Tips on Making and Securing a Password

Jonathan Trull, Chief Information Security Officer


A password is a string of characters that people use to log on to computers or access files, programs, and web applications.  Passwords continue to be the primary mechanism for securing access to computers and files.  Because passwords are so integral to computer security, hackers routinely launch attacks to obtain them.  Once an attacker has your username and password, they can perform the same functions that you can but for more evil purposes – e.g., transferring money to an offshore account, sending phishing emails from your email account, and installing malware onto your computer to steal personal data or to launch attacks against other Internet users.

In order to protect your systems and information, you need to ensure that you create and use strong passwords.  Once created, it is then extremely important to keep those passwords safe.  Put simply, only you should know your passwords.

Hackers use two primary techniques for getting access to your passwords.  First, attackers perform what are known as brute force attacks.  In this type of attack, the hacker attempts to access your computer system by trying commonly used passwords, all words found in the dictionary, or other combinations of words, numbers, and special characters.  Although this sounds difficult, it is actually quite easy and can be done at astonishing speeds with modern computer processors.

The second method used by hackers to obtain your passwords is through some form of social engineering.  This often involves a spoofed email that appears to come from a legitimate company and includes a link redirecting you to a website controlled by the hacker that asks you to log in with your credentials.  These hacker-controlled websites often closely mirror the legitimate company’s website, and the email contains an “urgent” demand to act or consequences will result – e.g., late fees, lost opportunity, etc.  Hackers will also call victims and pretend to be customer support.  As part of the call, they will ask you for your username and password so that they can fix whatever it is they claim is impacting your computer.

Now, knowing the importance of your passwords and the techniques commonly used by attackers to obtain them, I want to leave you with these tips:

  • Create strong passwords.  A strong password is one that is difficult, if not impossible, to guess using current technology.  At a minimum, your passwords should be 12 to 14 characters long and include random combinations of letters, numbers, and special characters.
  • Passwords should be random and unique for each device or application.  Humans are notoriously bad at creating random combinations of letters, numbers, and special characters.  We often use fairly predictable patterns, whether on the keyboard or by combining information familiar to us, like our phone number combined with our date of birth.  Unfortunately, this information is oftentimes also available to hackers or easily guessable.  I suggest using a password manager to generate random, unique passwords for each computer and application that you access.  A password manager is software that randomly generates and manages these different passwords for you, and ensures that if one password is compromised, it will not impact all of the other accounts and devices you use.
  • Don’t Share Your Password with Anyone.  Never, under any circumstances, should you share your password with another person.  This includes IT support staff such as customer service, help desk staff, or even your boss.  Technical support staff do NOT require your password to perform their jobs, as they typically already have administrative access to your computer for troubleshooting purposes.  Why not share your password with your boss, you ask?  Unfortunately, I’ve seen managers use an employee’s password to circumvent accounting controls and steal millions of dollars.  Your password is for your knowledge only, end of story.
  • Don’t Trust Links in Emails.  Links in emails should never be trusted.  If you need to sign in to an external website, type the site’s address into your browser yourself rather than following the link.  If something seems suspicious, ask your company’s security team.
  • Be Cautious with Security Questions.  Although they are not passwords, security questions typically allow users to reset their passwords by answering one or a series of questions, for example, “What is your mother’s maiden name?”  Unfortunately, many of these security questions rely on information that is available to untrusted parties through public records, newspapers, or social media.  Attackers guessing the right answers to these security questions have compromised many accounts.  My suggestion is to use caution when answering these questions.  If the answer to the question is known by others, then I suggest providing a random response and storing that information in your password manager or in another secure location.
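To make the brute-force point and the strong-password tips above concrete, here is an added example (not code from the original article): it generates a password the way a password manager does, compares the guessing work for a truly random password against the “dictionary word plus digits” pattern a brute-force attack enumerates directly, and flags the weaknesses the article warns about. The wordlist `COMMON_WORDS` and the sample passwords are constructed for illustration.

```python
"""Password strength helpers illustrating the article's advice (added example)."""
import math
import secrets
import string

# Character classes the article says a strong password should mix.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # the article's stated minimum length

# Constructed, deliberately tiny stand-in for an attacker's wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}


def generate_secret(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Generate a random password (or a random security-question answer) using the
    operating system's CSPRNG, as a password manager does, not from human patterns."""
    if length < MIN_LENGTH:
        raise ValueError(f"article minimum is {MIN_LENGTH} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a truly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def dictionary_entropy_bits(wordlist_size: int, suffix_digits: int) -> float:
    """Guessing work for 'word + digits': the attacker only has to try
    wordlist_size * 10**suffix_digits candidates, however long the string looks."""
    return math.log2(wordlist_size * 10 ** suffix_digits)


def weaknesses(password: str) -> list:
    """Return the article's objections to a password; an empty list means none found."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than 12 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        issues.append("does not mix letters, numbers and special characters")
    # Strip a trailing digit/punctuation suffix and test the core against the wordlist.
    core = password.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        issues.append("dictionary word plus predictable suffix")
    return issues
```

Run `weaknesses("Summer2019!")` against `weaknesses(generate_secret())` to see the difference the article describes; note that even a 15-character “welcome12345678” is only about as hard to guess as the wordlist is long.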
