FBI Portland
Beth Anne Steele
(503) 460-8099
February 20, 2018

FBI Tech Tuesday: Building a Digital Defense with Robust Passwords

Welcome to the Oregon FBI’s Tech Tuesday segment. This week, building a digital defense with strong passwords.

If you are like most of the rest of us, remembering the 50,000 passwords you are required to use each day can be overwhelming. So overwhelming, in fact, that many people just use the same password—or a variation of one—over and over again. No matter how many special characters, numbers, and capital letters you put into it, it is still the same password over and over again.

The people at the National Institute of Standards and Technology, an agency within the U.S. Department of Commerce, say that’s not good enough. According to NIST researchers, more than 80% of hacking-related breaches used stolen or weak passwords.

Using the same few passwords over multiple platforms, apps, websites, and the like is dangerous. Even when you are required to change the password every 90 or 120 days, that’s usually not much help because most people just change a single character or add a number at the end of the old password.

So, what does NIST recommend now? According to those government researchers:

Your password needs to be at least eight characters, but generally the longer the better. They suggest using passphrases, not single words. For instance, think of a crazy picture in your head such as “purple cows swim with bananas”. You now have a 25-character password that is much stronger than a six-character password with special symbols, numbers, and capitals. And, as a bonus, you are more likely to remember it. Easier for you—harder for hackers.

Focus on your most important accounts—such as your e-mail and bank accounts. Give each of these a unique passphrase.

Don't rely on passwords alone. Two-factor authentication is your friend. This requires something you know, like a password, PLUS something you get, like a randomly generated PIN or code sent to your phone or hard token. If you can set one up on any particular account, do so.

Don't want to deal with any of this? Consider using a reputable password manager. That’s software or an app that generates unique passwords for every one of your accounts.

In the end, remember that there is no perfect system, but there are simple things you can do to make it more difficult for hackers to enter your virtual home.

If you have been victimized by an online scam, be sure to report it to the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your local FBI office.