Back to Basics: Password Security

This week I want to take a few minutes to discuss something that generates more groans and eye-rolls than a bad pun. But first I mustache you a question. (See?) What is the primary line of defense against data leaks? The answer: Passwords.

Think about passwords like the keys on your key ring. Would you install a lock on your home, car, or safe with a generic key used by lots of other people? I hope not. Consider a password a key that you can design yourself. With a little forethought and planning, your passwords can be strong and protect your information or your company’s information, be easy to remember, and even help you learn new things. Here are some tips to make passwords less burdensome.

Protecting Really Important Information

Some things are so important that they need a unique and very strong password. Your email, online bank account, and investment accounts are probably the highest risk data you access online. Each of these should have a complex, unique password.  Here are my suggestions for creating a strong password.

  • Select a song, movie, or book, for example, “While My Guitar Gently Weeps”. Take the first letter of each word, and add some special characters and/or more information to the end: WmGGW1968!theBeatles
  • Use a pass phrase. The longer a password is, the better. If a password is long enough, it can include dictionary words without reducing the password strength: MyDogLovesTableScraps:)

Protecting Kind-of Important Information

Not all data is created equal, so not all passwords have to be created equal. For information that is less sensitive, I suggest using what I call a Consistent Dynamic Password (CDP). This password has two parts. The first part is a strong default password. The second part is applicable to the data it is securing.

The first half of the CDP (the Consistent part) is to create a strong default password with letters, numbers, a special character, no dictionary words, and at least 8 characters.  You can use the suggestions above to create the first half. Continuing with the Beatles example, let’s use “WmGGW1968!” as the default password.

The second half of the CDP (the Dynamic part) is to add a component applicable to the data being protected. For example, let’s say you’re creating a password for your online Wall Street Journal subscription. The information protected by the password is not all that sensitive, but you still don’t want to use a weak password.  So, add something to the end of the default password like WallSt.

Combine the two components of the CDP to make the strong, easy to remember password: WmGGW1968!WallSt.

There are a few benefits to using the CDP for less sensitive accounts. First, although the data is less sensitive, the password is strong but easy to remember.  Second, if the login credentials are compromised, they would not necessarily impact your other accounts because all of your passwords are different.

Using Passwords to Learn Something New

Because passwords must be changed so frequently, you can use them to drill new information into your brain: find something you want to learn and create a password using that information. For example, I wanted to learn the military alphabet, so for about 18 months, my passwords included some derivative of Alpha, Bravo, Charlie, Delta, Echo, etc. You could consider historical events (1776for@Mer!c*) or phone numbers (867-5309#forJenny). A word of caution: most password cracking tools and rainbow tables account for the substitution of numbers or special symbols for letters, so replacing A with @ and I with 1 does not help the cause.
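The caution about character substitution, shown as an added example that is not part of the original post: a signup-time check that undoes common substitutions before comparing a candidate password against a blocklist. The substitution table, the blocklist and the function names are constructed for illustration.

```python
from itertools import product

# Common symbol/digit stand-ins and the letters they usually replace.
# Constructed for this example; production checkers use larger tables.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "*": "a", "3": "e", "1": "il", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
}

# Tiny constructed blocklist standing in for a real dictionary or
# breached-password list.
BLOCKLIST = {"password", "america", "letmein", "welcome", "charlie"}


def normalized_variants(password, limit=256):
    """Return lowercase strings obtained by undoing each substitution.

    A stand-in such as "1" is ambiguous (i or l), so every combination is
    generated, capped at `limit` to bound the work on long inputs.
    """
    choices = []
    for ch in password.lower():
        # Decoded letters come first, then the literal character itself.
        choices.append(SUBSTITUTIONS.get(ch, "") + ch)
    variants = set()
    for combo in product(*choices):
        variants.add("".join(combo))
        if len(variants) >= limit:
            break
    return variants


def blocklisted_word(password):
    """Return the blocklisted word hidden in the password, or None."""
    for variant in normalized_variants(password):
        # Drop leftover digits and punctuation so padding such as
        # "1776for" or a trailing "!" does not hide the word.
        letters = "".join(c for c in variant if c.isalpha())
        for word in BLOCKLIST:
            if word in letters:
                return word
    return None


if __name__ == "__main__":
    for candidate in ("1776for@Mer!c*", "P@ssw0rd1", "MyDogLovesTableScraps:)"):
        print(candidate, "->", blocklisted_word(candidate))
```
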

As a final note, some folks use a password manager like Norton ID Safe or 1Password. They can be helpful and will probably keep your passwords safe. I neither endorse nor discourage the use of these tools.

Until all sensitive information has some form of multi-factor authentication, passwords are sticking around.  It’s best to accept this truism and make the best of it.  Your data will continue to be targeted and strong passwords will be the best first line of defense.

Bryan Newlin

Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.
