authenticate. Thus it is called two-factor authentication. Two-factor (aka Multi-Factor) authentication will be the subject of next weeks CyberHoot Wed. article so come back next Wed. for another installment of Cyber Al’s Wed. Cyber Hoots!

Please take a moment to like us on Facebook and Follow us on our Linked In page. It will ensure we’re here supporting Small to Medium-sized businesses for the long run. Thanks!

Craig, Co-Founder – CyberHoot

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.

Leave a Reply

Your email address will not be published. Required fields are marked *