The Coalfire Blog
The hackerproof password? Tips and advice on password management
May 02, 2012, Kennet Westby, President and COO
Having a security expert tell you that you should create strong passwords that are unique to each account and changed frequently is like your dentist telling you to floss morning, night and after every dentally dangerous food. Most of us say, “yeah, right”. The truth is that you really must do better than what the average person does today. In our penetration testing and forensics practices we constantly find otherwise very intelligent people using the same weak password or PIN across every account and never changing it.
We are now seeing scenarios where a single service provider is hacked, passwords are captured or exposed, and that information is then used by hackers to compromise almost every account some users own. The bottom line is that consumers must create strong passwords that can’t be cracked by guessing or brute force, and they should never use the same password for multiple accounts.
For those who want to break their bad habits and keep their voicemail, banking, Twitter, Facebook, email and shopping experiences private and secure, I have provided the following tips.
Techniques for Creating Hacker-Proof Passwords:
Use base themes to create your passwords or passphrases; it makes them easier to create and remember. Come up with a new theme every quarter. For example, I would take March Madness as this quarter’s theme and build the base password from my Final Four bracket picks for the national championship: 1. University of Kentucky, 2. Ohio State, giving a base password of 1UK2OhioST. From this base password you can create a derivative for each site.
For an online banking account at Bank of America I would use 1UK2OhioSTBoA, and for Facebook I would use 1UK2OhioSTFB. This approach gives you fresh passwords every quarter that you have a real chance of remembering. There is a risk of password guessing if the base password or one account’s derivative is compromised, but the risk is low and the approach is much more secure than what most people do, which is reusing one password across accounts.
For a slightly more secure derivative I recommend appending the first and last initials of your favorite film or sports star and the year they were born. An example would be NBA star Kevin Durant of the Oklahoma City Thunder; the password would be 1UK2OhioSTKD1988.
This looks like a complex, hard-to-remember password, but with this technique it is rather easy: I only have to remember one base password derived from the theme, plus the individual associated with each account, which does not have to change. Using a public figure means you can always look them up on Wikipedia if you ever forget. You can even keep cheat notes without exposing any of the secrets, for example “Facebook = March Madness Oklahoma City”.
When managing multiple PINs, usually 4 digits, for your bank card, voicemail, phone lock screen and so on, I like to associate something with each account. For my bank card I might use the last 4 digits of the mileage on the oil change sticker in my car; every time I get an oil change, every 3K miles or so, I also change the PIN. On my phone I change the unlock PIN to a random co-worker’s phone extension every 2-3 months. These techniques let me use a different PIN for each account and device while still having a friendly reference point for recalling it without having to reset the account.
For individuals with ultra-secure accounts, high profiles or a very large number of accounts, I recommend secure random password generators and password vault applications. These give you passwords that are unique per account and very strong, plus encrypted storage to keep them safe, since you will likely not remember them and need a secure, easy way to look them up.
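The kind of secure random generator recommended above, as an added example that is not from the original post or from Coalfire. It draws from the operating system's CSPRNG via Python's `secrets` module, uses an assumed 75-character alphabet (four character classes), and includes an entropy helper so you can compare guess spaces (a 4-digit PIN, for instance, is about 13.3 bits).

```python
import math
import secrets
import string

# Character classes every generated password must cover (assumed alphabet).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 13 = 75 characters


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).

    Use it to compare guess spaces, e.g. entropy_bits(4, 10) for a 4-digit PIN.
    """
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True if at least one character from every class appears in pw."""
    return all(any(c in chars for c in pw) for chars in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Generate a password from the OS CSPRNG, retrying until every class appears.

    Rejection sampling keeps the result uniform over the accepted set, unlike
    the common 'pick one from each class, then shuffle' shortcut, which biases
    the distribution. secrets.choice never falls back to a seeded PRNG.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    candidate = generate_password(20)
    print(candidate, f"~{entropy_bits(len(candidate)):.1f} bits")
```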