Expert Gives Example Of A Secure Password That Employees Can Remember
By Neil Farquharson
I love to study the follies of the human condition: how intelligent people sometimes do the silliest of things. For example, the police who searched the home of Adam Magee for a robber and, when finding no-one, declared the house clear and then left – the robber was hiding under the bed.
Then there is poor Gregorio Iniguez, once the general manager of the Chilean mint. The agency that presses Chilean coins minted 1.5 million 50-peso coins with Chile spelled “CHIIE.” The blunder cost Señor Iniguez his job, and the coins remain in circulation to this day.
What’s more, there are the improbably obvious passwords that people use to “protect” their on-line accounts. It is still a few days yet before the 2016 list of worst passwords is published, so I thought I’d review SplashData’s 2015 list from last February. Still at Number One from the previous year, we had the world’s favorite password: 123456. While at number three came 12345678, closely followed by 12345, 123456789, 1234 and 1234567 – can you see a pattern emerging here?
More interesting entries, still in the top 25 worst passwords of 2015, were password, qwerty, login and another old favorite, baseball. And I was particularly pleased to see a new entry, starwars, being a big fan myself.
It is all well and good agreeing on the importance of security, but people need access to their accounts, their information, their data NOW! For most employees in the workplace, being productive means there is no time left for complex, non-value-adding tasks such as keeping a list of difficult-to-crack passwords. That is why people need something that is both memorable AND difficult for outsiders to crack.
In general, users are getting better at creating passwords. Brute-force attacks used to go through the dictionary (aardvark, abacus, abandon and so on) and people’s names such as Abagail, Abbi, Aby, etc. We countered this by adding a special character and a number to create passwords such as Joseph$3. The trouble is that password-cracking algorithms now routinely break these passwords too: they expect a word or name, followed by a special character, followed by a one- to four-digit number. Hence, to protect your business, you need to rearrange your passwords: for example, bring the numbers to the beginning instead of the end, salt the password throughout with special characters, and don’t use names, place names or English words. But do pick something that is easy to remember.
For example, pick a favorite song for which you know some of the lyrics – Pharrell Williams, Taylor Swift, Andrea Bocelli, it’s up to you. Pick a memorable date too and go from there. For my example, I am picking the U.S. National Anthem, adopted in 1931. I shall put the numbers at the beginning, but substitute the character ! for each 1, giving !93!.
Next, I’m going to take the first letter of the first few words: O say can you see, by the dawn’s early light.
However, you need to insert a factor unique to you – something your employees will remember, but no-one outside your business will guess. As an example, when I was very young, I’d mishear the national anthem being sung on television. I thought people were singing about a young man named José who had vision problems. Hence I thought I heard: José can you see, by the dawn’s early light.
Thus for my example, a password employees will remember is !93!Jcysbtdel.
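The recipe above, as an added example in Python (my own illustration, not the author’s code): it builds the password exactly as the article does and screens candidates for the traits the article says crackers now target. The regex for the word-plus-symbol-plus-digits shape and the short worst-password set are assumptions constructed from the text, not the full SplashData list.

```python
import re
import string

# Worst-password entries the article names from SplashData's 2015 list
# (a constructed subset taken from the text above, not the full list).
WORST_2015 = {"123456", "12345678", "12345", "123456789", "1234", "1234567",
              "password", "qwerty", "login", "baseball", "starwars"}

# The shape the article says crackers expect: a word or name, one special
# character, then one to four digits (e.g. Joseph$3). Assumed regex.
WORD_SYMBOL_DIGITS = re.compile(r"^[A-Za-z]+[^A-Za-z0-9]\d{1,4}$")


def mnemonic_password(year, lyric, digit_map):
    """Build a password the way the article does: digits first (with the
    given substitutions, e.g. {"1": "!"}), then the first letter of each
    word of a lyric the user personally remembers."""
    prefix = "".join(digit_map.get(ch, ch) for ch in year)
    words = [w.strip(string.punctuation) for w in lyric.split()]
    initials = "".join(w[0] for w in words if w)
    return prefix + initials


def weak_patterns(password):
    """Return the cracker-friendly traits the article warns about that this
    password exhibits; an empty list means none of them apply."""
    found = []
    if password.lower() in WORST_2015:
        found.append("on the 2015 worst-password list")
    if WORD_SYMBOL_DIGITS.match(password):
        found.append("word or name + symbol + 1-4 digits")
    if re.search(r"\d+$", password):
        found.append("ends with a run of digits")
    return found


if __name__ == "__main__":
    # The article's own worked example: anthem year 1931, 1 -> !, misheard lyric.
    pw = mnemonic_password("1931", "José can you see, by the dawn's early light", {"1": "!"})
    print(pw, weak_patterns(pw))                # !93!Jcysbtdel []
    print("Joseph$3", weak_patterns("Joseph$3"))  # two findings
```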
Hackers will never guess this character sequence. However, give your employees a similar story behind a password, and they will always remember it.