Security Tip: 5 Easy Ways to Remember Your Strong Password

With all the information we keep on our computers, our USB drives, our email accounts and other digital systems, it’s easy to collect half a dozen passwords, or more, that need remembering. Strong passwords are important, of course, and many times you simply can’t use the same password for multiple applications; what one system demands of a password might not be what another accepts. Using a different password everywhere certainly makes it harder for prying eyes to get at your data, but it can backfire if it pushes you into weak passwords or insecure notes. Keep reading for 5 easy ways to remember your strong password.


Use a Password Manager

Alright, this might be cheating, as you won’t technically have to remember much. But a password manager is a welcome solution to the problem of having countless passwords to remember. With a password manager you remember one strong master password, and it generates, stores and fills in the rest, so every site can have a long random password you never have to see. The trade-off is that the master password, and the manager itself, become a single point of failure: choose the master password with the care described below, and make sure the manager is installed or synced on every device you log in from, since it can only fill in passwords where it runs.

Use Random Words You Love

The most secure passwords are long and built from random characters, which makes them impractical to guess. That also defeats the vast majority of brute-force attempts, which simply try one candidate after another until something works.

Unfortunately, random characters can be very difficult to remember. Random words, on the other hand, are much easier to commit to memory, and a passphrase of several words drawn at random from a large word list is comparably strong. The key word is random. Your first pet’s name, the street you grew up on, your birthday or your mother’s maiden name are not random: they are the answers to common security questions, they are often visible on social media, and password-cracking tools try exactly these kinds of personal facts. A passphrase built from them is far weaker than it looks. Pick the words with dice or a generator, or at least choose words that have no connection to you. If you need a reminder, you can probably afford to write one down somewhere safe, perhaps in your cell phone, but make sure the hint reveals nothing about the words themselves; “favorite baseball player, sister’s birthday, dream vacation” is a hint that anyone who knows you can act on.

Use Mnemonic Devices

Because long random strings make strong passwords, there’s a good argument for a mnemonic that gets you close to one. Take a sentence you’ll remember and keep the first letter of each word, along with any digits and punctuation: “I always get my password on the first try”, for example, becomes “Iagmpot1t.” Nine mixed-case characters with a digit make a reasonable password, not an extremely strong one: it is short, and a string derived from a sentence is less random than it looks, since cracking tools try common phrase patterns too. A longer sentence, with its punctuation kept, gives a longer and stronger result that is no harder to remember.
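To make the trade-offs in the last two tips concrete, here is an added example (not from the original article) that generates a random-word passphrase with the CSPRNG and puts numbers on the three styles discussed: random words from a Diceware-style list, the nine-character mnemonic, and a passphrase assembled from personal facts. The word list, the candidate-pool sizes used for the personal facts, and the 1e10 guesses-per-second attacker rate are all assumptions for illustration.

```python
import math
import secrets

# Constructed mini word list standing in for a real Diceware/EFF list.
# (The EFF long list has 7776 words; entropy below is computed from the
# size actually passed in, so a real list can be dropped in unchanged.)
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "walnut", "yarrow",
]
EFF_LIST_SIZE = 7776           # 6^5: five dice rolls select one word
MIXED_ALPHABET = 26 + 26 + 10  # upper, lower, digits: what "Iagmpot1t" draws from


def generate_passphrase(words, count):
    """Pick `count` words uniformly at random using secrets (not random)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_bits(count, list_size):
    """Entropy of `count` words chosen uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


def random_password_bits(length, alphabet_size):
    """Entropy of `length` characters chosen uniformly from `alphabet_size` symbols.
    For a mnemonic like 'Iagmpot1t' this is an upper bound: a sentence-derived
    string is less random than a uniformly random one of the same length."""
    return length * math.log2(alphabet_size)


def personal_facts_bits(candidate_pool_sizes):
    """Entropy of a passphrase built from personal facts, modelled as the attacker
    enumerating an assumed candidate pool per fact.  If the facts are on social
    media, each pool collapses to 1 and the entropy to 0."""
    return sum(math.log2(n) for n in candidate_pool_sizes)


def years_to_crack(bits, guesses_per_second):
    """Expected years to find the password by searching half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second / (3600 * 24 * 365)


def compare(guesses_per_second=1e10):
    """Strength of the three password styles from the text, side by side.
    Assumes an offline attack on a fast hash at 1e10 guesses/s (GPU rig)."""
    cases = {
        # six random words from the EFF list
        "6 random Diceware words": passphrase_bits(6, EFF_LIST_SIZE),
        # upper bound for the nine-character mnemonic from the text
        "9-char mnemonic (upper bound)": random_password_bits(9, MIXED_ALPHABET),
        # pet name, street, day of month: assumed pools of 5000, 10000 and 31 candidates
        "pet + street + birth day": personal_facts_bits([5000, 10000, 31]),
    }
    return {name: (round(bits, 1), years_to_crack(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(WORDLIST, 5))
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

Six random Diceware words come out near 77 bits, which is out of reach even at ten billion guesses per second; the nine-character mnemonic is at most about 54 bits, which falls in days at that rate; and three personal facts are worth about 30 bits even if the attacker knows nothing about you, and nothing at all if the facts are public.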

Write Down Your Passwords and Keep Them Safe

If you’re particularly concerned about forgetting your passwords, it’s OK to write them down, provided you store the note somewhere safe and nowhere near the computer it unlocks. If the passwords are for an office computer, keep the note locked away at home. If you have a home office, consider writing them in the back of a favorite book kept on a shelf in another room. A sticky note on the monitor or under the keyboard, the first places anyone searching will look, defeats the purpose.

Rotate Passwords

Many systems that require passwords also make you change them regularly. Resist the temptation to handle this by rotating one password through several systems: once that password leaks from any one of them, the attacker will try it on the others, which is exactly how stolen credentials get reused. A strong password that hasn’t been compromised doesn’t need to be thrown away on a schedule, but it should be changed, everywhere it was used, the moment you suspect a system that held it was breached. Forced rotation is one more reason a password manager pays off.


Concerned About Network Security? Hire a Hacker

If you’re worried about your network security, then you may think the last thing you should do is to invite someone to hack your network. However, one of the types of cyber protection you may not know about involves hiring teams of so-called “ethical hackers” to discover your system’s vulnerabilities.

Beware of Cute Cats

What is it about cat pictures or videos people find so irresistible? The Wall Street Journal reported that an ethical hacking company called PhishMe, co-founded by Aaron Higbee, put together a phishing email that featured a picture of a Turkish Angora cat with a purple mohawk. The email promised that clicking a link would lead the user to more cat pictures. Instead, the link led the employee to a warning from the tech department.

PhishMe built another fake phishing email to prey on employee competitiveness. It sent employees an email that appeared to come from the company CEO, with an attachment that claimed to contain figures for potential bonuses for many company employees. PhishMe then sent a second email attempting to recall the first. Many employees opened the attachment, which again sent them to a warning page.

Higbee says that cute cats are to employees what kryptonite is to Superman. Of the 3.8 million employees that PhishMe has worked with, 48 percent clicked on the cute cat phishing email. PhishMe’s work reveals vulnerability to “social engineering,” attacks that manipulate people into handing over sensitive information or access rather than exploiting a flaw in software.

Common Vulnerability Points for Networks

In addition to attacks that prey on human frailty, hackers can capitalize on a number of vulnerable network points, including:

  • Wi-Fi networks. When employees work over wireless, they can expose the company to a hacker. In an “evil twin” man-in-the-middle attack, for instance, a computer with two wireless cards sits near a Wi-Fi hotspot: one card connects to the legitimate network while the other broadcasts a fake network with the same name, usually with a stronger signal so devices join it automatically. Employees log onto the company intranet through the fake network, and everything they send, credentials included, passes through the hacker’s machine.

  • USB drives. Imagine an employee using a USB stick to take work from the office to his or her home. The employee’s personal computer picks up a virus, which copies itself to the USB drive. When the employee returns to work and inserts the USB drive into a corporate computer, the virus can spread into the corporate network. The Stuxnet worm, which sabotaged uranium-enrichment centrifuges at an Iranian nuclear facility on a network with no internet connection, is widely believed to have been carried in on a USB drive.

  • Weak passwords. Many employees use obvious passwords like “123456,” “iloveyou,” “password” or their own names. Sometimes they write their passwords on sticky notes and stick them to their monitors or the undersides of their keyboards. Many employees also use the same password for multiple accounts. If an employee gives away a company email password to a phishing email, and he or she uses that same password for online banking, the employee could face a serious problem.

Ethical Hacker Tactics

Ethical hackers use multiple techniques to reveal network vulnerabilities. An ethical hacker may sit in a company parking lot and attempt to launch a man-in-the-middle attack on the company’s wireless network. Some ethical hackers drop rigged thumb drives in company bathrooms, which employees often pick up and insert into their USB ports. Some go so far as to conduct in-person breaches: a hacker may dress up as a package delivery person or a fire marshal to gain access to restricted company areas.

Look for an ethical hacker who holds the Certified Ethical Hacker (CEH) credential. A CEH has training in subjects like virus creation, buffer overflows, social engineering, policy creation and intrusion detection. CEH students aren’t allowed into training centers without undergoing a thorough background check. After completing training, a CEH has to pass an examination to earn the credential. CEHs also sign legal agreements stating that they will not use their training for illegal or malicious purposes.

If you’re concerned about data loss or network vulnerability, you can find an ethical hacker who can determine your network’s weak spots. These hackers do an important service for consumers, businesses, not-for-profits and government agencies.
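The Wi-Fi bullet above and the parking-lot tactic describe the same attack from two sides. As an added example that is not part of the original article, the following code shows the defender’s view: given a wireless scan, it flags access points that advertise a known corporate SSID from a BSSID (AP MAC address) that is not in the company’s inventory, that use a different security mode than the real network, or that use a look-alike SSID. The inventory, the SSIDs, the MAC addresses and the scan results are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # the AP's MAC address, which an evil twin cannot share with the real AP
    security: str     # "WPA2", "WPA3" or "OPEN"
    signal_dbm: int   # stronger (less negative) wins auto-join on most clients


# Hypothetical inventory of the company's legitimate APs: SSID -> known BSSIDs and
# the security mode they are configured with.  In practice this comes from the WLAN controller.
KNOWN_APS = {
    "CorpWiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
}

# Constructed scan results, as a parking-lot evil twin would look to a client.
SCAN = [
    AccessPoint("CorpWiFi", "00:11:22:33:44:01", "WPA2", -55),        # real AP
    AccessPoint("CorpWiFi", "00:11:22:33:44:02", "WPA2", -70),        # real AP
    AccessPoint("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", -40),        # evil twin: unknown BSSID, open, loudest
    AccessPoint("CorpWiFi-Guest", "de:ad:be:ef:00:02", "WPA2", -60),  # look-alike SSID not in inventory
    AccessPoint("CoffeeShop", "aa:bb:cc:dd:ee:01", "OPEN", -65),      # unrelated network
]


def _looks_like(ssid, known_ssid):
    """Look-alike check: same name after case/space normalisation, or known name plus a suffix."""
    a, b = ssid.strip().lower(), known_ssid.lower()
    return a != b and (a.replace(" ", "") == b or a.startswith(b + "-") or a.startswith(b + "_"))


def find_rogue_aps(scan, known=KNOWN_APS):
    """Return [(AccessPoint, [reasons])] for every AP that impersonates a known SSID."""
    findings = []
    for ap in scan:
        reasons = []
        if ap.ssid in known:
            if ap.bssid not in known[ap.ssid]["bssids"]:
                reasons.append("unknown BSSID for this SSID")
            if ap.security != known[ap.ssid]["security"]:
                reasons.append(f"security {ap.security} differs from expected {known[ap.ssid]['security']}")
        else:
            for known_ssid in known:
                if _looks_like(ap.ssid, known_ssid):
                    reasons.append(f"look-alike of known SSID {known_ssid}")
        if reasons:
            findings.append((ap, reasons))
    return findings


def strongest_for_ssid(scan, ssid):
    """The AP a client would typically auto-join: the strongest signal for that SSID.
    An evil twin wins by being closer or louder, which is why BSSID matters, not just SSID."""
    matches = [ap for ap in scan if ap.ssid == ssid]
    return max(matches, key=lambda ap: ap.signal_dbm) if matches else None


if __name__ == "__main__":
    for ap, reasons in find_rogue_aps(SCAN):
        print(f"ROGUE {ap.ssid} {ap.bssid} ({ap.signal_dbm} dBm): {'; '.join(reasons)}")
    best = strongest_for_ssid(SCAN, "CorpWiFi")
    print(f"client would auto-join {best.bssid}, which is {'NOT ' if best.bssid not in KNOWN_APS['CorpWiFi']['bssids'] else ''}in the inventory")
```

Note that the loudest “CorpWiFi” in the constructed scan is the rogue one, so a client that picks by signal strength joins the attacker. Detection like this belongs on a wireless IDS or the controller, not on each laptop; the client-side fix is WPA2/WPA3-Enterprise with the server certificate validated, so that credentials are never sent to an AP that cannot prove it is the company’s.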

Evernote User Accounts Compromised

Evernote, today, reported that they detected and blocked suspicious activity on their network. As a precaution, they say, they’ve implemented a password reset for all users. When I first read about this, it sounded as if they had already reset your password and you would need to have it emailed to you. Instead, an email sent out instructed users to log in and change their passwords upon login.

What Happened?

Anything I say here would be purely speculation. However, attacks are often as simple as a SQL injection. This usually happens when a website takes user input (like a contact form, a blog comment form or a login form) and pastes it straight into a database query instead of passing it as a parameter, so that specially crafted input is executed as part of the query. It’s more common than you think. For anyone interested in a more technical view of security vulnerabilities, check out OWASP’s Top 10 Project. In reality, any number of things could have let in a hacker and it’s too early to say for sure.
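To show what “pastes it straight into a database query” means, here is an added example (not from the original post, and not a claim about how Evernote was built): a login check written two ways against an in-memory SQLite table with two constructed accounts. The vulnerable version builds the query by string formatting, so the classic payload closes the quoted string, makes the WHERE clause always true and comments out the password check; the parameterized version sends the same text as a value and it never becomes SQL. Account names and passwords are constructed for the example.

```python
import hashlib
import sqlite3


def _digest(password):
    # Unsalted SHA-256 keeps this example short; real code needs a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """In-memory user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", _digest("correct horse")), ("bob", _digest("hunter2"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the attacker's text becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, _digest(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds values separately, so they can never be parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _digest(password)),
    ).fetchone()
    return row[0] if row else None


# Closes the open quote, makes the WHERE clause always true, and '--' comments out
# the rest of the line, including the password check.
INJECTION = "' OR 1=1 --"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, injected:", login_vulnerable(db, INJECTION, "anything"))  # alice
    print("safe, injected:     ", login_safe(db, INJECTION, "anything"))         # None
    print("safe, real creds:   ", login_safe(db, "bob", "hunter2"))              # bob
```

The vulnerable function logs the attacker in as the first user in the table without any password; the safe one simply finds no user named `' OR 1=1 --`. Every mainstream database driver supports parameter binding, so the fix is never more work than the bug.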

Should I Worry?

This is a two-part answer. First, your Evernote account is fine. According to Evernote, no stored data was lost or accessed (other than your credentials, of course). Just reset your password and you should be OK. Your other accounts, however, may not be. Take a look at the most important part of Evernote’s statement:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

This tells me that my username, email and hashed password are out there in the hands of a hacker, and because Evernote is a large service, it wouldn’t surprise me if a torrent file of this information shows up for download by anyone with an internet connection. “Hashed and salted” is what Evernote means by one-way encryption: a hash can’t be reversed to get the password back, and the salt (a random value mixed into each user’s hash) means the hacker can’t use a precomputed table that maps hashes to passwords. What the hacker can do is guess: hash a candidate password with your salt, using the same method, and compare it to the blob of characters next to your username, millions of times per second on ordinary hardware. A weak or common password will be found that way within minutes; a long random one will not. If your password was cracked, the hackers would now have a username/email/password combination to try on many other services. If I were that hacker, I would start with other cloud services, namely Apple’s. If you use the same username and password anywhere else, you should change your password there, too.
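The paragraph above and the “weak passwords” bullet in the earlier section describe the same offline attack from the victim’s side. As an added example, not from the original post and not a description of Evernote’s actual scheme, here is what a stolen “hashed and salted” record lets an attacker do, and what it doesn’t. It stores constructed accounts with a per-user random salt under two schemes (salted single-round SHA-256, and PBKDF2 with an assumed 100,000 iterations), then runs a dictionary attack with a small constructed list of the kind of passwords the article mentions.

```python
import hashlib
import hmac
import os
import time

# Constructed list of the kind of passwords the article mentions; real attacks use
# wordlists of hundreds of millions of previously leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "iloveyou", "qwerty", "letmein",
                    "abc123", "monkey", "111111", "evernote", "welcome"]

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example; tune upward in production


def hash_fast(password, salt):
    """Salted single-round SHA-256: the salt defeats precomputed tables, but each guess is cheap."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_slow(password, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256: same salt benefit plus a tunable cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


SCHEMES = {"sha256": hash_fast, "pbkdf2": hash_slow}


def make_record(username, password, scheme="sha256"):
    """What a service should store: a fresh random salt per user plus the salted hash."""
    salt = os.urandom(16)
    return {"user": username, "scheme": scheme, "salt": salt,
            "hash": SCHEMES[scheme](password, salt)}


def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = SCHEMES[record["scheme"]](password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def dictionary_attack(record, wordlist):
    """What an attacker holding a stolen record can do offline: hash each candidate
    with *that user's* salt and compare.  The salt forces this per-user work (no
    shared rainbow table), but it does not save a password that is in the list."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def guesses_per_second(scheme, seconds=0.2):
    """Rough local throughput of one scheme; the fast/slow ratio is the attacker's added cost."""
    salt, count, end = os.urandom(16), 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        SCHEMES[scheme]("candidate%d" % count, salt)
        count += 1
    return count / seconds


if __name__ == "__main__":
    weak = make_record("bob", "iloveyou")
    strong = make_record("alice", "juniper marble kettle orbit velvet")
    print("bob cracked as:  ", dictionary_attack(weak, COMMON_PASSWORDS))      # iloveyou
    print("alice cracked as:", dictionary_attack(strong, COMMON_PASSWORDS))    # None
    a, b = make_record("u1", "password"), make_record("u2", "password")
    print("same password, different salts, different hashes:", a["hash"] != b["hash"])
    for name in SCHEMES:
        print(f"{name}: ~{guesses_per_second(name):,.0f} guesses/s on this machine")
```

Two things to take from running it: the same password hashed for two users gives two unrelated hashes, so the attacker must redo the work per account, but “iloveyou” still falls on the third guess under either scheme. The slow KDF only changes how many guesses per second the attacker gets, which matters enormously for a large wordlist and not at all for a password that is near the top of it. Storage is the service’s job; choosing a password that is not in any list is yours.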

How To Protect Yourself

While websites and online services have legal and ethical obligations when it comes to storing your information, you should have some rules of your own.

Use a secure password that you can remember. The word “password” is, sadly, not only one of the most insecure passwords but also one of the most popular. If it was easy for you to come up with and type in, it’s likely easy to crack. Don’t use your birthday, any word that can be found in a dictionary, or anything someone could guess with a little information about you.

Don’t write it down if you can help it. If I was in your house and wanted to get into your computer, the first place I would look is under your computer. Shockingly often, people just put their password on a sticky note and stick it to their monitor. The password is only as good as the user. Protect it like you’re protecting what it gets access to. If you wouldn’t leave your life’s savings on your desk, don’t put your password to it there, either.

Split up your passwords. This is a hard pill to swallow, but you absolutely should use a different password for each site. The cost is convenience, but the reward is not having every account you own hacked just because one site let your password get out. If this is too hard for you, at least use individual passwords for any site with finances or sensitive information and another “global” password for the 150 other sites that are less critical, and understand that the global one is only as safe as the weakest of those sites. A password manager removes the trade-off entirely.

Don’t just stick to one rule, either. I know from experience that thinking you’re doing so well with one rule (like having an incredibly hard-to-crack password) that it excuses you from the others is a good way to get hacked.