‘Strong’ passwords a key to protection in a digital world

Friday, October 13, 2017

It is one of the oldest areas of concern in the digital age: creating passwords that the user can remember and yet are as secure as possible.

“It doesn’t matter if you live in the most urban of cities or deep in the heart of rural America, recent news of companies whose databases of stored passwords have been compromised reminds us that no password is unimportant,” said Cynthia Hobbs, computer specialist with Oklahoma State University’s Division of Agricultural Sciences and Natural Resources.

Oh, most people get it, in theory. After all, billions of people shop, read email, scan social media, review credit card transactions and check bank accounts through websites and smartphone apps. Through it all, users are encouraged to create as secure a password as possible.

But what exactly constitutes the industry recommended level of security? According to Google, “strong” passwords contain a mix of letters, numbers and symbols.

“An eight-character password with numbers, symbols and mixed-case letters is harder to guess because it has 30,000 times as many possible combinations than an eight-character password with only lower case letters,” Hobbs said.

Great advice, but it has also led to user annoyance, often issued against oneself for failing to remember each unique “strong” password.

“If you create a password from a mix of random characters, you may find yourself having to write them down to ensure you don’t forget it,” Hobbs said. “What happens if somebody stumbles across your reminder note to yourself?”

Instead, Hobbs believes users should heed advice from StaySafeOnline, a resource site from the National Cyber Security Alliance. StaySafeOnline recommends a user to “focus on sentences or phrases that you like to think about and are easy to remember.”

Hobbs said some people like to use lyrics of favorite songs instead of random characters. For example, if using the OSU Alma Mater, one might choose the first letter of the opening lyrics “Proud And Immortal Bright Shines Your Name.” One can then strengthen the password further by including both capitalized and lower-case letters, numbers and perhaps even a symbol if allowed.

“PalbsyN2017 is a strong password and yet easier to remember than just randomly assigned characters, in part because it has a connection to you but is not one anyone trying to illegally access your account is likely to consider,” Hobbs said. “Keep in mind, when adding a number to your password it is best to avoid using a number obviously associated with you such as an anniversary or birthday.”

Another recommended practice for securing one’s accounts and passwords is to enable two-factor authentication, which adds a layer to your login process. Many sites, such as Google, Apple and credit card companies, now use this feature either as an option or as a mandatory practice.

“For example, if I log into my Gmail account from a new device, I receive a text message with a code I must enter before I can access my email,” Hobbs said.

What about high-powered hackers who use computers to decrypt passwords as opposed to the “guess and type” method? To compromise a password, hackers use a variety of tools: dictionary words, other compromised passwords by the same user on other accounts and information gathered on the user from social media sites and online forums.

“Often, hackers will use brute force methods to compromise an account's password,” Hobbs said. “These methods use software and fast computers to attempt access to your account. Even with a fast computer, intelligent software and a fast internet connection, you can make their process incredibly time consuming with mixing both upper- and lower-case letters with a special character.”

For example, research indicates an eight-character password made of only lower case letters would take 2.4 days to process but using six lower case letters, one upper case letter and an asterisk, it would take 2.1 centuries to process.

In short, while following the practices listed above is not a guarantee against personal information being compromised it will make things more difficult for cyber criminals.

“It is important you do what you can reasonably do as your online security should always be a priority,” Hobbs said. “It is far easier to protect yourself now than after your data has been compromised.”

October is National Cyber Security Awareness Month.

DASNR is comprised of the OSU College of Agricultural Sciences and Natural Resources and two state agencies: the Oklahoma Agricultural Experiment Station system and the Oklahoma Cooperative Extension Service.