Using Linguistic Phonetics for Secure Passwords

Video: Using Linguistic Phonetics for Secure Passwords

Secure Passwords and Linguistic Phonetics

Armed with a little linguistic phonetics you can create long, secure passwords. Passwords built this way meet the length requirements of the common cybersecurity frameworks, and they are easy to remember without writing them down.

The Human Condition

We first looked at the “human condition”: what a person can recall, how, and how many phonetic segments. The answer turned out to be seven. The method described in the video above uses only five segments, which yields a password of roughly 20 to 25 characters. That is a big win.

Human Memory

Short-term memory lasts for seconds to hours. Long-term memory lasts for up to years. Working memory lets us hold something in mind by rehearsing it over and over.

For this use case we want the password to enter non-declarative, or implicit, memory, where it can be recalled with little conscious thought. This is akin to muscle memory.

Some Password Requirements Make Matters Worse

NIST has found that composition rules, the requirement to mix upper and lower case, numbers and symbols, make matters worse. How so? Users faced with these rules simply substitute look-alike characters for letters, replacing the letter “E” with the number “3” or the letter “I” with the number “1”, and password-cracking tools already apply exactly these substitutions.

Mandatory periodic password changes also make matters worse. A 90 day reset interval is a typical requirement, and it pushes users toward simple, predictable passwords, chosen with the knowledge that they will have to be replaced shortly anyway.

NIST dropped both requirements in SP 800-63B: composition rules and periodic rotation are no longer recommended, and a change should be forced only when there is evidence that the password has been compromised.

Screening Passwords

NIST recommends screening new passwords against lists of passwords exposed in known breaches. A word of caution, though: a website that offers to screen a password may very well be collecting the passwords submitted to it. Only submit a password you have already retired, to check whether it was part of a breach, or use a service that implements k-anonymity, where the client sends only the first five hex characters of the password’s SHA-1 hash and compares the returned suffixes locally, so the password itself never leaves your machine.
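The k-anonymity check described above, as an added example that is not code from the article. It follows the range-query shape used by Have I Been Pwned (query by the first five hex characters of the SHA-1 hash, answer as “SUFFIX:COUNT” lines), but the breach corpus and the server function below are constructed stand-ins, not real breach data or a real endpoint.

```python
"""Breach screening with k-anonymity: the password never leaves the client.

Added example, not code from the original article. The breach corpus and the
server below are constructed stand-ins (assumptions for this demonstration).
"""
import hashlib

# Constructed stand-in for a leaked-password corpus with occurrence counts.
BREACHED_PASSWORDS = {"password": 1000, "123456": 5000, "letmein": 7}

QUERY_LOG = []  # records exactly what the client sent to the "server"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Stand-in for the remote range endpoint: every breached hash that begins
    with `prefix`, returned without the prefix, one "SUFFIX:COUNT" per line."""
    QUERY_LOG.append(prefix)
    lines = []
    for pw, count in BREACHED_PASSWORDS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> dict:
    """Parse "SUFFIX:COUNT" lines into {suffix: count}; tolerate blank lines."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch=fake_range_server) -> int:
    """How many times `password` appears in the corpus (0 if never).

    Only the first five hex characters of the hash (20 bits) are sent; the
    remaining 35 characters are compared locally, so the server learns
    neither the password nor its full hash. Pass a real HTTP fetch as
    `fetch` to query a live range endpoint.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    matches = parse_range_response(fetch(prefix))
    return matches.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ["password", "Flen4Stru#Bai9Trom!Kepz"]:
        n = breach_count(candidate)
        print(f"{candidate!r}: {'BREACHED' if n else 'not found'} ({n} occurrences)")
    print("sent to server:", QUERY_LOG)
```

The server sees only a 5-character prefix shared by roughly one in a million hashes, which is why a retired password (or even a live one) can be screened this way without the screening service ever learning it.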

Use Phonetic Segments to Create Secure Passwords

Rather than relying on a screening website, generate the password from phonetic segments. The number of possible segment combinations makes it very unlikely that the result already appears in any breach list, and because it contains no dictionary words, a dictionary attack will not recover it. Its strength against brute force comes from its length.

What does a password generated from phonetic segments look like? We created one below. Take a look and take note of the segments.

Secure Passwords
A Secure Password Using Phonetic Segments
  • 5 phonetic segments;
  • 24 characters!;
  • No dictionary words;
  • No comparative character to number replacements;
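An added example, not the article’s own generator or segment inventory, that builds a five-segment password in the 20 to 25 character window and, more usefully, estimates its strength from the generation process rather than from its character count. The onset/nucleus/coda tables and the separator set are assumptions chosen for this demonstration; separators are placed between segments and are never look-alike substitutions.

```python
"""Phonetic-segment password generator with an honest entropy estimate.

Added example, not the article's method: the onset/nucleus/coda inventory and
the separator set are assumptions chosen for this demonstration.
"""
import math
import re
import secrets

# Building blocks for one pronounceable segment: onset + nucleus + coda.
ONSETS = ["b", "br", "d", "dr", "f", "fl", "g", "gr", "k", "kl",
          "m", "n", "p", "pr", "r", "s", "st", "t", "tr", "v", "z"]   # 21 choices
NUCLEI = ["a", "e", "i", "o", "u", "ai", "ei", "ou", "oo"]            # 9 choices
CODAS = ["", "k", "l", "m", "n", "r", "s", "t", "st", "nd", "lk"]     # 11 choices
# Separators go *between* segments; none of them replaces a letter.
SEPARATORS = "0123456789!@#$%&*+-=?"                                  # 21 choices


def make_segment(rng) -> str:
    """One capitalised segment such as 'Stond' or 'Kai' (2 to 6 letters)."""
    return (rng.choice(ONSETS) + rng.choice(NUCLEI) + rng.choice(CODAS)).capitalize()


def phonetic_password(segments=5, min_len=20, max_len=25, rng=None) -> str:
    """Join random segments with random separators; retry until the total
    length lands in [min_len, max_len]."""
    rng = rng or secrets.SystemRandom()  # CSPRNG, never the `random` module
    for _ in range(1000):
        parts = [make_segment(rng) for _ in range(segments)]
        seps = [rng.choice(SEPARATORS) for _ in range(segments - 1)]
        pw = parts[0] + "".join(s + p for s, p in zip(seps, parts[1:]))
        if min_len <= len(pw) <= max_len:
            return pw
    raise RuntimeError("length window too narrow for the chosen segment count")


def split_segments(password: str) -> list:
    """Recover the segments by splitting on the separator set."""
    return re.split("[" + re.escape(SEPARATORS) + "]", password)


def entropy_bits(segments=5) -> float:
    """Entropy of the generation process, before the length filter (which
    only lowers it slightly): about 11 bits per segment plus 4.4 per separator."""
    per_segment = math.log2(len(ONSETS) * len(NUCLEI) * len(CODAS))
    per_separator = math.log2(len(SEPARATORS))
    return segments * per_segment + (segments - 1) * per_separator


def naive_entropy_bits(password: str, alphabet_size=95) -> float:
    """What a length-times-charset strength meter would claim for the string."""
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = phonetic_password()
    print(pw, "->", split_segments(pw))
    print(f"process entropy: {entropy_bits():.1f} bits")
    print(f"naive meter:     {naive_entropy_bits(pw):.1f} bits (overstated)")
```

The practitioner’s check is the last two lines: a 24-character output of this generator carries about 73 bits from the process that produced it, not the roughly 158 bits a character-count meter would report, because an attacker who knows the segment structure only has to search the segment space. That is still far beyond any wordlist, and it is the length that keeps it there; adding segments (or a larger inventory) raises the figure, while look-alike substitutions would not.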

A Secure Password Strategy

  • Screen only retired passwords. Cyber-criminals maintain dictionaries of known passwords; verify that an old password has not been exposed in a breach;
  • Set password expiration to yearly. Do not force a 90 day reset interval;
  • Do not use dictionary passwords;
  • Your password should be unique for each platform, service, or account;
  • Use a secure and encrypted open-source password manager to keep track of your passwords;
  • Never accept a browser’s offer to remember your password;
  • Target a password of at least 20 characters;
    • Linguistic phonetics makes long passwords achievable. Combine phonetic segments with numbers or symbols that are not look-alike substitutions to produce a long, complex, and secure password;
    • A human can easily remember 5 phonetic segments. This results in 20 characters or more;
    • 7 phonetic segments is typically the maximum a human can remember.
  • Allow 10 attempts before locking the account and/or forcing a password reset;
  • Password hints and security questions should not be used. They are typically too easy to guess;
  • One-time passwords sent over SMS are not recommended. Use an authenticator application instead.
