Cybersecurity Expert, Chief Information Security Officer (CISO), and Certified Information Systems Auditor (CISA)

"Speed and simplicity: these are the keywords to overcome the enemy."

IT Security: Passwords FAQs

How do you create secure passwords that are really capable of protecting sensitive business information? Here are the factors to consider before choosing your own access keys: fundamental elements that, if used properly, can guarantee the highest desirable level of protection.

Password encryption

When the primary goal is to pursue corporate IT security, it is necessary to know the details of the password encryption function.

In general terms, it is enough to know that trusted sites usually do not store passwords as they are typed: they transform them with a one-way process (hashing) that turns them into strings with no apparent logical sense. When the user logs in, the system transforms the submitted password in the same way and compares the result with the stored value in order to recognize it.

If a server is hacked, the file containing these encrypted codes can be downloaded. Using special tools, attackers are able to trace the original passwords: the programs encrypt a long list of words in the same way and then compare the results with the list of downloaded codes.

The word lists used by such software are taken from multilingual dictionaries or other lists of names, TV programs, songs, movies, etc., and the tools automatically test combinations and variations of the terms in the lists (uppercase and lowercase, plurals, numbers or symbols added before and after the words, etc.), exploiting the ability of modern PCs to test millions of combinations per second.

Complexity and password length

Since mixing upper case, lower case, numbers, and symbols in your passwords forces attackers to try an exponentially larger number of combinations before reaching the correct one, anyone wishing to protect corporate IT security should at least create codes that are as complex and improbable as possible.

In addition to complexity, however, the length of access keys plays a key role: the shorter the secret combination, the sooner it is exposed by attackers. To obtain a good level of protection, you must choose passwords of at least 10 characters and add an additional character each year.

Another good piece of advice for generating a strong password is to take the first letters of a meaningful phrase and add the initials of the site where the code will be used for logging in, plus any extra symbols. For example, from the phrase "It's getting darker before dawn," Iigdbd is extracted. These letters can then be joined to "eb" (if the site to access is Ebay) and ##. Result: Iigdbdeb##.
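As an added illustration of the two points above (the one-way transformation and comparison at login, and why length and character mix matter), the following example is not part of the original post. It estimates the search space of a password at an assumed rate of 10 million guesses per second, and shows the hash-and-compare flow using PBKDF2 with a random salt; the salt, the iteration count and the 32-symbol alphabet are assumptions, not values from the text.

```python
import hashlib
import hmac
import math
import os

# Alphabet sizes per character class (32 printable symbols is an assumption).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
GUESSES_PER_SECOND = 10_000_000  # assumed attacker rate ("millions per second")


def charset_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search over this alphabet and length must cover."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate, in years, at the given guess rate."""
    return search_space(password) / rate / (365 * 24 * 3600)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """One-way transform: PBKDF2-HMAC-SHA256 with a per-password random salt."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-run the same transform on the submitted password and compare digests."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for pw in ("password", "Iigdbdeb##"):  # second one built as in the text above
        print(f"{pw!r}: {search_space(pw):.3e} candidates, "
              f"{years_to_exhaust(pw):.4f} years to exhaust")
```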

If possible, also choose passwords that are easy to type on all your devices (computers, smartphones, and tablets).

Different passwords

Since we are explaining how to create secure passwords, in addition to what has been said above (creating codes of a certain length and mixing letters, numbers, and symbols), it is also advisable to use different access keys for each service (email, home banking, website accounts, etc.).

Of course, banking portals and similar platforms provide a good level of security, but if the passwords used within such systems are also reused elsewhere, they become vulnerable all the same.

Password Management

Now that I've provided some useful tips for creating reasonably safe codes, I'll spend a few more words explaining how to handle your passwords over time:

  1. Use a password manager to manage your secret codes: an extremely useful tool that stores the keys and fills them in automatically, so you do not have to type them on the keyboard all the time. Choose one by comparing functionality and user reviews.
  2. Warning: before deciding what to install, make sure that the selected version supports both desktop and mobile operating systems.
  3. Modify your codes periodically (once a year can be enough for private passwords, but when it comes to corporate passwords, it's best to change them more frequently).
  4. If it is necessary to keep a file containing the updated passwords, hide it in a secret location that no one else can ever access.
  5. Create a list of the sites whose access keys you need to change (change them all together so you do not forget any of them).
  6. Unless you work alone, set up a policy for managing and updating your corporate passwords.

These are my tips to ensure corporate IT security: simple but effective tips to put in place every day to protect sensitive business data.

John Giordani