Cyber Security Awareness - Lesson 2

Cybersecurity Awareness

A Few Words About Passwords


The first line of defense against cybercriminals is your passwords. Put simply, these
are what you enter to access any device, software, or site that’s also available to
others.

The problem is, passwords are one of the areas where end-users spend the least
amount of effort. They consider passwords an inconvenience. This impatience
results in weak passwords that let anyone into their system.

For example, Splashdata maintains a Worst Passwords list. At the top of the list are
items such as numbers in a sequence … like 1-2-3-4-5-6… and easily guessed strings
such as: password, qwerty, football, baseball, welcome, abc123, 111111, login,
letmein, and similar stuff. It doesn’t take a genius hacker to figure these out.

So what should you do to maintain effective, strong passwords: ones that are
harder to guess, and more difficult to crack?

First … Keep your password secure. An amazing number of passwords are listed on
sticky notes attached to the bottom of the monitor. Or stuck underneath the mouse
pad. Or kept in an unprotected file on the PC desktop.

If you write your passwords down, keep the sheet in a securely locked place. If you
keep passwords in a word or spreadsheet file, at least password-protect the file.
That won’t stop hackers, but at least it will frustrate the casual snooper.

Don’t share your passwords with anyone. It may not seem like a big deal to let a
coworker or a family member know your password. But every other person and
device that uses your password is just one more entry point for a black hat to get
to you.

Make sure no one watches you enter your password. All it takes is someone looking
over your shoulder in a public place, and you’re compromised.

Avoid entering passwords on devices you don’t own or control, like at a hotel or a
library. Black hats can install key-logging software that records everything you type,
without you knowing it. Those characters can then be retrieved later and then used.

© 2021 Business Training Library


All Rights Reserved.

Don’t use the same password for multiple sites. A study by Lawless Research found
that more than 71% of accounts are protected by a reused password. Don’t even use
variations for different sites. If someone gets your master password, then they have
access to everything, from social sites, to sensitive personal information, to financial
institutions, to retail sites.

Don’t use single regular words, regardless of the language. Normal words are easy
for black hats to figure out using an electronic dictionary. All they have to do is cycle
through the possibilities, all at computer speeds, until something works.

Don’t include any personal information. You don’t want your password to have
anything like: a part of your name, your social security number, your birthday, a
family member name, or a street address number. There are only so many ways to
combine these, and most of that information can be obtained from public sources.

Don’t use common words or names. It may seem fun to use some pop culture
reference, or to combine the names of the heroes of the latest Marvel movie, but
black hats watch the same things you do, and can include them in their guesses.

Avoid patterns of letters or numbers. Don’t list characters repetitively. Don’t use
common sequences, such as the numbers in order, or the top row letters of the
keyboard. Also, you can’t rely on common words spelled backwards. If there’s any
pattern to what you do, a black hat will find it, because you’re just one of thousands
who’re doing it.

If the system allows it, include special characters in your password. These are the
shift-top-row characters such as dollar sign, pound sign, or ampersand.

Also, use them where they’re not expected. Dollar-sign is often used for “S,” at-sign
is used for “A,” a three is used for an “E,” or a zero is used for an “O” … and hackers
know it. Instead, insert special characters or numbers at odd points in the
password.
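The rules above (no common words, no personal information, no sequences or repeats, no reversed words, no expected substitutions) can be checked mechanically when a password is chosen. The following is an added example, not part of the lesson: the function names, the 12-character threshold and the four-character run length are assumptions, and the word list holds only the strings the lesson quotes.

```python
import re

# Strings quoted in the lesson's "worst passwords" paragraph; a real screen
# would load a much larger list of known-bad passwords (assumption).
WORST = {"password", "qwerty", "football", "baseball", "welcome",
         "abc123", "111111", "login", "letmein", "123456"}
# Expected substitutions named in the lesson: $ for S, @ for A, 3 for E, 0 for O.
LEET = str.maketrans({"$": "s", "@": "a", "3": "e", "0": "o"})
# Common sequences: digits in order, the alphabet, keyboard rows.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_sequence(text, run=4):
    """True if text contains `run` consecutive characters of a known
    sequence, forwards or backwards."""
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in text:
                    return True
    return False


def weaknesses(password, personal=()):
    """Return the lesson rules that the candidate password breaks."""
    lower = password.lower()
    plain = lower.translate(LEET)  # undo the expected substitutions
    found = []
    # Check the password as typed, de-substituted, and each of those reversed.
    if any(f in WORST for f in (lower, plain, lower[::-1], plain[::-1])):
        found.append("common password (possibly substituted or reversed)")
    if has_sequence(lower):
        found.append("keyboard or numeric sequence")
    if re.search(r"(.)\1{2,}", lower):  # same character three or more times
        found.append("repeated characters")
    if any(p and (p.lower() in lower or p.lower() in plain) for p in personal):
        found.append("contains personal information")
    if len(password) < 12:  # threshold is an assumption, not from the lesson
        found.append("shorter than 12 characters")
    return found
```

An empty list means none of these specific rules were broken; it does not mean the password is strong.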

Make your password as random as possible. Don’t use a common phrase, or a
grammatically correct sequence of words. Use a totally random character
sequence. Or if that’s too hard to memorize, use some sort of trick, such as using
the first letter of the words from a line of poetry, a song lyric, or a phrase.


If remembering the password is a problem, then combine random words. To make
things more difficult for hackers, throw in random characters or numbers in
unexpected places.

Use a weird form of capitalization. Capitalize the second letter of every word. Or
simply capitalize randomly. When it comes to passwords, the shift-key is your
friend.

Make your passwords longer. Many times black hats use a brute force,
trial-and-error method, where they simply cycle through all the possibilities.
Therefore, the longer the password, the longer it takes to hack. For example, the
password book-bunny-table-sock-hiccup—words with no correlation to each other—is
a strong password, especially if you include some numbers and characters. Longer
is better.

That said, black hat software can cycle through possible passwords amazingly fast.
Since data containing passwords gets hacked all the time, some organizations
might require you to change your passwords regularly … even as often as every
three to six months.

But there’s a trade-off. According to the National Institute of Standards and
Technology, this practice of constantly changing passwords is going away.
You’re better off using a strong password for a longer period, rather than using a
series of weak passwords because you’re being asked to change them so
frequently. You’re not doing yourself any good if you merely increment your
password with a character or two each time you update it. EVERY password has to
be strong, and it’s common practice to change them if there’s evidence of a
compromise.

Choose your security questions carefully. Many sites allow you to recover or reset a
password that you’ve forgotten, by answering some personal questions that
apparently only you know. Make sure that’s actually the case. Things like a school
you attend, a pet’s name, the car you drive, or your mother’s maiden name could
possibly be obtained from public information or from social sites.


Consider using a password manager. There are a number of third-party software
options that consolidate your password control into a single application. And some
browsers also have password managers built-in. Even if these aren’t totally secure
themselves, they can help you create passwords that are MUCH harder to hack.

And finally … If, after watching this program, you realize that your passwords are
weak … THEN DO SOMETHING ABOUT IT!

Don’t just sit there and think, “Huh. I do a lot of those things. One of these days I’ve
got to sit down and go through all my sites and upgrade my passwords.”

If you do that, you'll never find the time. And you don’t really care, until you’ve had
your identity stolen, your bank account emptied, your data held for ransom, or your
company hacked because of you. Then the whole password issue becomes vitally
important.

With all this said, please understand that a strong password isn’t a rock-solid
solution to cybercrime. It’s a deterrent, and an essential first line of defense. Now
go change those passwords!
