Adobe, MySpace, LinkedIn, and many other large organizations have had major password breaches in the last few years: breaches in which attackers exfiltrated usernames, email addresses, passwords (usually as hashes that are then cracked offline), and in some cases plaintext password hints and other data from the company’s database. The initial response is always, "Log into that service and change your password before the hackers get in and take over that account!" The sad truth is that it’s rarely that account that matters. It’s every other account where you (or your users) reused the same email address and password, because attackers replay the leaked pairs against other services, a technique known as credential stuffing.

In the last few weeks, there have been several (https://techcrunch.com/2016/06/29/hacker-takes-over-oculus-ceos-twitter-...) high-profile (http://arstechnica.com/security/2016/06/mark-zuckerberg-twitter-pinteres...) attacks (http://fortune.com/2016/06/27/google-ceo-sundar-pichai/) in which the CEO of a large company had their Twitter account hijacked because they were using the same password for Twitter as on another service that had been compromised.
Most of these account takeovers could be prevented by using a unique, randomly generated password for every service. The problem? Our brains aren’t wired to remember random strings of characters. None of us want to lose access to our accounts, so we often choose ease of access over security.
It’s time to change your mindset. I want you to completely strike the word “password” from your memory and replace it with “passphrase.”
Remember learning "PEMDAS" in elementary school to recall the order of operations? (Please Excuse My Dear Aunt Sally). That is a mnemonic—a tool to help you remember complex information.
While "PEMDAS" itself is a terrible passphrase because it’s common knowledge, you can use the same logic to create a "monster" passphrase that even a high-powered cracking rig would struggle to break.
Example: The "Song Lyric" Method

Take a lyric from a song you love, such as the chorus of "Hot Rod Lincoln":

“My pappy said, 'Son, you’re gonna drive me to drinkin' if you don't stop driving that Hot Rod Lincoln'”

Take the first letter of each word, keep the punctuation, and apply a couple of personal substitutions (here "to" becomes 2 and "you" becomes U), and you get:

Mps,”Sy’gdm2d’iUd’sdtHRL”

That is a 25-character string containing uppercase, lowercase, numbers, and symbols. Its strength does not come from length alone, though. An attacker who suspects you used a first-letter mnemonic of a well-known lyric can generate candidates by running a lyric corpus through a small set of condensing rules, and password-cracking tools support exactly this kind of wordlist-plus-rules attack. The protection comes from the source text being obscure and from the personal quirks in how you condense it (the 2, the U, the capitals you chose for "hot rod Lincoln", the lowercase i for "If"), which an automated rule will not reproduce. And now that this string is published, it is on the attacker’s list too; build your own.
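To make the method and the caveat concrete, here is an added Python example (not code from the post): it implements the first-letter rule as a fixed function, with the post's two substitutions (to becomes 2, you becomes U), and then plays the attacker, running the same rule over a small constructed corpus of lyrics. The post's own string also lowercases "If" and capitalizes "hot rod Lincoln", which a fixed rule will not reproduce; that is exactly the kind of personal quirk that keeps a mnemonic out of a rule-based wordlist attack. The corpus and the LYRIC constant are constructed for the example.

```python
"""Added example: the first-letter mnemonic as a fixed rule, and the attacker's
view of it. Not the post's code; the corpus below is a constructed stand-in."""
from __future__ import annotations

import math
import re

# Substitutions the post's example applies on top of "first letter of each word".
SUBSTITUTIONS = {"to": "2", "you": "U"}

# A word is letters, optionally followed by an apostrophe and more letters
# (you're, don't, drinkin'); any other non-space character is punctuation.
TOKEN = re.compile(r"[A-Za-z]+(?:'[A-Za-z]*)?|\S")

LYRIC = ("My pappy said, 'Son you're gonna drive me to drinkin' "
         "If you don't stop driving that hot rod Lincoln'")

CORPUS = [  # constructed stand-in for a lyric/quotation wordlist
    "Twinkle, twinkle, little star, how I wonder what you are",
    "To be, or not to be, that is the question",
    "Please Excuse My Dear Aunt Sally",
    LYRIC,
]


def mnemonic(text: str, substitutions: dict[str, str] | None = None) -> str:
    """Condense a sentence the way the post describes: first letter of each
    word (case preserved), punctuation kept, and a contraction's apostrophe
    kept as a trailing ' so that "you're" -> "y'" and "don't" -> "d'".
    Substitutions apply only to whole words ("you" -> "U", not "you're")."""
    subs = SUBSTITUTIONS if substitutions is None else substitutions
    out = []
    for tok in TOKEN.findall(text):
        if not tok[0].isalpha():
            out.append(tok)  # punctuation passes straight through
            continue
        word = tok.split("'")[0]
        if "'" not in tok and word.lower() in subs:
            out.append(subs[word.lower()])
        else:
            out.append(word[0])
            if "'" in tok:
                out.append("'")
    return "".join(out)


def rule_variants(line: str):
    """The handful of condensing rules an attacker would try per source line."""
    yield mnemonic(line)              # with the post's substitutions
    yield mnemonic(line, {})          # pure first letters
    yield mnemonic(line).lower()      # all-lowercase variants
    yield mnemonic(line, {}).lower()


def crack(target: str, corpus) -> str | None:
    """Return the corpus line whose condensed form equals target, else None.
    This is the wordlist-plus-rules attack the text warns about."""
    for line in corpus:
        if any(cand == target for cand in rule_variants(line)):
            return line
    return None


def candidate_count(corpus) -> int:
    """How many guesses the attack needs in total for this corpus."""
    return sum(len(set(rule_variants(line))) for line in corpus)


def bits_if_random(length: int, alphabet_size: int = 95) -> float:
    """Search space (in bits) for a truly random string of the same length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = mnemonic(LYRIC)
    print(pw, len(pw))
    print("recovered from:", crack(pw, CORPUS))
    print(f"{candidate_count(CORPUS)} candidates, versus 2^{bits_if_random(len(pw)):.0f} "
          "for a random string of the same length")
```

Run it and the condensed lyric is recovered from the corpus in at most four guesses per line, against roughly 2^164 possibilities for a random 25-character string: the length is the same, the search space is not.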
Try creating a mnemonic passphrase from something meaningful to you (this one is another published example, so treat it as a pattern to imitate, not a passphrase to adopt):

MtFbwya.Iwtbot,iwtwot.Ir5memB8AM!

You shouldn’t use this passphrase everywhere; that defeats the purpose. Instead, use one incredibly strong passphrase as the master key for an encrypted password manager (such as Bitwarden, 1Password, or KeePassXC).

Within that manager, let it generate a unique, random password for every other service. This way, you only have to remember one thing.
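As an added example (not the post's code), here is how the random passwords a manager stores, and a random-word master passphrase, are generated correctly in Python: with the secrets module rather than random, and with entropy computed from the alphabet size rather than from character classes. The 16-word list is a constructed stand-in; a real list such as the EFF long wordlist has 7776 words, which is what the 77-bit figure in the comments assumes.

```python
"""Added example: generating the random per-site passwords a manager stores,
and a random word passphrase for the master key. Not the post's code; the
word list is a constructed stand-in for a real list such as the EFF's."""
import math
import secrets
import string

# Use the secrets module, never random: random is a predictable PRNG.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

WORDS = [  # constructed 16-word list; a real list has thousands of words
    "anchor", "basket", "canyon", "dagger", "ember", "falcon", "glacier", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
]


def entropy_bits(choices: int, symbol_count: int) -> float:
    """Bits of entropy in `choices` independent uniform picks from `symbol_count` symbols.
    20 characters from 94 symbols: ~131 bits. 6 words from 7776: ~77.5 bits."""
    return choices * math.log2(symbol_count)


def meets_policy(pw: str) -> bool:
    """Lower, upper, digit and symbol all present (many sites still insist)."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password. Rejection sampling (retry until the policy
    holds) keeps the result uniform over the policy-compliant strings, unlike
    schemes that force a digit into a fixed position."""
    if length < 12:
        raise ValueError("use at least 12 characters for a stored password")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw


def generate_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style master passphrase: each word is an independent uniform
    pick, so entropy is words * log2(len(wordlist)) regardless of how the
    phrase looks. With this toy 16-word list that is only 24 bits; with a
    7776-word list it is ~77.5 bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits(20, len(ALPHABET)):.0f} bits")
    print(generate_passphrase(), f"~{entropy_bits(6, len(WORDS)):.0f} bits (toy list)")
```

The entropy figure is the honest measure of a generated secret: a 20-character random password from 94 symbols is about 131 bits, far beyond any cracking rig, while the same characters arranged by a human rarely reach a fraction of that.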
You can add a final layer of security by enabling Two-Factor Authentication (2FA) on your password manager.

Using an authenticator app like Duo Mobile or Google Authenticator adds a second step to the login: a six-digit code that changes every 30 seconds (Google Authenticator), or a push prompt on your phone asking you to approve the login (Duo). Even if someone manages to steal your master passphrase, they still can’t log in to the vault service without your physical device.

Two caveats. First, 2FA protects the login to the manager’s service, not the encrypted vault itself: if an attacker obtains a copy of your vault (a KeePassXC database file, an exported backup), the master passphrase is the only thing standing between them and every password in it, which is why it has to be strong on its own. Second, approve a push prompt only when you are the one logging in; an attacker who holds a stolen password will send prompts hoping you tap Approve out of habit.