Lou Garcia

Making Strong and Unique Passwords Easy

Updated: May 10, 2021

Wait... Isn't that an Oxymoron?!

Let's be real... It's impossible to get [completely] away from passwords. We rely on too many services every day, and the one thing they have in common is that they require two things for access: 1) a username and 2) a corresponding password. If you and the service you are accessing are security conscious, then there is likely a third gateway control in use in the form of multi-factor authentication (MFA) or two-factor authentication (2FA) - however, let's leave that for another blog.


There are several factors that lead us to believe that creating strong passwords that are unique for each service is difficult and virtually impossible to manage. These include:

  • Multiple sites and services (e.g., email, banking, social media, work, devices, etc.)

  • Complexity requirements (e.g., lowercase, uppercase, number, special character)

  • Length requirements (e.g., at least 8 characters)

  • Can't use dictionary words

  • Can't reuse passwords

Having all these restrictions can make creating passwords frustrating! That's why people use easy to remember - yet easy to guess - passwords such as marriageyear+lastname, childsname+birthyear, schoolname+graduationyear, hobby+favoriteplace, etc. But think about it, are hints to your passwords sprinkled throughout your social media accounts or on sites that host public records? With millions of potential passwords already in circulation on the dark web, it's time to get more creative.


Key to Passwords: Length and Complexity

Experts agree that the key to strong passwords is length. The longer the password, the more difficult it is for password crackers to be successful. Adding complexity means adding more possible characters per position, which increases the number of possible combinations exponentially. The chart below - provided by Hive Systems - highlights the expected time it would take to crack a password based on length and complexity variables:

As you can see, even 8-character passwords meeting complexity requirements can be cracked in 8 hours - and consider that 8 characters is the standard minimum size for most applications and services! So, let's get to how you can lengthen and strengthen your passwords.


Using Passphrases

Passphrases v1.0

A passphrase is a sequence of words combined to form a phrase that can be easily remembered by the creator. For example, HomeOfficeProfessionalServicesIsHereToHelp is a passphrase that can be used as a password that would take well beyond several lifetimes to crack. While this would be a great password, it may not be practical for all places as some services limit the character count and require specific complexity requirements. To account for this, we can evolve passphrase complexity.


Passphrases v2.0

To meet password restrictions set by applications, services, and websites, let's modify our original passphrase by extracting the first character of each word and changing some of those letters into look-alike digits and special characters.


HomeOfficeProfessionalServicesIsHereToHelp

H0P$1h2h


Although we have now created a password from a passphrase that meets standard password length and complexity requirements, it can still be cracked in 8 hours. To fix this, we need to add some additional characters.


Secret Key Combos

Think of secret key combinations as a combination of characters that can be used by you and applied to all your passwords. This can be created by identifying your favorite number and symbol. For example, if your favorite number is 6 and your favorite character is #, your secret combo is 6#. This secret key combination can be applied as a prefix and reversed as a suffix to your password to extend length and complexity.


Secret Key Combo: 6#________#6

Passphrase v2.0: H0P$1h2h

6#H0P$1h2h#6


Now you have an easy to remember 12-character password that is expected to take thirty-four thousand years to crack! Although the idea of using passphrases is nothing new, the idea of creating and adding a secret key combination is a method that I first heard of in the book "The Secret to Cybersecurity" by Scott E. Augenbaum. If you have the chance to read it, I encourage you to, as Scott provides practical and real-world examples that can be absorbed and put into practice by anyone.
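The passphrase-to-password procedure and the secret key combo above, together with the length-versus-complexity arithmetic from the chart section, as an added Python example that is not from the post or from Hive Systems: it assumes a 94-character printable-ASCII alphabet and a guess rate of 10 billion per second (both assumptions, not the chart's figures), and leaves the look-alike substitution step (O to 0, S to $, ...) as the manual step the post describes.

```python
import string

# Character-class sizes a brute-force search must cover once a class appears.
# 32 is the number of ASCII punctuation characters (string.punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes

def keyspace(password):
    """Number of candidates of this length drawn from the classes it uses."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return alphabet ** len(password)

def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)

def meets_policy(password, min_length=8):
    """The post's policy: minimum length and all four character classes."""
    return len(password) >= min_length and len(char_classes(password)) == 4

def initials(passphrase):
    """Passphrase v2.0, step one: first letter of each CamelCase word."""
    return "".join(ch for ch in passphrase if ch.isupper())

def wrap_with_combo(core, combo):
    """Secret key combo: prefix as written, suffix reversed (6#...#6)."""
    return combo + core + combo[::-1]

if __name__ == "__main__":
    for pw in ("HomeOfficeProfessionalServicesIsHereToHelp", "H0P$1h2h",
               wrap_with_combo("H0P$1h2h", "6#")):
        print(f"{pw:45} len={len(pw):2} policy={meets_policy(pw)} "
              f"years={years_to_exhaust(pw):.3g}")
```

Adding the four-character combo multiplies the search space by 94 to the fourth power, which is why the 12-character version sits so much further right on the chart than the 8-character one.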


Additional Considerations

Although the method and examples above give you a simple way to create unique passwords that are highly resistant to cracking, there are still several other steps you should take to protect your digital identity. Below are some of them:

  • First of all, don't use any of the example passwords provided here or in any other publicized work! Chances are that they have already been collected for use.

  • Use MFA or 2FA for your critical services: if it is not available, switch to an equivalent service that does offer it.

  • Use a reputable password vault application: password vaults like LastPass can store a strong, unique password for every site and make signing in to each of them easy.

  • Don't use the same password for different services: compromise of one account can cascade to the compromise of others.

  • Don't enter credentials on untrusted devices: public workstations like those found in hotel lobbies can host software that will capture your credentials.



