FBI Portland
Beth Anne Steele
(503) 460-8099
January 19, 2021

Oregon FBI Tech Tuesday: Building a Digital Defense with Strong Passphrases

Welcome to the Oregon FBI’s Tech Tuesday segment. Today: Building a digital defense with smart passwords and passphrases.

Last week, we talked about how bad actors are using stolen email passwords to gain access to smart home devices—think of items such as surveillance cameras and internet-connected doorbells. They are using that access to make 911 calls to law enforcement, resulting in a mass response—including SWAT teams. The best way to protect yourself is to use complex passwords or passphrases for online accounts, and don’t reuse passwords across different accounts.

The start of the new year is a great time to look at the passwords you use and make some easy—but consequential—changes.

Rule number 1 – Make sure, at the very least, that your email, financial, and health accounts all have unique passwords or passphrases.

Rule number 2 – Make sure your password or passphrase is as long as the system will allow.

Rule number 3 – Creating new passwords doesn’t have to be super complicated… just make sure they are complex. One easy way to do that is to create a passphrase. Pick a string of words that only you would associate with each other.

For instance, picture a scene that is unique to you, such as your backyard, and put those thoughts together. “Broken oak tree with fence needing staining overcome by snails and moss” can become “brokenoakstainsnailsmoss”. That’s 24 characters. Add in a capital, special character, and a number and you just made your passphrase even stronger, but still easy to remember: “Brokenoak$tainsnailsmo55”.

Make sure you avoid well known strings of words that other people would put together—such as the colors of the rainbow or the name of a popular book.
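As an added illustration (not part of the FBI's release), the short Python script below checks a set of passphrases against rules 1 through 3: length, well-known word strings, and reuse across accounts. The 16-character minimum, the well-known list, the character-swap table, and every account name and passphrase are assumptions constructed for this example. It treats simple character swaps as the same phrase when looking for reuse.

```python
# Added example: audit passphrases against rules 1-3. All data here is constructed.

# Assumed table of common character swaps, folded back before comparing phrases.
LEET = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "l",
                      "3": "e", "4": "a", "@": "a", "7": "t"})
# Constructed stand-ins for "well known strings of words" (rainbow colors, a book title).
WELL_KNOWN = ("redorangeyellowgreenblueindigoviolet", "thecatinthehat")
MIN_LENGTH = 16  # assumption; the page only says "as long as the system will allow"


def normalize(phrase):
    """Lower-case, undo simple character swaps, and drop punctuation."""
    folded = phrase.lower().translate(LEET)
    return "".join(ch for ch in folded if ch.isalnum())


def audit(accounts):
    """Return {account: [findings]} for a dict of account -> passphrase."""
    findings = {name: [] for name in accounts}
    groups = {}  # normalized phrase -> accounts using it
    for name, phrase in accounts.items():
        if len(phrase) < MIN_LENGTH:
            findings[name].append("too short")
        norm = normalize(phrase)
        if any(known in norm for known in WELL_KNOWN):
            findings[name].append("well-known word string")
        groups.setdefault(norm, []).append(name)
    # Rule 1: a phrase shared by two accounts is reuse, even with swapped characters.
    for names in groups.values():
        for name in names:
            others = [n for n in names if n != name]
            if others:
                findings[name].append("reused with " + ", ".join(others))
    return findings


# Constructed sample accounts; the first two phrases are the page's own examples.
SAMPLE = {
    "email": "Brokenoak$tainsnailsmo55",
    "bank": "brokenoakstainsnailsmoss",
    "health": "R3dOrangeYellowGreenBlueIndigoViolet!",
    "forum": "Summer2021",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE).items():
        print(account, issues or ["ok"])
```
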

Rule number 4 – A password or passphrase is only the first piece of what’s called multi-factor authentication (or MFA). To keep yourself safe, you need at least two—preferably more—pieces to that MFA puzzle. Here’s an easy way to remember what multi-factor authentication includes:

  • Something you know (passphrase or password)
  • Something you have (such as a randomly-generated PIN texted to your phone)
  • Something you are (such as face or fingerprint imaging)

Finally, consider using a reputable password manager. A manager is a program that saves all of your passwords locally or in a cloud vault, and all you have to remember is that one, very complex master passphrase. As with everything, there are no guarantees of 100% safety, but the more roadblocks you can build, the safer you likely will be.

If you believe your email or other smart device credentials have been compromised, you should report the incident to the FBI’s Internet Crime Center at www.ic3.gov or call your local FBI office.