In the fairy tale of “,” Kasim, the elder brother of Ali Baba, died in the secret cave.
Kasim goes to the cave, taking a donkey with him to take as much treasure as possible. He enters the cave with the magic words. However, in his greed and excitement over the treasure, he forgets the words to get out again and ends up trapped. The thieves find him there and kill him.
People think that Kasim died of his greed. But as I see it, this story could have had a happy ending if he had known one thing, one thing that we often forget and get frustrated about: “Open Sesame”.
Kasim forgot the password when he wanted to leave the cave with treasure in his hands. No one in real life would forget a passphrase like this, but we are no better than Kasim in many respects.
If you use one of the above, you should consider changing it right after reading my password rules. Before that, it is better to understand what kind of password is more susceptible to being cracked.
Hackers use password-cracking software with a giant password database to try passwords. As the example above shows, a single word or a run of numbers is a weak choice, and all their variants are already included in the “password tables” hackers use. The simple rule is not to use them, as they can be cracked within minutes.
Most websites with a login include a password policy that forces the user to create a password with a certain level of complexity, such as special characters, upper and lower case letters, and a mix of letters and digits.
All these rules try to increase the complexity of a password. Therefore, I would suggest you keep them in all your passwords so that you do not need to re-type repeatedly when creating an account. This is from ,
“the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity].”
Tech also follows the same recommendation. They pointed out, “Instead of using a short, complex password that is hard to remember, consider using a longer passphrase.” where this is originally from the .
Key Point:
Longer passwords, even simple words or constructs, are better than short passwords with special characters.
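To put the key point in numbers, here is an added example (not from the original article) that computes the brute-force search space, log2(alphabet^length), for a short password over the full printable ASCII set against a longer all-lowercase one, and for a passphrase built from whole dictionary words. The alphabet sizes and the 7776-word list size are the example's assumptions, and it assumes each symbol or word is chosen uniformly at random.

```python
import math

# Alphabet sizes assumed for the comparison (standard ASCII classes).
LOWERCASE = 26            # a-z
ALNUM = 62                # a-z, A-Z, 0-9
PRINTABLE = 95            # ALNUM plus 33 punctuation/space characters
DICEWARE_WORDS = 7776     # words in a common passphrase word list (6^5), assumed


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Brute-force search space in bits for `length` symbols chosen
    uniformly from `alphabet_size`: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Same calculation for a passphrase of whole dictionary words; each word
    contributes log2(dictionary_size), not one symbol's worth per letter."""
    return word_count * math.log2(dictionary_size)


def length_vs_alphabet(length: int, extra: int, small: int, big: int) -> dict:
    """Bits gained by adding `extra` characters at the small alphabet versus
    bits gained by widening the alphabet at the original length."""
    return {
        "gain_from_length": round(search_space_bits(small, length + extra)
                                  - search_space_bits(small, length), 1),
        "gain_from_alphabet": round(search_space_bits(big, length)
                                    - search_space_bits(small, length), 1),
    }


def compare() -> dict:
    """The article's key point in numbers: length beats alphabet width."""
    return {
        "8_chars_printable": round(search_space_bits(PRINTABLE, 8), 1),
        "20_chars_lowercase": round(search_space_bits(LOWERCASE, 20), 1),
        "4_word_passphrase": round(passphrase_bits(4), 1),
        **length_vs_alphabet(8, 8, LOWERCASE, PRINTABLE),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits} bits")
```

Doubling an 8-character lowercase password to 16 characters adds about 37.6 bits, while widening the same 8 characters from 26 to 95 symbols adds only about 15 bits.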
The following is my step-by-step guide on how to generate an “Open Sesame 2.0”.
There is only one requirement for this rule — keep it secret.
The seed should be something related to you, so that it helps you remember, but at the same time complex enough to prevent guessing. It can be your name or the name of your favorite TV character, e.g., MrRobot. If you, like me, are a fan of the TV show Mr. Robot, you have probably noticed this in each episode’s official title.
You can use your 0wn tr@nsl4tion, but the rule is t0 k3ep 1t consistent. Using this rule, you can fulfill most of the complex password policies.
It is frustrating to click the forgot-password button every time you return to a website you seldom use, or simply because you are forgetful. It is also a bad idea to use a SINGLE PASSWORD for all your accounts (Please do not do that. If you do, change it now!).
The second rule that helps you to remember is to include the URL in your password. Yes, you read it correctly. I am asking you to consider including the website’s URL in your password.
Some companies require users to change their passwords every 30 days or so. It is a good practice and part of some security standards, but it becomes a challenge when users cannot remember what they typed. In that case, I suggest you consider adding the date of the change to your new password, e.g., 20201201 for 17th December 2020.
So now you know how to transform letters into complex password elements. Having the URL or date in your password also makes it easier to remember where and when you typed it. The rule takes a “seed” and combines it with a variable related to where the account belongs or when it was created.
Key Point:
Seed + URL (+ date) = Strong but easy to remember
Consider the following walk-through example: Let’s say Mr. Robot wants to join Netflix. When creating an account, he can first transform his name “MrRobot” into “MrR0bo4” (used as the seed) and “Netflix” into “N3tf1ix” (the variable). As a result, a good password option could be:
The key is keeping the seed but changing the remaining part. Remember NOT to tell anyone what remains unchanged. The seed is the ultimate secret: it must not be written down or told to anyone.
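The walk-through above as an added example, not the author's code: a fixed substitution table is applied to the seed and the site name, a rotation date is appended when required, and the result is checked against a typical complexity policy. The substitution table, the “@” separator and the 12-character minimum are assumptions of the example; everything after the seed is derived from public information, so the scheme's strength rests on the seed alone.

```python
import re
from datetime import date
from typing import List, Optional

# Assumed substitution table: the article says to pick your own and keep it
# consistent. This table is the example's own, not the author's.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"})

# Assumed separator between the parts (the author's screenshot uses "@").
SEPARATOR = "@"


def transform(word: str) -> str:
    """Apply the fixed substitution table to every matching letter."""
    return word.translate(LEET)


def build_password(seed: str, site: str, changed_on: Optional[date] = None) -> str:
    """Seed + transformed site name, plus YYYYMMDD when rotation is required.
    Only the seed is meant to stay secret; the rest is derived per site."""
    parts = [transform(seed), transform(site)]
    if changed_on is not None:
        parts.append(changed_on.strftime("%Y%m%d"))
    return SEPARATOR.join(parts)


# Assumed policy modelled on the complexity rules the article describes.
MIN_LENGTH = 12
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def policy_failures(password: str) -> List[str]:
    """Names of the policy rules the password does not satisfy (empty = passes)."""
    failures = ["min_length"] if len(password) < MIN_LENGTH else []
    failures.extend(name for name, rx in CLASSES.items() if not rx.search(password))
    return failures


def rotated_example() -> str:
    """The walk-through seed and site with the article's rotation date appended."""
    return build_password("MrRobot", "Netflix", date(2020, 12, 17))


if __name__ == "__main__":
    for pw in (transform("MrRobot"), build_password("MrRobot", "Netflix"), rotated_example()):
        print(pw, policy_failures(pw) or "passes policy")
```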
The test result of password “MrR0bot@[email protected]” | screenshots by the author
After some practice, you can use it anywhere. But before you start changing passwords on different websites, you can test your password strength using the following portal:
First things first: you should know by now that hackers in real life are not like those in most movies or TV shows (except Mr. Robot). Hackers try not to penetrate a system with complex malware or tools, because that is the most labor-intensive and cost-ineffective way in.
Instead, they often get in by compromising the weakest link — people. Therefore, as a security professional at work, one of the most concerning areas is password security.
One thing that differs between the digital world and the physical world is the concept of theft. If your wallet is stolen in the physical world, you know it when you put your hand in your pocket, because it is not there, right?
But in the digital world, what is stolen is still there. Therefore, a good place to begin is checking whether your identity has been stolen, or pwned.
Let’s talk about what “Pwned” means. According to Merriam-Webster:
Pwn is a lot like , then, in the sense of 1b, “to have power or mastery over (someone).” (This is, of course, no coincidence. The word likely has its origin in a mistyping of own, what with the p and o being so close to one another on the QWERTY keyboard and all.)
From a security point of view, being pwned means someone has gained unauthorized access to your account. In most cases, pwned means something was stolen, whether it is your credentials or those of someone who has access to yours.
Screen capture of HIBP | copyright by the author
PLM —Password Length Matters
How to generate a good password?