73% of users have the same password for multiple sites, 33% use the same password every time!

Every extra character in your password increases the difficulty for hackers to crack it!

Multi-factor authentication adds an extra layer of security that is difficult for hackers to crack!

Secure passwords are part of HIPAA privacy compliance!

What can happen to my password if it is stolen? Once an attack has happened and the criminal has your data, he or she likely runs through the following steps, which we like to call “A Hacker’s Post-Breach Checklist.” The hacker will:
  • Inventory the stolen data: Hackers will look through the stolen data files for authentication credentials, personal information like names, addresses and phone numbers, and financial information like credit card details.
  • Sell personal information: Next, the hacker will package up personal information like names, addresses, phone numbers, and email addresses and sell it, typically in bulk. This data is more valuable the more recent it is. According to Quartz, a full set of someone’s personal information including identification number, address, birthdate, and possibly credit card info costs between $1 and $450, with a median cost of $21.35.
  • Look for the good stuff: Hackers will then inventory authentication credentials further and look for potentially lucrative accounts. Government and military addresses are very valuable, as are company email addresses and passwords for large corporations. Since people often reuse their passwords, hackers can often use credentials for military or corporate accounts to target other companies. For example, Dropbox was breached in 2012 using credentials stolen in the LinkedIn data breach earlier that year. A hacker may plan such an attack personally, or may sell the credentials to others on the dark web for a much higher price.
  • Offload the cards: Financial information like credit card numbers is packaged and sold in bundles. An individual with the right knowledge could easily buy credit card information in groups of ten or a hundred. Usually a “broker” buys the card information, then sells it to a “carder” who goes through a shell game of purchases to avoid being detected. First the carders use the stolen credit cards to buy gift cards to stores or to Amazon.com, then use those cards to buy physical items. The carder may then sell the electronics through legitimate channels like eBay, or through an underground dark web site.
  • Sell in bulk: After several months, the hacker will bundle up authentication credentials and sell them in bulk at a discounted price. By now, most of the credentials are worthless since the company has most likely discovered the breach and taken steps to repair it. For example, a database containing the entire LinkedIn credentials dump is still available.
 
How to Create Strong Passwords    
Why are strong passwords needed?    
Good computer security includes the use of strong passwords for all your accounts. Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful. Network passwords that once took weeks to break can now be broken in hours.  
Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it still can take months to crack a strong password.  
   
For a password to be strong and hard to break, it should:

  • Contain 6 or more characters
  • Contain characters from each of the following three groups:
      Letters (uppercase and lowercase): A, B, C, ...; a, b, c, ...
      Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
      Symbols (all characters not defined as letters or numerals): ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
  • Have at least one symbol character in the second through sixth positions.
  • Be significantly different from prior passwords.
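The rule list above written out as a checker, added here as an example (it is not code from the page or its sources). The page gives no metric for "significantly different", so this example assumes a difflib similarity ratio below 0.6 against every prior password.

```python
"""Checks a candidate password against the strength rules listed above.

Assumption (not on the page): "significantly different from prior passwords" is
measured with difflib; a similarity ratio of 0.6 or more to any prior password fails.
"""
import difflib

MIN_LENGTH = 6
MAX_SIMILARITY = 0.6  # assumed threshold; the page only says "significantly different"


def is_symbol(ch):
    # The page defines a symbol as any character that is not a letter or a numeral.
    return not ch.isalnum()


def check_password(password, prior_passwords=()):
    """Return the list of rule names the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.isalpha() for c in password):
        failures.append("no_letter")
    if not any(c.isdigit() for c in password):
        failures.append("no_numeral")
    if not any(is_symbol(c) for c in password):
        failures.append("no_symbol")
    # Positions 2 through 6 are indexes 1..5; a symbol only at the start or end fails.
    if not any(is_symbol(c) for c in password[1:6]):
        failures.append("no_symbol_in_positions_2_to_6")
    for old in prior_passwords:
        ratio = difflib.SequenceMatcher(None, password.lower(), old.lower()).ratio()
        if ratio >= MAX_SIMILARITY:
            failures.append("too_similar_to_prior")
            break
    return failures
```

Note that "h6!r$q" clears every rule here, which is exactly why the DON'T list further down adds a separate warning about short passwords.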
 
   
Try to change your password(s) every 6 months.    
When typing in your password, make sure no one is watching you type. Ask anyone around you to kindly look away.  
     

Mark Laliberte, WatchGuard’s own Information Security Threat Analyst, says:

“Hackers will often start by selling data on military or government accounts. People are also bad at choosing passwords for individual services and often reuse passwords, which lets hackers try those passwords on the other websites their victims use.”

 

Password reuse, like what Mark is describing above, can create opportunities for more breaches. For example, Dropbox was breached in 2012 because a Dropbox employee’s Expedia password was stolen in a separate data breach and they reused that password for their work account.

 

A strong password policy doesn’t need to be the only line of defense to your systems and network. Adding multi-factor authentication creates multiple layers of security to protect users and resources.

 
     

What can you do to protect yourself?

   

Good passwords are critical to information security. Lack of thought in creating password policies increases the chances of unauthorized access or compromised data. The SANS Institute recommends that a strong password policy include the following characteristics:

  • Contain a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
  • Contain at least 15 characters.
  • Be unique from other accounts owned by the user.
  • Never include dictionary words.
  • Never include patterns of characters.
  • Go even further in your password policy by encouraging the use of passphrases, which combine a phrase with the strong password guidelines to make passwords even harder to compromise.
  • For example: the phrase “iced tea is great for summer” becomes “!cedTisgr84$umm3R”.
   
     

The easiest solution - use a password safe

   

Password safes store your passwords securely, allowing you to keep the information on your personal computer without inadvertently giving away private information. They can also generate random passwords for each of your accounts. These password safes store all of your passwords in a single account, which has a master password you need to remember. This allows you to use truly random combinations in all of your other passwords, making them much harder for malicious users or bots to crack. Two examples of such services are LastPass and Password Gorilla.

 
     
Change your Passwords Regularly!
The RIT Password Standard requires passwords to be changed annually. In addition, passwords should be changed:
  • Whenever a malicious program such as a virus is detected or a machine is compromised in some way.
  • If there is a job change (job is completed, job is terminated, or a job transfer changes the need for access).
  • From any default passwords.
  • If they are shared with anyone other than the authorized user(s).
 
     
Don't use your username or any part thereof:
These are the don'ts!
  • Name(s) of yourself, family, friends, pets, or co-workers
  • Computer terms and names, commands, sites, companies, hardware, or software
  • Birthdays or other personal information such as addresses or phone numbers
  • A set of characters in alphabetic or numeric order (ex. abcdef), in a row on a keyboard (ex. qwerty), or a simple pattern (ex. 123123)
  • Words that can be found in a dictionary
  • Your UCLA ID number, a bank account PIN, credit card number, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (ex. qwerty1, 1qwerty)
 
     
DON’T Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all. (Some systems will not let you reuse passwords.)  
DON’T Use a dictionary word as your password. If you must, then string several together into a pass phrase.  
DON’T Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.  
DON’T Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.  
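A screen that applies the don'ts list above together with the DON'T rule on standard number substitutions, added here as an example (not code from UCLA, SANS or any other source quoted on the page). The word list and the personal details (username jsmith, the names, the pet and the phone number) are constructed stand-ins; a real deployment would load the organisation's word list and the user's own profile.

```python
import string

# Standard substitutions that cracking tools already have built in (the page's "P455w0rd" point).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed stand-ins for a real word list and for the user's own details.
DICTIONARY = {"password", "welcome", "letmein", "monkey"}
PERSONAL = {"jsmith", "john", "smith", "rover", "5551234"}   # username, names, pet, phone


def variants(password):
    """Forms the don'ts treat as equivalent to the plain word: reversed, digits stripped
    from either end, and with standard substitutions undone. Stripping removes every
    leading/trailing digit, which is stricter than the single digit the list mentions."""
    raw = password.lower()
    forms = set()
    for form in (raw, raw[::-1]):
        for trimmed in (form, form.lstrip(string.digits), form.rstrip(string.digits)):
            forms.add(trimmed)
            forms.add(trimmed.translate(LEET))
    forms.discard("")
    return forms


def is_sequence(s):
    """Alphabetic or numeric runs (abcdef), keyboard rows (qwerty) in either direction,
    and simple repeated blocks (123123)."""
    if len(s) < 3:
        return False
    for row in [string.ascii_lowercase, string.digits] + KEYBOARD_ROWS:
        if s in row or s in row[::-1]:
            return True
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s == s[:size] * (len(s) // size):
            return True
    return False


def screen(password, dictionary=DICTIONARY, personal=PERSONAL):
    """Return the sorted list of don'ts the candidate violates; empty means it clears them."""
    reasons = set()
    for form in variants(password):
        if form in dictionary:
            reasons.add("dictionary_word")
        # "username or any part thereof": the form contains a personal term or is part of one.
        if len(form) >= 3 and any(term in form or form in term for term in personal):
            reasons.add("personal_info")
        if is_sequence(form):
            reasons.add("sequence_or_pattern")
    return sorted(reasons)
```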