Everything requires a password, passcode, PIN, secret question, or some other private thing you need to remember to get into your many different accounts. Coming up with a unique, secure password on the fly that is long, includes capital and lowercase letters, numbers, symbols, and signing your soul over to the devil can be difficult! Password hygiene has come a long way, in the sense that most services won’t let you finish creating an account without meeting certain password requirements.
Many people with an interest in personal password security are probably also familiar with the popular XKCD comic, Password Strength.
So companies force us to use secure passwords, and we know our passwords shouldn’t be easy to guess. What I’ve noticed is that the general public makes an absolutely GREAT, secure password, and then uses that password EVERYWHERE. This defeats the purpose of a secure password: the moment one site leaks it, every other account that shares it is exposed.
Your best friend comes to you about her accounts continuing to be hacked: everything from her Instagram and Twitter to her online banking and investment funds.
Let’s look at the D.U.C. Model again: Discuss, Understand, Customize.
D for Discuss: Your friend claims that she has a decently secure password. It’s over 15 characters, a good mix of upper and lowercase letters, a number or two, and even a special character. You’re proud of her for having such a great password, but why is it failing her? Some more questioning shows that she uses this one password EVERYWHERE: any account, service, or product that requires a password gets this single password.
U for Understand: While your friend knew how to create a great password, she didn’t know that she needed to do this for every account to stay secure. This is most likely a misunderstanding or miscommunication on the part of whoever originally taught her how to develop proper passwords. The missing piece is that a password is only as safe as the weakest site it is used on: when any one of those services suffers a breach, attackers take the leaked email and password pairs and try them on every other popular site (credential stuffing), which is exactly how a bank account gets “hacked” with a strong password. You can show her this by running her email address, and separately her password, through a breach database such as Have I Been Pwned. (The Pwned Passwords search is built so the full password never leaves her browser; only the first five characters of its SHA-1 hash are sent.) If she gets a hit, she’ll know that one single good security move is not enough to be genuinely secure.
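The Have I Been Pwned check described above can also be done without a browser, using the public Pwned Passwords “range” API, which is what makes the lookup safe to perform: you hash the password with SHA-1, send only the first five hex characters of the hash, and receive every matching hash suffix with its breach count, so the password itself (and even its full hash) is never disclosed. The script below is an added example, not part of the original post or of the Have I Been Pwned project. The API shape and the prefix of SHA-1("password") are real; the response body, its counts, and the other suffixes in it are constructed so the example runs offline, and the User-Agent string is an arbitrary assumption.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response (NOT real data).
# The real API returns one "<35-hex-char SHA-1 suffix>:<count>" line per known
# hash whose first five hex characters match the requested prefix.
# "5BAA6" is the real prefix of SHA-1("password"); the counts and the other two
# suffixes here are made up for the example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "20CEBDE49A7C4BDBE0C7E1F4D8B2A1A1A1A:12\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse '<suffix>:<count>' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 = no hit).
    Only the hash prefix reaches range_lookup; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_range_lookup(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (needs network; not used by default)."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-reuse-demo"},  # assumed identifier
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap offline_range_lookup for live_range_lookup to query the real service.
    for candidate in ("password", "correct horse battery staple"):
        hits = breach_count(candidate, offline_range_lookup)
        verdict = f"seen {hits} times in breaches" if hits else "no hit in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

A non-zero count means the exact password is already in attackers’ wordlists, and any account that shares it should be considered exposed, regardless of how long or complex it is. A zero result only means it is not in the corpus checked; it does not make reuse safe.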
C for Customize: Now that you’ve had to scare your friend a bit, you get to teach her how to do a better job next time! If she got a hit on Have I Been Pwned, go to every one of those compromised accounts, and every other account where that same password was reused, and change each to a new, unique, secure password (a password manager makes this practical). You can also teach her the “Passwords are like underwear” guidelines.
“Passwords are like underwear. You should change them often (okay, maybe not every day). Don’t share them. Don’t leave them out for others to see (no sticky notes!). Oh, and they should be sexy. Wait, sorry, I mean they should be mysterious. In other words, make your password a total mystery to others.”
– Eric Griffin