Secure Passwords and Linguistic Phonetics
Armed with knowledge of linguistic phonetics you'll be able to create lengthy, secure passwords that satisfy the password requirements of the common cybersecurity frameworks. The same approach also lets you remember the password easily without having to write it down.
The Human Condition
We first took a look at the "human condition". We wanted to know what phonetic segments a human can recall, how they recall them, and how many. It turned out that the number was seven. However, the methodology described in the video above makes use of five phonetic segments. Five allows a password length anywhere between 20 and 25 characters. That's a big win!
Short-term memory lasts for seconds to hours. Long-term memory lasts for up to years. Working memory allows us to keep something in mind by repeating it over and over.
In this use case we want our passwords to enter what is called non-declarative, or implicit, memory. Here we can recall something without much thought. This is akin to muscle memory.
Some Password Requirements Make Matters Worse
NIST has noted that the algorithmic complexity rules imposed on passwords are making matters worse. How so? Users who are required to apply a mix of characters, case, numbers and symbols merely replace letters with their look-alike counterparts. An example would be replacing the letter "E" with the number "3" or replacing the letter "I" with the number "1".
Mandatory password reset intervals also make matters worse. The 90-day interval is a typical requirement. It forces users to create simple and insecure passwords, because they know they will have to change them again in a relatively short amount of time.
NIST has thrown out these two requirements.
NIST recommends screening your passwords. However, we need to express a level of caution here. A website that allows you to screen a password against a list of known breached accounts may very well be collecting the password you are attempting to screen. If you do screen a password, do it only to check whether a password you once used was part of a breach.
Use Phonetic Segments to Create Secure Passwords
Rather than relying on a screening website, generate a password using phonetic segments. You may assume that your password is unique given the level of complexity that is inherent in the use of phonetic segments. No dictionary attack will defeat your password.
What is an example of a password generated with phonetic segments? We've created one below. Take a look and take note of the segments:
- 5 phonetic segments;
- 24 characters;
- no dictionary words;
- no look-alike character-to-number replacements.
A Secure Password Strategy
- Use password screening technology only against a password you have already retired. Cyber-criminals maintain dictionaries of known passwords. Verify that your old password has not been exposed in a breach;
- Expire passwords yearly. Do not force the 90-day reset interval;
- Do not use dictionary passwords;
- Your password should be unique for each platform, service, or account;
- Use a secure and encrypted open-source password manager to keep track of your passwords;
- Never accept when your browser(s) offer to remember your password;
- Target implementing a password with at least 20 characters;
- Achieving lengthy passwords can be done by using linguistic phonetics. Always consider incorporating phonetic segments and non-look-alike alternative characters, such as numbers or symbols, to generate a lengthy, complex, and secure password;
- A human can easily remember 5 phonetic segments. This will result in 20 characters or more;
- 7 phonetic segments is typically the maximum a human can remember;
- Allow for 10 attempts before locking out an account and/or forcing a password reset;
- Password hints or security questions should not be used. They are typically too easy to guess;
- One-time passwords sent over SMS are not recommended. Use an authenticator application.
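The criteria above (at least 20 characters, about five phonetic segments, no dictionary words, no look-alike digit or symbol substitutions) can be enforced on the server side. The policy checker below is an added example, not code from the article: the word list is a constructed stand-in for a real dictionary or breach list, and counting vowel runs as phonetic segments is an approximation of syllables.

```python
import re

# Constructed mini word list for the demo; a real check would load a full
# dictionary / breached-password list (assumption, not from the article).
DICTIONARY = {"password", "welcome", "summer", "dragon", "secure", "monkey"}

# Look-alike substitutions the article warns about (E->3, I->1, ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 20    # article: target at least 20 characters
MIN_SEGMENTS = 5   # article: five phonetic segments

def undo_substitutions(password: str) -> str:
    """Lowercase and map look-alike digits/symbols back to letters."""
    return password.lower().translate(LEET)

def count_segments(password: str) -> int:
    """Approximate phonetic segments as vowel runs in the letters-only,
    de-substituted form (a syllable heuristic; assumption)."""
    letters = re.sub(r"[^a-z]+", " ", undo_substitutions(password))
    return len(re.findall(r"[aeiouy]+", letters))

def find_dictionary_words(password: str, words=DICTIONARY) -> list:
    """Return (word, disguised) pairs; disguised=True when the word only
    shows up after the look-alike substitutions are undone."""
    raw, plain = password.lower(), undo_substitutions(password)
    hits = []
    for w in sorted(words):
        if w in raw:
            hits.append((w, False))
        elif w in plain:
            hits.append((w, True))
    return hits

def check_password(password: str, words=DICTIONARY) -> list:
    """Return policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short: {len(password)} < {MIN_LENGTH}")
    seg = count_segments(password)
    if seg < MIN_SEGMENTS:
        findings.append(f"only {seg} phonetic segments, need {MIN_SEGMENTS}")
    for word, disguised in find_dictionary_words(password, words):
        how = "via digit/symbol substitution" if disguised else "verbatim"
        findings.append(f"dictionary word '{word}' present {how}")
    return findings

if __name__ == "__main__":
    for pw in ("Dragon3", "P@ssw0rd2024!Summer3r", "Vrantok7Elmish-Quabdor_Zinep!"):
        print(pw, "->", check_password(pw) or "OK")
```

The second sample shows why undoing substitutions matters: "P@ssw0rd" passes naive complexity rules but is still the dictionary word "password" once the look-alike characters are mapped back.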