Passwords: A Cybersecurity Superhero | Information Technology | University of Pittsburgh

Picture this: After hours of procrastination, you finally make your way to your desk and flip open your laptop, pepperoni pizza in hand. Then you hit a wall — the login screen. With your English paper due in the morning, your brain chooses this moment to have the memory of a goldfish. Your first attempt to log in is unsuccessful. No worries, you say with slight panic in your eyes. You try again. “Oops! Enter the correct email address and password to sign in.” Suddenly, pizza is not your priority. You are in a fight for your academic life!

Your Weakness: Memory Drain

The life of an online superhero is filled with password challenges. Pitt uses a single sign-on service, Pitt Passport, so your username and password will get you into nearly all University services. But outside of Pitt, you’re likely to have dozens of accounts for all the sites and services you use. Remembering them all would make you a super-genius. But most of us don’t have that power. Some people resort to sticky notes tacked onto their monitor or lists of passwords in a desk drawer. But that’s a major risk. Cyber-villains exist in the real world, not just in cyberspace. (The ENISA Threat Landscape 2020 report found that 27% of cybersecurity incidents start or finish with a physical action.) And having an Excel file listing all your passwords is nearly as vulnerable.

The True Villain: Weak and Reused Passwords

Are you using your name and birthday as your password, or even worse – the classic “password1234”? Have you been using the same password since middle school? Do you keep things simple by using the same password on every account? Yikes… Let’s change that!

Weak and repeated passwords are the true villains of cybersecurity. Reusing passwords makes them easy to remember, but it’s a ticking timebomb. If that one password leaks from any account, whether the site is breached or the password is guessed, then every account that shares it is at risk. No matter how innocuous a compromised site may seem, the hacker can see personal information saved in your settings. Then they’ll try that same username and password on other accounts, like Amazon, credit cards, or banks (a routine attack known as credential stuffing). Even if you use unique login credentials elsewhere, any account you opened with “Sign in with Google” or “Log in with Facebook” can be reached through that one compromised login without the hacker ever knowing the other passwords. With each breached account, hackers get more of your personal information. Next thing you know, you are the victim of identity theft, destroying your credit and potentially landing you in legal hot water.

Your Superpower: Complex and Unique Passwords

It’s crucial that you keep your information safe and secure by using a different password with every account. (By the way, thisismypassword1! and thisismypassword2! are not unique passwords. Hackers can count.) You also need to make sure that your passwords are incredibly strong.

What makes a good password, you ask? Here are some tips to keep bad guys out:    

  • The longer the better. Aim for passwords of at least 14 – 16 characters. The National Institute of Standards and Technology (NIST) states that password length is the primary factor in password strength, because every character you add multiplies the number of guesses an attacker has to make. A longer plain-text password beats a short complex one.
  • Complexity still matters. Combining length with complexity makes your passwords far harder to guess. Incorporate a mix of capital and lower-case letters, along with numbers and special characters, but never let a complexity rule talk you into a shorter password.
  • Change default passwords immediately. If you sign up for an account that assigns a default password, change it ASAP. All a hacker has to do is sign up for an account to see the default password pattern (e.g., first initial + last name + birthday MM/YY), which often consists of info that’s easy to find out about you.
  • Learn to love a passphrase. Remembering a password like “Hid8&^dghjkI!2#23” is really hard. Remembering a passphrase like “IHave2DogsNamedBuddy&Ginger!” is a heck of a lot easier. You can also substitute certain letters with other characters to make it more complex. (Common substitutions: 3 for E; 0 for o; ! for i; or @ for a.) One caveat: password-cracking tools know these substitutions and try them automatically, so treat them as a small bonus, not as a replacement for length.

Your Trusty Sidekick: Pitt Password Manager

If you create strong, unique passwords for every account, that quickly becomes way too many passwords to remember! Have no fear … Pitt Password Manager is here! This trusty app can remember all your passwords for you, so you never have to use a “Forgot your password” reminder again.

A password manager securely stores all your usernames/passwords — you just have to remember one Master Password that opens your password vault. Since that one password now guards everything, make it a long passphrase that you use nowhere else. The manager can also automatically generate strong passwords when you create a new account and will autofill your login credentials when signing into a site it recognizes. Don’t worry about entering all your existing passwords manually. You can export them from your browser or take a password spreadsheet and just upload them! Once they are imported, delete the exported file or spreadsheet, since it holds every password in plain text. Pitt Password Manager can be accessed online, via a mobile app, or using a browser extension.

The Final Showdown: Testing Your Password Strength

Not sure if your passwords are strong enough or what you have to do to make them hard to crack? Time for a showdown with PasswordMonster! This website not only tells you how strong or weak your password is, but it also estimates the amount of time it would take to crack and reviews your choice. Your goal is to have passwords that are in the green zone and rated “Very Strong”. One precaution: don’t type a real password into any third-party website. Test one built the same way (same length and mix of characters) and keep the real one to yourself.

You can also use the site to see how adding just a few extra characters impacts password strength. A password the site estimates can be cracked in 2.2 minutes can become one that would take 30 years to breach with just 3 more characters. Add one more and it can become 30 centuries! (Estimates like these assume a particular guessing speed, so treat them as a comparison between passwords rather than a guarantee.) If you find yourself in the red zone, bump your armor up until it is “as secure as Fort Knox.”
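The arithmetic behind the tips above and the strength test can be checked without a website. The following is an added example, not code from the Pitt IT post or from PasswordMonster: it counts the guesses a brute-force attacker needs for a password built from a given character set, shows why three extra characters outweigh “leet” substitutions (a dictionary attacker who knows the four substitutions from the tips list needs only 2 per substitutable letter), and generates the kind of random password a password manager produces. The guess rate is an assumed, labelled constant for illustration; real cracking speed depends on the site’s hashing and the attacker’s hardware.

```python
"""Added example (not from the original post): password search spaces,
leet-substitution variants, and random password generation."""
import itertools
import secrets
import string

# ASSUMPTION for illustration only: an offline attacker trying 10 billion
# guesses per second against a fast, unsalted hash. Real rates vary widely.
GUESS_RATE = 10**10

# The four substitutions listed in the post's passphrase tip.
LEET = {"a": "@", "e": "3", "i": "!", "o": "0"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, judged by which
    character classes (lower, upper, digit, punctuation) actually appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an attacker who knows only the length and the
    character classes used: alphabet ** length."""
    return charset_size(password) ** len(password)


def crack_seconds(password: str, rate: int = GUESS_RATE) -> float:
    """Worst-case time to exhaust the search space at the assumed rate."""
    return brute_force_guesses(password) / rate


def added_length_factor(extra_chars: int, alphabet: int = 94) -> int:
    """How many times larger the search space gets per added character
    drawn from a 94-symbol alphabet (all printable ASCII except space)."""
    return alphabet ** extra_chars


def leet_variants(phrase: str):
    """Every spelling a rule-based cracker would try: each substitutable
    letter either left alone or replaced, so 2 ** (eligible letters) total."""
    positions = [i for i, c in enumerate(phrase) if c.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(phrase)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def leet_variant_count(phrase: str) -> int:
    """Number of variants leet_variants() yields, without enumerating them."""
    return 2 ** sum(1 for c in phrase if c.lower() in LEET)


def generate_password(length: int = 16) -> str:
    """Random password using every class, drawn from the OS CSPRNG, the way a
    password manager's generator works. Guarantees at least one character
    from each class so charset_size() returns the full 94-symbol alphabet."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]
    everything = "".join(classes)
    chars += [secrets.choice(everything) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for pw in ("password", "Hid8&^dghjkI!2#23", "IHave2DogsNamedBuddy&Ginger!"):
        print(f"{pw!r}: {brute_force_guesses(pw):.3e} guesses, "
              f"{crack_seconds(pw) / year:.3e} years at the assumed rate")
    phrase = "IHave2DogsNamedBuddy&Ginger!"
    print("leet variants a cracker must try:", leet_variant_count(phrase))
    print("factor gained by 3 extra random characters:", added_length_factor(3))
    print("manager-style password:", generate_password(20))
```

The comparison that matters is the last two printed numbers: the 28-character passphrase has only 256 leet spellings, so a cracker with that phrase in a wordlist adds almost no work by trying them, while three extra random characters multiply the search space by 94 cubed, about 830,000.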

Victory Is Yours!

-- By Haree Lim, Pitt IT Student Blogger