In the fairy tale of “Ali Baba and the Forty Thieves,” Kasim, the elder brother of Ali Baba, died in the secret cave.
Kasim goes to the cave, taking a donkey with him to take as much treasure as possible. He enters the cave with the magic words. However, in his greed and excitement over the treasure, he forgets the words to get out again and ends up trapped. The thieves find him there and kill him.
People think that Kasim died because of his greed. But as I see it, this story could have had a happy ending if he had known one thing, one thing that we often forget and get frustrated about.
Kasim forgot the password when he wanted to leave the cave with treasure in his hands. No one in real life would forget a passphrase like this, but we are no better than Kasim in many respects.
Password rules are always the first thing in my awareness training for customers. It is the rule most relevant to every employee, whatever their level or unit. This time, let me share it with all of you so that more people know about it.
To build an easy-to-remember and adequately secure password, let’s start with the counterexamples. According to SplashData, the most common passwords are:
Other common passwords include:
If you use one of the above, you should consider changing it right after reading my password rules. Before that, it is better to understand what kind of password is more susceptible to cracking.
Hackers use password-cracking software with a giant password database to try passwords. As the examples above show, a single word or a string of digits is a poor choice, because those and all their variants are already in the hackers’ “password table.” The simple rule is not to use them, as they can be cracked within minutes.
Most websites with a login enforce a password policy that forces the user to create a password with a certain level of complexity, such as requiring special characters, upper- and lower-case letters, and digits.
All these rules try to increase the complexity of a password. Therefore, I would suggest you satisfy them in all your passwords, so that you do not need to retype a password repeatedly when creating an account.
This is from a study in 2015:
“the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity].”
FBI Tech follows the same recommendation. They pointed out, “Instead of using a short, complex password that is hard to remember, consider using a longer passphrase,” a recommendation that originally comes from NIST Special Publication 800-63B.
Longer passwords, even simple words or constructs, are better than short passwords with special characters.
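To see why length dwarfs alphabet size, the arithmetic behind the 2015 quote can be carried through in a few functions. The following is an added example written for this article, not code from the original post; the character-class sizes (26 lower, 26 upper, 10 digits, 33 symbols), the 95-symbol printable set and the guess rate of 10 billion guesses per second are assumptions chosen for illustration.

```python
import math
import string

# Assumed character classes of printable ASCII, as a composition policy counts them.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def password_bits(length: int, n_symbols: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `n_symbols`."""
    return length * math.log2(n_symbols)


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    chars = set(password)
    return sum(size for members, size in CLASS_SIZES.values() if chars & members)


def estimate_bits(password: str) -> float:
    """Naive upper bound: assumes every character was chosen at random.
    A dictionary word like 'password' is worth far less than this number."""
    return password_bits(len(password), alphabet_size(password))


def seconds_to_exhaust(length: int, n_symbols: int, guesses_per_second: float) -> float:
    """Time to try every password of this shape at an assumed guess rate."""
    return n_symbols ** length / guesses_per_second


def lowercase_chars_equivalent(length: int, small: int = 26, large: int = 95) -> float:
    """How many extra lowercase characters buy the same gain as widening the
    alphabet from `small` to `large` symbols while keeping `length` fixed."""
    gain_from_alphabet = length * math.log2(large / small)
    return gain_from_alphabet / math.log2(small)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for an offline attack on a fast hash
    for length, n in ((8, 95), (8, 26), (12, 26), (16, 26)):
        bits = password_bits(length, n)
        days = seconds_to_exhaust(length, n, rate) / 86400
        print(f"{length:2d} chars from {n:2d} symbols: {bits:5.1f} bits, {days:12.1f} days")
    print("widening an 8-char lowercase alphabet to 95 symbols ~= adding",
          f"{lowercase_chars_equivalent(8):.1f} lowercase chars")
```

Running it shows that eight characters from the full 95-symbol set give about 52.6 bits, while twelve lowercase letters already exceed that and sixteen reach about 75 bits; at fixed length, widening the alphabet is worth only about 0.4 extra lowercase characters per character of length.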
The following is my step-by-step guide on how to generate an “Open Sesame 2.0”.
Computer systems use a seed to generate random numbers. What is a “seed” for you? It is the starting point for creating all your passwords. You can use your company email with some transformation, or make one from your name.
There is only one requirement for this rule — keep it secret.
The seed should be related to you, so that it is easy to remember, but at the same time complex enough to resist guessing. It can be your name or the name of your favorite TV character, e.g., MrRobot.
If, like me, you are a fan of the TV show Mr. Robot, you have probably noticed this in each episode’s official title.
Hackers normally communicate in forums using this kind of letter transformation to bypass detection or keyword-blocking techniques.
However, such transformations are less effective once AI is introduced into the scenario. Still, they are useful for creating a complex password that is easy to remember but hard to guess.
You can use your 0wn [email protected], but the rule is t0 k3ep 1t consistent. Using this rule, you can fulfill most of the complex password policies.
Computers are part of life: for work or leisure, we use many different systems and websites, all of which require us to log in.
It is frustrating to click the forgot-password button every time you go back to a website you seldom use, or simply because you are forgetful. It is also a bad idea to use a SINGLE PASSWORD for all your accounts (please do not do that; if you do, change it now!).
The second rule that helps you to remember is to include the URL in your password. Yes, you read it correctly. I am asking you to consider including the website’s URL in your password.
Some companies require users to change their passwords every 30 days or so. It is good practice and part of some security standards. It is a challenge, though, if the user cannot remember what they typed. In that case, I suggest you consider adding the date of the change to your new password, e.g., 20201201 for 17th December 2020.
So now you know how to transform letters into complex password elements. It is also easier to have the URL or date in your password to help you remember where and when you type it. The rule uses a “seed” and combines it with a variable related to when or where your account belongs.
Seed + URL (+date) = Strong but easy to remember
Consider the following walk-through example:
Let’s say Mr. Robot wants to join Netflix. When creating an account, he can first transform his name “MrRobot” into “MrR0bo4” (used as the seed) and “Netflix” into “N3tf1ix” (the variable). As a result, a good password option could be:
Can you follow it? If he also wants to join amazon.com, then the possible password combinations could be:
The key is keeping the seed but changing the remaining part. Remember NOT to tell anyone what remains unchanged. The seed is the ultimate secret: it must not be written down or told to anyone.
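The walk-through above (seed + transformed site, optionally + date) and the claim that the transformation satisfies typical complexity policies can be exercised in code. This is an added example for this article, not the author’s own tool: the letter map, the “@” separator between seed and site, and the policy rules (minimum 12 characters, one of each class) are assumptions; the article’s own hand-made substitutions (MrRobot → MrR0bo4, Netflix → N3tf1ix) are not reproduced exactly by the map.

```python
import re
from datetime import date
from typing import List, Optional

# Hypothetical letter-to-symbol map; the article applies substitutions by hand.
LEET_MAP = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"})


def transform(word: str) -> str:
    """Apply the substitution map consistently, as the article recommends."""
    return word.translate(LEET_MAP)


def build_password(seed: str, site: str, changed_on: Optional[date] = None) -> str:
    """Seed (already secret, already transformed) + transformed site (+ YYYYMMDD date)."""
    parts = [seed, "@", transform(site)]
    if changed_on is not None:
        parts.append(changed_on.strftime("%Y%m%d"))
    return "".join(parts)


# Composition rules of the kind described in the article, in a fixed order.
RULES = [
    ("lower", re.compile(r"[a-z]")),
    ("upper", re.compile(r"[A-Z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
]
MIN_LENGTH = 12  # assumed policy minimum


def policy_failures(password: str) -> List[str]:
    """Names of the composition rules the password does not meet (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    for name, pattern in RULES:
        if not pattern.search(password):
            failures.append(name)
    return failures


if __name__ == "__main__":
    seed = "MrR0bo4"  # the article's example seed
    for site, when in (("netflix.com", None), ("amazon.com", date(2020, 12, 1))):
        pw = build_password(seed, site, when)
        print(f"{site:12s} -> {pw:28s} failures: {policy_failures(pw) or 'none'}")
    print("password     -> failures:", policy_failures("password"))
```

The policy check confirms that the composed passwords satisfy every composition rule while a plain dictionary word fails four of them. Note what the check does not measure: the site part is derivable from the site name and the date part from the change date, so, exactly as the article says, the strength of every password built this way rests on the seed staying secret.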
The test result of password “[email protected]@zon.c0m” | screenshots by the author
With a little practice, you can use this approach anywhere. But before you start changing passwords on different websites, you can test your password strength using the following portal:
First things first: you should know by now that hackers in real life are not like those in most movies or TV shows (except Mr. Robot). Hackers avoid penetrating a system with complex malware or tools, because that is the most labor-intensive and least cost-effective route.
Instead, they often get in by compromising the weakest link — people. Therefore, as a security professional at work, one of my biggest concerns is password security.
One thing that differs between the digital world and the physical world is the concept of theft. If your wallet is stolen in the physical world, you know it when you put your hand in your pocket, because it is not there, right?
But in the digital world, what is stolen is still there. Therefore, a good starting point is to learn how to check whether your identity has been stolen — or pwned.
Let’s talk about what “pwned” means. According to Merriam-Webster:
Pwn is a lot like own, then, in the sense of 1b, “to have power or mastery over (someone).” (This is, of course, no coincidence. The word likely has its origin in a mistyping of own, what with the p and o being so close to one another on the QWERTY keyboard and all.)
From a security point of view, being pwned means someone has gained unauthorized access to your account. In most cases, it means something was stolen, whether your credentials or those of someone who has access to yours.
Yes, some good guys try to help. One of them is Troy Hunt, the creator of HIBP.
#1 Have I been pwned (https://haveibeenpwned.com/)
Screen capture of HIBP | copyright by the author
Have I been pwned — HIBP is a free, public website for checking whether your email account has been a victim of a recent hack or was compromised recently. It is also the website most often recommended to the general public.
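Besides the email lookup, HIBP also publishes a Pwned Passwords range API that lets you check a password against known breaches without ever sending the password: the client hashes it with SHA-1 and transmits only the first five hex characters of the hash, then looks for the rest locally in the list of suffixes the service returns (k-anonymity). The following is an added example written for this article, not the project’s own client code; the URL format and the `SUFFIX:COUNT` response layout are assumptions about the service, and the sample response is constructed offline (the SHA-1 of “password” is real, the counts and other suffixes are made up).

```python
import hashlib
from typing import Callable, Dict

# Assumed range endpoint of the HIBP Pwned Passwords k-anonymity API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the hash the Pwned Passwords list is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines returned for one 5-character prefix."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breaches, or 0 if unseen.
    Only the 5-char prefix leaves this machine; the suffix match is local."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Network fetch of one range (not used by the offline demo below)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline sample: SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so its prefix is 5BAA6 and its suffix is the second line. Counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
             "A1B2C3D4E5F60718293A4B5C6D7E8F90123:3\r\n",
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for live_fetch_range that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "constructed-unique-example-Zq9"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch_range)} times")
```

To check a real password, pass `live_fetch_range` instead of `offline_fetch_range`; a non-zero count means the password is already in attackers’ tables and should not be used anywhere.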
A password is the first line of many security measures. If you use a simple password, then everything that follows becomes useless, no matter how advanced the tools are.
While making a complex password is challenging for some people, I hope that by sharing my Zen password rules, you get some ideas about generating a good password that is easy to remember. And please feel free to check the status of your current accounts on HIBP.
In summary, here are my Zen password rules:
PLM — Password Length Matters
How to generate a good password?
Thank you for reading — happy reading, and good luck strengthening your account security.