The password paradox

How do you balance security with usability? Here’s one way.

December 3, 2012
By Wray Rives, CPA, CGMA

Think about how often you use passwords. To log in to your computer. To access your firm’s network. To open tax returns or other files with personally identifiable client data including names and Social Security numbers. And all of that just gets the day started.

Passwords are as much a part of everyday life for most Americans as sleeping, eating, and bathing. We have to enter passwords so often to do so many different things that we often view them as an annoyance, something else we have to keep track of in our crazy, cluttered lives.

We roll our eyes when we hear about the importance of using long, complex passwords, of changing them on a regular basis, and not using the same one on more than one application. Who can keep up with all of those passwords?

This article outlines an approach to password creation that is simple for the user to remember yet long and varied enough to resist the automated guessing that cybercriminals rely on.

The password problem

Articles on subjects ranging from cloud computing to identity theft emphasize the importance of passwords in establishing strong security against cybercriminals. Nevertheless, many of us continue to use weak passwords. A recently published annual study of millions of passwords stolen and posted online by hackers found that the most common password on those lists was “Password,” followed by “123456” and “12345678.” It was the second straight year those three passwords topped the list of “25 Worst Passwords of the Year” compiled by SplashData, a maker of password management applications.

Password management applications are one option for dealing with a plethora of passwords, but you'll still need to choose and protect the master password that unlocks the application. So it's good to know strong password practices.

A strong password policy

Passwords should contain 12 or more characters with at least one numeral, one capital letter, one lowercase letter, and one symbol. A 2010 Georgia Tech Research Institute study estimated that brute-force guessing of a 12-character password of this type would take up to 17,000 years, compared with about two hours for an eight-character one. The gap is so large because every additional character multiplies the number of possible passwords by the size of the character set.

Best practices require users to change their passwords every 60 to 90 days. Password length can be a difficult balancing act between having enough characters to make a password difficult to hack and having too many for the user to remember. Many people resort to writing down passwords, but that practice is among the riskiest of all.

So how can you remember a 12-character password that you have to change every 90 days? One way is to think of seven characters you can remember. Why seven? Seven is about the most items a person can reliably hold in short-term memory (one reason U.S. local phone numbers are seven digits).

Consider this example: Pick a combination of seven random numerals, letters, and symbols, and combine those with five characters from the name of the website you are visiting. I might pick aB94$5x as my seven memorized characters.

If I want a password for aicpa.org, my password could be aB9aicpa4$5x. By varying where I place the website characters in the string, the order and capitalization of those characters (e.g., aicpa might become icPaa), or just one character, I can vary my password slightly without having to commit a lot of new random characters to memory. We have used this scheme in my firm for the past year and found few problems with people remembering complex 12-character passwords. The scheme has a real weakness, however: every password shares the same seven secret characters, and the website portion is easy to guess. Anyone who learns one of your passwords (for example, from a breached site that stored it unhashed) and recognizes the pattern can strip out the site characters and reconstruct your passwords for other sites, so you still need to adhere to the following basic password safety rules:

  • Don’t save passwords on laptops, tablets, or smartphones, because those items do get stolen.
  • Don’t use common passwords like “12345” and “password.”
  • Don’t use dictionary words or your name for a password.
  • Do create a dummy email account that does not identify your real name and use that email for all password resets and nothing else.
  • Do give bogus answers to online security questions, and keep a record of those answers somewhere safe (such as your password manager) so you can still recover the account.
  • Do use two-step authentication, such as having the site text you a confirmation code when you log in from an unfamiliar computer, whenever it is offered.
  • Look for software as a service (SaaS) sites that use device-based authentication services, such as LaunchKey, which limit access to approved devices.
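The following Python script is an added illustration, not code from the article or from the author's firm. It implements the policy check and the memorized-secret-plus-site-fragment scheme described above, back-derives the guess rate implied by the "eight characters in two hours" figure to show what the same rate means for 12 characters, and then plays the attacker's side of the caveat: given one leaked password and the site it belonged to, it strips out the site characters (even a reordered, recapitalized variant such as icPaa), recovers the secret, and derives the password for a different site. The site-fragment rule (first five letters of the domain's first label, ignoring a leading "www."), the insertion position of 3, and the 95-character printable ASCII alphabet are assumptions made here; the article does not fix them.

```python
"""Worked example of the memorized-secret + site-fragment password scheme.

Added illustration only. Assumptions made here, not in the article:
  * the "five characters from the site name" are the first five letters of the
    domain's first label after any leading "www." ("aicpa.org" -> "aicpa");
  * the fragment is spliced into the secret at a fixed position (3 by default);
  * the brute-force guess rate is back-derived from the article's
    "two hours for eight characters" figure over the 95 printable ASCII characters.
"""
import string

PRINTABLE_ASCII = 95  # 26 upper + 26 lower + 10 digits + 33 symbols


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """The article's policy: 12+ characters and one of each of the four classes."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def guess_rate(length: int, seconds_to_exhaust: float,
               alphabet: int = PRINTABLE_ASCII) -> float:
    """Guesses per second implied by trying every `length`-character password in that time."""
    return alphabet ** length / seconds_to_exhaust


def years_to_exhaust(length: int, rate: float, alphabet: int = PRINTABLE_ASCII) -> float:
    """Years needed to try every `length`-character password at `rate` guesses per second."""
    return alphabet ** length / rate / (365.25 * 24 * 3600)


def site_fragment(site: str, length: int = 5) -> str:
    """Assumed rule: first `length` letters of the first DNS label, ignoring 'www.'."""
    host = site.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0][:length]


def derive(secret: str, site: str, insert_at: int = 3, fragment: str = "") -> str:
    """Splice the site fragment (or a user-chosen variant such as 'icPaa') into the secret."""
    frag = fragment or site_fragment(site)
    return secret[:insert_at] + frag + secret[insert_at:]


def recover_secret(leaked: str, site: str, length: int = 5):
    """Attacker's view of the caveat: given one leaked password and the site it belonged to,
    find the window whose letters are the site fragment in any order and any case,
    strip it out, and return (secret, insert_at). Returns None if no window matches."""
    target = sorted(site_fragment(site, length))
    for i in range(len(leaked) - length + 1):
        window = leaked[i:i + length]
        if sorted(window.lower()) == target:
            return leaked[:i] + leaked[i + length:], i
    return None


def main() -> None:
    secret = "aB94$5x"                                   # the article's seven memorized characters
    pw = derive(secret, "aicpa.org")                     # the article's example password
    print(pw, meets_policy(pw))                          # aB9aicpa4$5x True
    print(secret, meets_policy(secret))                  # aB94$5x False  (too short on its own)

    rate = guess_rate(8, 2 * 3600)                       # rate implied by "8 characters in 2 hours"
    print(f"12 characters at that rate: {years_to_exhaust(12, rate):,.0f} years")  # ~18,583

    # Even the 'icPaa' variation does not hide the secret from someone who knows the scheme:
    # one leaked password for aicpa.org yields the password for google.com.
    leaked = derive(secret, "aicpa.org", fragment="icPaa")
    recovered, pos = recover_secret(leaked, "aicpa.org")
    print(recovered == secret, derive(recovered, "google.com", pos))  # True aB9googl4$5x


if __name__ == "__main__":
    main()
```

The recovery step deliberately accepts any ordering and capitalization of the site letters, because that is exactly the kind of variation the scheme suggests; it shows that such variations enlarge an attacker's search only slightly once the pattern is known. The one mitigation the scheme cannot provide is independence between sites, which is what a password manager's random per-site passwords give you.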

Fraud prevention through controlling access to data had to evolve with the spread of PCs and the distribution of computing away from central mainframes. No doubt we will see continued evolution of fraud prevention as more functions and sensitive information move to the cloud, and this will provide opportunities for CPAs to offer advice as their clients make this inevitable transition.


Wray Rives, CPA, CGMA, helps startup and small business owners compete and succeed in their local or global market as founder and manager of NeedaCFO.com and through his public accounting firm Rives CPA.