Monday, October 29, 2018

When it Comes to Passwords, Complexity is Key

Every time you open a new account or are forced to change your password, you’ve probably been prompted to make sure that your password is a strong one. These days strong is not enough. A complex password is what you need.

Attackers have easy access to programs that can attempt to “brute force” guess your password. If passwords are not complex enough, this can take seconds. You have undoubtedly heard that your password should contain at least one uppercase letter and number and be at least eight characters long. That is OIT’s standard for our state workforce, but this may not be enough. Special Agent Scott Augenbaum (Ret.) of the FBI’s Cyber Crime unit devised an easy way to make sure that you have complex passwords.

A helpful practice is to use a sequence that makes sense to you for your passwords:

  • You pick one number and one special character (like *2).
  • Then you use that combination at the front and end of your password: *2xxx*2.
  • You can use a sentence that describes the account you use, but only using the first letter of each word.

This way, you can create complex passwords, and all you need to remember is your number and special character and a simple phrase. Here are a couple of examples of how it would work.

For an Amazon account, you could use ‘Love to shop at Amazon’ as the phrase + your number/special character combination, so the password would be *2Lts@A*2. If someone were to see this written down, it would not make much sense.

For Bank of America, you could use ‘This is my Bank of America account’ *2TimboaA*2 or ‘Love to bank at Bank of America’: *2Ltb@boA*2

Note: some sites or apps like Bank of America will only accept certain special characters. If they do not accept your default of * for this example, make sure to note that you have used a different one for that site.

This method will also ensure that you are not using the same password for multiple accounts. As you know, this is dangerous because if an attacker can find your one password, she or he could have access to more than one of your accounts.
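As an added illustration (not part of the original post and not an OIT tool), this Python sketch checks passwords built with the method against the minimum standard quoted above, against a site's accepted special characters, and for reuse across accounts. The `SITE_ALLOWED_SPECIALS` table and the account names are constructed assumptions.

```python
import string

# Constructed assumption: special characters each site accepts (None = any).
# Real sites publish their own rules; these values are illustrative only.
SITE_ALLOWED_SPECIALS = {"amazon": None, "bank": set("@#$!")}


def meets_standard(pw):
    """Minimum standard quoted in the post: 8+ chars, an uppercase letter, a number."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def rejected_specials(pw, site):
    """Return the special characters in pw that the site would not accept."""
    allowed = SITE_ALLOWED_SPECIALS.get(site)
    specials = {c for c in pw if c in string.punctuation}
    return set() if allowed is None else specials - allowed


def search_space(pw):
    """Size of an exhaustive search: (alphabet size) ** length, where the
    alphabet is the union of the character classes the password uses.
    This is a pure brute-force figure; it ignores guessable patterns."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return alphabet ** len(pw)


def reused(passwords):
    """Return passwords that appear under more than one account."""
    seen, dupes = set(), set()
    for pw in passwords.values():
        (dupes if pw in seen else seen).add(pw)
    return dupes


if __name__ == "__main__":
    # Passwords taken from the examples in the post.
    accounts = {"amazon": "*2Lts@A*2", "bank": "*2Ltb@boA*2"}
    for site, pw in accounts.items():
        print(site, meets_standard(pw), rejected_specials(pw, site),
              f"{search_space(pw):.2e}")
    print("reused:", reused(accounts))
```

With the constructed site table, the bank entry reports `*` as rejected, which is the case the note above describes: pick a different special character for that site and record that you did.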

If this method isn’t for you, you can also use password creating/storing apps like LastPass or 1Password. The important thing to remember these days is that strong doesn’t necessarily mean secure; complex is the key for password security.

Today's blog comes from Chelsey Vance, OIT Risk and Compliance, Senior Risk Analyst.
