Sunday, July 15, 2012

Passwords that are NOT a Password

Update June 15, 2013:
I stand by what I wrote here but please read as well my article "Passwords - The Latest".

I stumbled over an interesting web site maintained by security consultant Mark Burnett. Mark writes extensively about passwords and other computer security related issues.

What intrigued me is the utter ignorance some people show when selecting passwords. Take a look at this little table with the arbitrarily chosen top 18 entries out of the millions of passwords Mark has analyzed.

The first column lists the password actually used and the second column how often it appeared in the analyzed sample. The **** obscures a foul four-letter word.

password   32027
123456     25969
12345678   8667
1234       5786
Qwerty     5455
12345      4523
Dragon     4321
P****      3945
Baseball   3739
football   3682
letmein    3536
monkey     3487
696969     3345
abc123     3310
mustang    3289
michael    3249
shadow     3209
master     3182

What I want to emphasize are a couple of facts that by now ought to be common-sense knowledge for anybody who uses the Internet:
  1. Never use any word that could be in any dictionary as a password.
    Consider as well dictionaries of nicknames, pet names and common acronyms!
  2. Don't use obvious sequences or repetitions.
  3. Make your passwords long enough. I consider 10 to 12 characters the minimum.
  4. CAPITALIZE some of the letters.
  5. Use one or two numbers.
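
The five rules above can be turned into an automated check. The following Python sketch is an added example, not part of the original article; its word list holds only the unmasked entries from the table, and the run length of four characters and all function names are assumptions.

```python
import re

# Constructed word list: the unmasked entries of the table above, lowercased.
# Assumption for this sketch; rule 1 calls for real dictionaries and name lists.
WORDLIST = {"password", "123456", "12345678", "1234", "qwerty", "12345",
            "dragon", "baseball", "football", "letmein", "monkey", "696969",
            "abc123", "mustang", "michael", "shadow", "master"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 10  # rule 3: lower end of the 10 to 12 characters given above

def is_dictionary_based(pw):
    """Rule 1: the password, or its letters alone, is a listed word."""
    s = pw.lower()
    return s in WORDLIST or re.sub(r"[^a-z]", "", s) in WORDLIST

def has_sequence(pw, n=4):
    """Rule 2: n characters in a row that ascend, descend or follow a keyboard row."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False

def has_repetition(pw):
    """Rule 2: a unit of 1 to 3 characters repeated at least three times."""
    return re.search(r"(.{1,3})\1{2,}", pw.lower()) is not None

def violations(pw):
    """Return the numbers (1-5) of the rules above that pw breaks."""
    checks = [
        (1, is_dictionary_based(pw)),
        (2, has_sequence(pw) or has_repetition(pw)),
        (3, len(pw) < MIN_LENGTH),
        (4, not any(c.isupper() for c in pw)),
        (5, not any(c.isdigit() for c in pw)),
    ]
    return [rule for rule, broken in checks if broken]

if __name__ == "__main__":
    # Constructed sample passwords, the first three taken from the table.
    for pw in ("password", "696969", "Qwerty", "Dragon2012!", "tR7vkq2LmZpx"):
        print(f"{pw!r:16} breaks rules {violations(pw)}")
```

Note that "Dragon2012!" satisfies the length, capital and number rules and is still rejected, because stripping the digits and punctuation leaves a word from the table.
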
Please read my May 2012 article about hacked passwords and my April 2011 article on what to do about passwords that are too simple.

The former article has become even more important after Yahoo admitted that just recently one of their services was hacked and 450,000 passwords were posted on a publicly accessible web site!

On a side note: For years I have advised my customers to drop their Yahoo email accounts; seems this was and is reasonable advice.

As usual I welcome comments and suggestions right here in the blog. Thank you in advance.
