The hackerproof password? Tips and advice on password management

Kennet Westby, President and COO

Having some security expert tell you that you should be creating strong passwords that are unique per account and changed frequently is like your dentist telling you that you should floss morning, night and after consuming any dentally dangerous foods. The majority of us say, “yeah right”. The truth is that you really must do better than what the average person is doing today. In our penetration testing and forensics practices we constantly discover otherwise very intelligent people using the same weak password or PIN across every account without ever changing it.

We are now seeing scenarios where a single service provider is hacked, passwords are captured or exposed, and that information is then used by hackers to compromise almost every account some users own. The bottom line is that consumers must create strong passwords that can’t be cracked through guessing or brute force, and they should never use the same password for multiple accounts.

For those who want to break their bad habits and keep their voicemail, banking, Twitter, Facebook, email and shopping experiences private and secure, I have provided the following tips.

Techniques for creating hacker-proof passwords:

Use base themes to create your passwords or passphrases; a theme makes them easier to create and remember. Come up with a new theme every quarter. For example, I would take March Madness as the current quarter's theme and build the base password from my Final Four bracket picks for the national championship: 1. University of Kentucky, 2. Ohio State, giving a base password of 1UK2OhioST. From this base password you can create derivatives for each site-specific use.

For your online banking account at Bank of America I would use 1UK2OhioSTBoA, and for Facebook I would use 1UK2OhioSTFB. This approach gives you fresh passwords every quarter that you have a chance of remembering. There is a risk of password guessing if the base password or an account derivative is compromised, but the risk is low, and the approach is much more secure than what most people do, which is reuse one password across accounts.

For a slightly more secure derivative I recommend appending the first and last initials of your favorite film or sports star and the year they were born. An example would be NBA star Kevin Durant of the Oklahoma City Thunder: the password would be 1UK2OhioSTKD1988.

This looks like a complex, hard-to-remember password, but with this technique it is rather easy: I only have to remember one base password derived from the theme, plus one individual associated with each account, and that association never has to change. Using a public figure means you can always look them up on Wikipedia if you ever forget. You can even write cheat notes without exposing any of the secrets, for example Facebook = March Madness Oklahoma City.

When you are managing multiple PINs, usually 4 digits, for your bank card, voicemail, phone lock screen, etc., I like to associate something with each account. For my bank card I might use the last 4 digits of the mileage on the oil change sticker in my car; every time I get an oil change, every 3K miles or so, I also change my PIN. On my phone I change my unlock PIN every 2-3 months using a random co-worker's phone extension. These techniques let me use a different PIN for each account and device while keeping a friendly reference point for recalling the PIN without having to reset the account.

For individuals with ultra-secure accounts, high profiles or a very large number of accounts, I recommend using secure random password generators and password vault applications. These give you passwords that are unique per account and very strong, plus encrypted storage to keep them safe, since you will likely not remember them and will need a secure and easy way to look them up.
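As an added example that is not part of the original post, the Python script below shows what a secure random password generator actually does: it draws every character from the operating system's cryptographic random source through the standard `secrets` module and reports how much entropy the result carries. The character set, the 16-character default and the rule that every character class must appear are assumptions of this example, not requirements stated in the post; the entropy figure only applies to characters chosen uniformly at random, not to passwords a person composes by hand.

```python
import math
import secrets
import string

# Character classes the generator draws from (assumed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
ALPHABET = "".join(CLASSES.values())  # 75 distinct characters


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a password whose characters are chosen uniformly and
    independently from an alphabet of `alphabet_size` symbols: length * log2(size).
    Requiring every class to appear removes a negligible fraction of the space
    at these lengths, so this is a close upper bound for generate_password()."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in chars for c in pw) for chars in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Return `length` characters drawn with secrets.choice (the OS CSPRNG).
    Candidates are rejected until every class is present; rejection sampling
    keeps the draw uniform over qualifying strings, whereas 'pick one from each
    class, fill the rest, then shuffle' would bias the distribution."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_pin(digits: int = 4) -> str:
    """Uniformly random numeric PIN, zero-padded, via secrets.randbelow."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "%.1f bits" % password_entropy_bits(len(pw)))
    print(generate_pin(), "%.1f bits" % password_entropy_bits(4, 10))
```

Running the script prints a fresh password and its entropy; with a 75-symbol alphabet a 16-character password carries just under 100 bits, which is the kind of strength the post has in mind when it recommends a generator plus a vault rather than memorization.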

Kennet Westby
