And The Password Is (Part 2)...

Duane Cary, Senior Trainer, LexisNexis:

In my last blog post, I had discussed some best practices when creating and using a password. But are there different types of passwords you can use? Let’s take a look…

Strong Passwords

This is the type of password most, if not all, of you are familiar with. Nearly all sites and work-related passwords are required to be strong. The consensus among experts is that a strong password requires four things:

  • A minimum length of 8 characters
  • The password needs to include an uppercase and a lowercase character
  • It should include at least one number
  • It should include at least one special character

Based on those criteria, this would be a strong password: Applecore#1. But how strong is it actually? How long would it take a hacker to break this password?

Password strength checker (Warning: never use one of your actual passwords on this or any other site. This is for educational purposes only!)

Use the linked website to get an idea of how long it would take someone to crack your password. Try entering a password that is close to what you use to get an idea about how long it would take to break your password. And go ahead and try my test password: Applecore#1.

At the time of this writing, it would take the average home computer only 3 months to brute force this password. A “brute force attack” is a time-tested approach to hacking a user’s password: the hacker uses a trial-and-error procedure, running software that keeps trying password combinations until it guesses correctly and gains access to your account. Many of the passwords tried by a brute force attack are passwords that have been hacked by others in the past and shared on hacking sites; these previously hacked passwords are then used to update the database of passwords the brute force software tries. So, if you use any of the passwords from my last blog, you would probably be hacked within seconds.

One way to help protect accounts is to change your password every 30-90 days. At Lexis, I must change my password every 90 days. And to make things more difficult for someone to access my system, I can’t use a password that I have previously used in my last 5 password changes. Hopefully, your firm has the same policy. If you are an employer, this policy is a great way to help secure your office.


Some other options to protect passwords are:

  • Two-factor authentication (also known as 2FA):

This method requires someone to enter a second item, in addition to their password, in order to authenticate. For example, they may need to enter a PIN or another password.

  • Biometrics:

More than likely, you have this feature on your phone or newer laptop. It requires your fingerprint in order to access your device. Other devices may require a retinal scan, or even use voice recognition.

  • Tokens:

You may need a physical device to access your network. I used to have a key fob that generated a number every 30 seconds that I needed to enter on my PC to access the system.

  • One-time passwords (also known as OTP):

This is a password that is generated automatically and authenticates a single user for a single session. The password changes every time it is needed, and OTPs are generally used in conjunction with security tokens.


Password Pattern

There is another method of creating passwords that I have found makes them easier to remember while still fitting the strong password criteria. It is called a password pattern. A password pattern takes two or more different, unrelated words and then adds some numbers and a special character to fit the strong password profile. Here is an example: Justice1969cabinet! It meets the criteria of a strong password, and based on the password strength checker, it would take 4 centuries to crack. By that time, I won’t care that someone cracked it; fair play to them! You can even go a step further. Here is a three-word pattern: Justice1969cabinethorse! Now I am up to 10000+ centuries to crack. It is also easy to remember, so I don’t have to use something like Geny431sys@1 to defeat hackers. Though, honestly, that password would take them 327 centuries to crack! It would probably take me only a day to forget it if I don’t write it down, so I will stick with password patterns.
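To make the crack-time reasoning from the strong-password section and the password-pattern comparison above concrete, here is an added Python example (my own, not code from the post or from the linked checker). It applies the four strength rules, checks a small constructed list standing in for previously breached passwords, and estimates exhaustive-search time from the character classes used; the guess rate of 1e10 per second is an assumption, so the resulting years will not match the checker's figures, but the relative jump from an 11-character password to a 19-character pattern is what the post is describing.

```python
import math
import string

# The four strong-password rules stated in the post.
def is_strong(pw: str) -> bool:
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def alphabet_size(pw: str) -> int:
    """Size of the character set an attacker must cover, given the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size

def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password by exhaustive search (half the keyspace on average).
    The default rate is an ASSUMED figure for one GPU against a fast hash, not a measurement."""
    keyspace = alphabet_size(pw) ** len(pw)
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

# Constructed stand-in for a breached-password list; real attacks try these first.
BREACHED = {"password", "123456", "qwerty", "letmein"}

def assess(pw: str) -> dict:
    """Strength verdict, breach-list hit, entropy in bits, and estimated brute-force years."""
    return {
        "strong": is_strong(pw),
        "breached": pw in BREACHED,
        "bits": round(len(pw) * math.log2(alphabet_size(pw)), 1),
        "years": brute_force_years(pw),
    }

if __name__ == "__main__":
    for pw in ["password", "Applecore#1", "Geny431sys@1", "Justice1969cabinet!"]:
        print(pw, assess(pw))
```

Adding a word to the pattern multiplies the keyspace by roughly the alphabet size per extra character, which is why length dominates the estimate far more than adding one more symbol class.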

When it comes to passwords, try thinking outside the box and don’t get stuck using the same old passwords everyone else uses. I urge you to try a password pattern to see if that helps you remember more complex passwords that would make it harder for someone to hack into your account. Next time, I will look at another way to track passwords: password managers. And if you want to test some other passwords, try the ones at the top of the blog to see how long they would take to crack!