Passwords are your first line of defense against unauthorized access to your personal and financial information. Weak passwords are easy targets for cybercriminals, who can use automated tools to guess them in seconds. In contrast, strong passwords significantly reduce the risk of your accounts being compromised.
Creating Strong Passwords
- Length Over Complexity:
  - Length: Aim for passwords that are at least 12 characters long, though longer is better. The National Institute of Standards and Technology (NIST) guidelines emphasize that the length of a password is more critical than its complexity.
  - Passphrases: Consider using a passphrase—a long phrase or sentence that is easy to remember but difficult for others to guess. For instance, “tegacayisanawesomeplacetolive” is easier to remember and more secure than “T3g@c@y”.
  - Uniqueness: Use different passwords or passphrases for each of your accounts to ensure that if one account is compromised, the others remain secure.
- Avoiding Complexity for Complexity’s Sake:
  - The NIST guidelines, outlined in NIST Special Publication 800-63B, are considered the gold standard for password security due to their thorough research and applicability. While required for federal agencies, they are also widely adopted in the private sector for their credibility and effectiveness. NIST guidelines suggest that requiring complex combinations of uppercase, lowercase, numbers, and symbols can be counterproductive. Users often follow predictable patterns, like capitalizing the first letter or adding a “1” or “!” at the end, which hackers can exploit.
Key NIST Recommendations:
- Focus on Length, Not Complexity: Encourage users to create longer passwords rather than forcing complexity, which can lead to predictable patterns.
- Remove Complexity Requirements: Avoid mandating special characters, symbols, or uppercase letters, as these can lead to insecure practices like password reuse.
- Test Your Password Strength:
  - You can use a website such as passwordmonster.com to test the strength of your password. Entering tegacayisanawesomeplacetolive, the site rates it as very strong and estimates it would take 41 million years to crack. Needless to say, that password is not getting broken.
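To show why the NIST advice above matters in practice, here is an added example (not from the column or from NIST) that puts a traditional composition-rule checker beside a NIST SP 800-63B style checker. The legacy policy (assumed here: at least 6 characters and all four character classes) happily accepts “T3g@c@y” and rejects the passphrase; the NIST-style policy does the reverse, using a length floor, a generous length ceiling, and a constructed stand-in for a breached-password blocklist instead of composition rules.

```python
import re
from typing import List

# Constructed stand-in for a breached / common-password blocklist. A real
# deployment would screen against a large compromised-credential corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

def legacy_complexity_check(pw: str) -> List[str]:
    """Old-style policy: 6+ chars and upper, lower, digit and symbol all present.
    Returns a list of violations (empty list means the password is accepted)."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    classes = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
               ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]"))
    for name, pattern in classes:
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    return problems

def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefghijkl' where each char is the previous one + 1."""
    return len(s) >= 2 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))

def nist_style_check(pw: str, username: str = "") -> List[str]:
    """NIST SP 800-63B style policy: length over complexity, plus a blocklist.
    No composition rules at all; spaces and any printable characters are fine."""
    problems = []
    if len(pw) < 12:            # the column's recommended floor (NIST's minimum is 8)
        problems.append("shorter than 12 characters")
    if len(pw) > 128:           # NIST requires accepting at least 64; allow long passphrases
        problems.append("longer than 128 characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in breached/common password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1+", pw):          # e.g. 'aaaaaaaaaaaa'
        problems.append("single repeated character")
    if _is_sequential(pw):
        problems.append("sequential characters")
    return problems

if __name__ == "__main__":
    for candidate in ("T3g@c@y", "tegacayisanawesomeplacetolive"):
        print(candidate, "| legacy:", legacy_complexity_check(candidate) or "accepted",
              "| NIST-style:", nist_style_check(candidate) or "accepted")
```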
Using Password Managers
A password manager is a software application that securely stores all your passwords in an encrypted database. With a password manager, you only need to remember one master password to access all your other passwords. This makes it easier to create and use strong, unique passwords for each account.
Benefits of Using a Password Manager:
- Convenience: Auto-fills your passwords across all your devices.
- Security: Encrypts your passwords to protect them from unauthorized access.
- Password Generation: Creates strong, unique passwords for you.
- Password Strength Assessment: Evaluates the strength of your existing passwords.
Popular Password Managers:
Additional Security Tips
- Enable Two-Factor Authentication (2FA): Adds an extra layer of security by requiring a code from your phone in addition to your password to log in to your accounts. Read Dr. Tom’s previous article on 2FA.
- Be Wary of Phishing Scams: Avoid clicking on links or opening attachments in emails from unknown senders.
By following these updated guidelines and utilizing password managers, you can significantly enhance the security of your online accounts. Strong, unique passwords and the additional security measures outlined above will help protect you from identity theft and other cybercrimes.
Feeling lost in the digital world? Dr. Tom is here to help!
Join Dr. Tom every week in his column, Dr. Tom’s Cyber Bits and Tips, for byte-sized advice on all things cyber and tech. Whether you’re concerned about online safety, curious about the latest cybercrime trends, or simply want to navigate the ever-evolving digital landscape, Dr. Tom has you covered.
From practical cybersecurity tips to insightful breakdowns of current threats, Dr. Tom’s column empowers you to stay informed and protect yourself online. So, dive in and get savvy with the web – with Dr. Tom as your guide!
About Dr. Tom
Thomas Hyslip currently serves as an Assistant Professor of Instruction in the Department of Criminology, University of South Florida teaching exclusively in the online Master of Science in Cybercrime program. The program is a unique blend of criminology, digital forensics, cybercrime investigations, and incident response course work.
Prior to USF, Dr. Hyslip worked as a Special Agent with the Defense Criminal Investigative Service (DCIS) and United States Secret Service for 23 years. While assigned to the DCIS Southeast Field Office, Dr. Hyslip led an undercover operation dedicated to targeting and dismantling the most egregious cyber-criminal enterprises. Dr. Hyslip worked with the National Security Agency, and the United States Cyber Command to identify and infiltrate cyber-criminal organizations targeting the DoD.
In 2012, Dr. Hyslip was promoted to lead the newly created Department of Defense, Defense Criminal Investigative Service (DCIS), Cyber Resident Agency. He led daily procedural and operational activities of special agents in eight locations across the eastern United States responding to computer intrusions within the DoD and the Defense Industrial Base. His office also provided computer forensic support to all DCIS offices and investigations within the Eastern United States, Europe, Africa and Southwest Asia. During this time, Dr. Hyslip worked proactively to target international Cyber-Crime groups and worked undercover to penetrate underground cyber-crime organizations which resulted in the dismantlement of the WebStresser DDoS platform in 2018; the ExoStresser DDoS platform in 2019; and the PowerStresser DDoS platform in 2020.
Dr. Hyslip is also a retired U.S. Army Colonel. His last assignment was as a Historian with the U.S. Army Center of Military History. He was previously assigned to the Office of the Surgeon General as an Environmental Engineer, and as an Assistant Professor of Preventive Medicine at the F. Edward Hébert School of Medicine, Uniformed Services University of the Health Sciences. COL Hyslip has a mix of active duty and reserve assignments spanning over 27 years including assignments with the US African Command, Office of Inspector General, the Department of Defense, Office of Inspector General, and the US Army Reserve Information Operations Command. In 2005, COL Hyslip deployed to Iraq with the 306th Military Police Battalion and earned a Bronze Star, Purple Heart, and Combat Action Badge.
Dr. Hyslip earned his Doctor of Science degree in Information Assurance from Capitol College, Master of Science degree in Technology Systems from East Carolina University, and his Bachelor of Science degree in Mechanical Engineering from Clarkson University. Tom and his wife Susan live in Tega Cay, SC with their daughter Reagan.