Cracking the Password Code…So Hackers Can’t Crack Yours

Remember the sound of Charlie Brown’s teacher’s voice from Peanuts? If you concentrate hard enough, you can hear that “wah wah wah” all over again. Is that the same thing you hear when people start talking about passwords as well? It’s been drilled into our heads and discussed so many times, many of us probably tune out the voice and hear only the “wah wah wah,” causing us to miss important information about password management.

Not to sound like a broken record (or a mysterious cartoon teacher we never see), but password management really IS important. Especially so with the rise of cybercrime, data breaches and hacking schemes in the past few years. And let’s not fail to mention all the scams recently triggered by the Coronavirus. Quite frankly, a world in panic is nothing more than a pristine opportunity for fraudster foes to attack.

But in all the “wah wah wah,” what are the important pieces of information? What will actually help you achieve password royalty that even hackers have trouble cracking? Here are six ways YOU can crack the password code and build a better defense against hacking:

1. Build a GOOD password.

We all know there are a lot of “rules” to good passwords. It goes without saying that a word that is obvious and too simplistic – aka, your kids’ or pets’ names, adjacent keyboard strings (asdfg or 12345) and the old reliable “password” – does not a good password make. That’s easy fodder for the sophisticated hackers of today. Instead, it’s advisable to use a passphrase.

A passphrase is more intricate than just a word with some numbers thrown on the end. It evokes a complete thought that might just be easier to conjure up in your mind when it’s time to log in. But that’s not all a passphrase needs – it should also have a level of complexity to it. That means adding in some not-so-expected characters, letter case combinations, numbers, etc. to make the phrase more difficult to decipher.

As an example, your passphrase might start out as “Lovestocook.” But to make it more complex, it might become “L0ve$2C00k.” Just a few substitutions with numerals and special characters can make all the difference between a bad password and a good password!

Some other things to consider when creating your passwords are length and personal information. These days, most entities that require passwords enforce a minimum length – typically at least eight characters. But word to the wise, more is better. The longer a password is, the less likely it is to be hacked. By the same token, using personal information in passwords is absolutely not recommended. Why? Because a lot of this information is readily available in some form, particularly so since the invention of social media. The bottom line is be cautious and purposeful in your password creation.

2. Utilize a password manager.

Passwords are many. There’s the one for your email, your work applications, your Amazon account, your financial institution…and the list goes on. It’s hard to keep track of them all, especially if you adhere to the idea that you shouldn’t use the same password for every application. (P.S. that’s a good idea…adhere away!) Enter the lifesaver – a password manager!

It’s like a digital lockbox for your plethora of passwords. That way you don’t have your passwords written down or stored in plain sight, and you can be sure that they are organized and secure. There are lots of free online options and even software you can download. Dashlane, LastPass and KeyPass are good password managers, as well as others. To see more password management options, check out this article.

3. Length = life.

As we previously touched on, the length of a password is crucial to ensuring security and complexity, but it also affects the life of that particular password. Let’s explore further. The life of a password word is the number of days you can use it before the system forces you to change or reset it. But the truth is that almost every password ever created can be broken by brute force, or randomly guessing characters and dictionary words, if given enough time and a static password. The more characters you put in a password, the longer it takes for hackers to successfully crack the code with brute force. Therefore, a 12-character password may be able to last 90 days before it is reset. On the other hand, a 32-character password may be able to live 365 days. Passwords are often required to be reset at the end of 30, 90 or 180-day intervals based on their length and the security that the length provides. More recently, though, existing security frameworks and very large companies are starting to adopt the policy of 20+ character passwords that never expire. When it comes to determining the length and life requirements of your passwords, consider your preferences and policies as well as those of your vendors.

4. Know the difference between MFA and 2FA.

You’ve heard of multi-factor authentication (MFA), right? There’s also two-factor authentication (2FA). What’s the difference? It’s actually fairly simple – 2FA requires only two forms of authentication, while MFA is more general, only stating multiple factors are required as part of the login process. Having more than one type of authentication is a way to enhance security for the system, network, what have you that you are trying to access. There are three types of authentication: knowledge, possession and inherence.

Knowledge is something only the user should know, like his or her password. So, yes, passwords are almost always part of the authentication process, no matter how many steps are required. Possession is something only the user has, such as a cell phone that can receive a one-time code for authentication purposes. Finally, inherence is a characteristic or trait that is unique only to the user. These are generally biometric factors, such as fingerprints, retina scans, etc.

In the world of security and authentication, the rule of thumb is the more factors required, the more secure the system will be. Even though passwords are always part of the process, it may not hurt to have additional methods of authentication. That’s where your credit union should be keen on the difference between 2FA and MFA, and can decide if 2FA is sufficient, or if MFA (which usually implies use of more than two factors) is a more secure route.

5. Differentiate passwords in the workplace and personal life.

Passwords are needed in both our work lives and our personal lives for any number of things. However, the two realms should never cross. That’s because what you or your staff do on the internet, on social media, etc. isn’t directly related to what they do at work UNLESS there is password sharing. Say you opened an email on your home computer that contained a malicious link. You clicked the link and it gained access to your system, including your password. Now say that same password is what you use to log in to your workstation in the office. This is a recipe for disaster. Having work passwords versus personal passwords protects one from the other. It won’t be as easy for hackers to breach workplace systems if your passwords differ from those you use for personal activities. Reusing passwords is a security taboo – you don’t want to make the fraud game even easier for attackers. Keep this in mind when developing policies for staff to follow when creating passwords.

6. Push the same password conditions for internal vs. member-facing systems.

All the things we’ve gone over thus far for ensuring password security are the same in the branch or in the members’ hands. Longer, more complex passwords with specific expiration timeframes are needed for both internal and member-facing systems. In other words, if you require your staff to create passwords of 12 characters minimum, using a combination of upper and lowercase letters, numbers and special characters that expire after 90 days, the same standards should be in place for your members. While many credit unions don’t want to aggravate members with the added complexity, it’s a matter of security. At the end of the day, password requirements are in place to safeguard their financial information in the back office and on the front lines.


The truth is, we could go on and on about passwords forever. Things are always changing, as hackers are always coming up with new ways to steal information. That’s been especially true as we’ve been dealing with the Coronavirus pandemic. They are preying on people’s already heightened fear to take advantage and create new schemes each day. Hopefully, the virus and its influx of high-profile scams are leading us away from tuning out the “wah, wah, wah” and showing us that tuning in to the real components of good password management is actually important.

By taking these six suggestions to heart, your credit union can make some significant headway in terms of effective password policies. Learn them, implement them and use them to create a special brand of password sovereignty, a code of your own that even hackers will have trouble cracking!

For more information, please contact the risk management team at riskmanagement@vfccu.org.


Mike Bechtel is an information security analyst for Vizo Financial. As such, he provides incident response planning services, information security risk assessments, security awareness training and information security-related consulting services to credit unions.