Much has been said about the recycling of passwords and, in spite of that, 57% of users still recycle passwords. This means that the password you use for your bank account is the same password you use for social media accounts or to order pizza. Whenever any of these organizations gets hacked and all the passwords are spilled onto the black market, it is not difficult to access all of your accounts, because there is a 57% chance the same password used on the pizza website will take the cyber intruder to your bank account.

Why is it so difficult for people to embrace a system of secure passwords?

One thought is that problems in the cyberspace domain do not cause a physical reaction or immediate fear like the fear you would feel if a knife-wielding thief approached you at the ATM. What if I were to tell you that:

  1. You can have 20+ different passwords
  2. You can keep them in apps like Notes (iPhone) or Evernote (other smartphones)
  3. You will not have to rely on systems like LastPass (which was hacked already) or any other third party to hold the key to your important information

Would you believe me? It’s true!

Here is the process:
Select a phrase that has meaning for you, but that you have not posted on social media platforms. For this example I will use United We Stand Divided We Fall. Then, take the first two characters of each word in that phrase to create a baseline: UNWESTDIWEFA.

This baseline contains fragments that are dictionary words in various languages, and it is still not secure. Using the Leet alphabet (an alternative alphabet), convert the vowels, and the letter L, into numbers like this: A=4, E=3, I=1, O=0 and L=7. The baseline will then look like this, using the upper- and lower-case pattern of your choice: UnW3StD1W3F4.

Although this new combination is a better-constructed password, it is still easy to crack. So, to make the life of cyber crooks more difficult, we will add any of the following markers: ! @ $ &. Insert these markers no farther than the fourth character from the beginning and from the end. It will look something like this:

This password is still short: we want to see at least 16 characters. So, you can add your favorite numbers at the end: !UnW3StD1W3F4$5326

Now we have a password that, with today’s technology, will take about three months to crack. A password that cannot be cracked within 24 hours is useless to cyber crooks, who need to turn things around quickly.

How can you make a password like this for each of your accounts?

If the password you created above, !UnW3StD1W3F4$5326, is for your email account, change it to U!nW3StD1W3F4$5326 for a social media account, and then change it again to UnW!3StD1W3F4$5326 for yet another one of your accounts.

Remember: do not go past the fourth character from the beginning. The next combination can be &UnW3StD1W3F4$5326. And just like that, you can have many, many different passwords without having to remember much about them.

Some organizations do not allow passwords longer than eight characters. For those places, I recommend that you always start and end your password with a special marker: &UnW3St&.
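The recipe above, carried through step by step in Python as an added worked example (this is not the author's code). The phrase, Leet map, markers, digits and the eight-character variant are the post's own; the alternating Upper/lower case pattern is an assumption read off the post's example UnW3StD1W3F4.

```python
# Added example, not from the original post: the passphrase recipe above, step by step.
# Phrase, Leet map, markers and digits are the post's own; the alternating
# Upper/lower case pattern is an assumption read off its example "UnW3StD1W3F4".

LEET = {"A": "4", "E": "3", "I": "1", "O": "0", "L": "7"}  # the post's substitutions
MARKERS = "!@$&"                                            # the post's allowed markers

def baseline(phrase: str) -> str:
    """Step 1: first two characters of every word, upper-cased (-> 'UNWESTDIWEFA')."""
    return "".join(word[:2].upper() for word in phrase.split())

def leetify(base: str) -> str:
    """Step 2: Leet-substitute A/E/I/O/L; other letters alternate Upper, lower (-> 'UnW3StD1W3F4')."""
    return "".join(LEET.get(ch, ch if i % 2 == 0 else ch.lower()) for i, ch in enumerate(base))

def build_password(phrase: str, front: str = "!", front_pos: int = 1,
                   tail: str = "$", tail_pos: int = 1, numbers: str = "5326") -> str:
    """Steps 3-4: one marker near each end of the core, then the favourite numbers.

    front_pos / tail_pos are 1-based and count from their own end (front_pos=2
    makes the front marker the second character: U!nW3...); the post caps both at 4.
    """
    if front not in MARKERS or tail not in MARKERS:
        raise ValueError("markers must be one of ! @ $ &")
    if not (1 <= front_pos <= 4 and 1 <= tail_pos <= 4):
        raise ValueError("markers must not pass the fourth character from either end")
    core = leetify(baseline(phrase))
    core = core[:front_pos - 1] + front + core[front_pos - 1:]
    cut = len(core) - (tail_pos - 1)  # tail_pos=1 -> tail marker is the last core character
    core = core[:cut] + tail + core[cut:]
    return core + numbers

def short_password(phrase: str, marker: str = "&", max_len: int = 8) -> str:
    """Eight-character variant: marker, start of the core, marker (-> '&UnW3St&')."""
    return marker + leetify(baseline(phrase))[:max_len - 2] + marker

if __name__ == "__main__":
    phrase = "United We Stand Divided We Fall"
    print("email         ", build_password(phrase))                 # !UnW3StD1W3F4$5326
    print("social media 1", build_password(phrase, front_pos=2))    # U!nW3StD1W3F4$5326
    print("social media 2", build_password(phrase, front_pos=4))    # UnW!3StD1W3F4$5326
    print("next account  ", build_password(phrase, front="&"))      # &UnW3StD1W3F4$5326
    print("8-char site   ", short_password(phrase))                 # &UnW3St&
```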

How do you store these passwords in your notes and keep them safe?

Do not write the actual password, but a hint. So for this password example, I would write:

  • LinkedIn: !America$#
  • Social Media 1: ! in second America$#
  • Social Media 2: ! in fourth America$#
  • Bank: $America$#

Only you know what the reference to America means, and only you know what number combination you have chosen. Do not use your date of birth, marriage, etc. Maybe you want to use the date of your first kiss, unless you have plastered that date all over social media platforms.

Do I need to change the passwords every month or every three months?

NO!! Many cyber geeks have written about the recklessness of asking the public to change their passwords every three months. According to Mandiant/FireEye, it takes organizations in private and public sectors alike an average of 265 days to realize they have been compromised. Thus, when you have your employees change passwords every three months or whatever the routine is, two things happen:

1. If you already have intruders in your servers, you let them see the new collection of passwords

2. Employees become lazy and do not construct long, secure passwords, but instead create the type we see whenever a system gets breached: password123, padres123, etc.

I am aware that most government organizations ask that passwords be changed every three months. If this is your situation, you can create a secure password and only change the numbers at the end. When the system tells you that the password is too similar, write it backwards. This is a practical way of complying with the regulations while at the same time giving the Italian salute to the ridiculous and insecure system.

When should I change my passwords?

When a particular organization is compromised, if you have not recycled the password, you only need to change it for that particular organization. The change can be very subtle like moving the special characters to the right or the left so you do not have to recreate another phrase.

Some of my customers like to use a phrase for all financial accounts and a different phrase for the rest of their accounts.

For non-important websites that require passwords but where you do not have your credit card or other form of payment information stored, you can use the Blur service to store them securely.

Do not procrastinate. Start changing all your unsecured passwords today!

Cecilia Anastos holds a Master’s Degree in Strategic Intelligence w/sp in Middle East Issues, a Graduate Certificate in Cybercrime, and a B.A. in Criminal Justice w/sp in Psychology. In 2005, Ms. Anastos founded Meta Enterprises, LLC, where she works as Chief Intel Analyst – OSINT, Cybercrime and Instructor. Fluent in five languages, she is a pioneer in the utilization of digitized open source and publicly available information to create actionable intelligence, and in the reduction of digital signatures in the cyberspace domain. Ms. Anastos is a Professor at both San Diego State and Michigan State Universities. She is also a painter at Art Meta Gallery. Connect with Cecilia on Twitter @Meta_Int3l.