This is one of a series of articles with suggested resolutions for the new year. See the other suggested resolutions.
In today’s world of online banking, online commerce, online social media, and online just-about-everything, chances are you have lots of online accounts. And chances are that you use the same username and password a lot. That’s a really bad practice.
SplashData has released its annual list of the worst online passwords. More people use the word “password” as their password than any other word or phrase. That makes “password” the absolute worst string of characters you can choose to protect your online accounts.
Here’s the top 10 list:
- password
- 123456
- 12345678
- abc123
- qwerty
- monkey
- letmein
- dragon
- 111111
- baseball
Seriously folks? We care so little about protecting our online bank accounts or other accounts that have sensitive information, including credit card numbers?
Start taking simple steps to protect your accounts by using stronger passwords and using different passwords for different websites.
- Never use a word or combination of words that can be found in a dictionary.
- Never use your mother’s maiden name, the name of your pet, the name of your spouse, or any other easily-guessed words.
- Never use the same password for your bank account that you use anywhere else.
- Do use strong passwords — 8 or more characters with mixed uppercase and lowercase and at least one number or special character (like #@~}[`^|).
- Do use different username/password combinations on different websites. Especially risky is using the same password for entertainment sites, email, social networking, and financial services.
Having trouble remembering all those different passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites. An alternative is to come up with a personal system that uses the same base password, but adds different prefixes or suffixes to the password and/or username for different sites. Be aware that this is a compromise, not a substitute for unique passwords: once one site’s copy leaks, the base is known and the per-site variation is easy to guess. Others like to use abbreviated scripture references.
Using a password management application is a great idea, but if one wants to memorize passwords, it is often helpful to think of them as “passphrases” instead of “passwords”. In fact, many applications for software developers have done this for years because it encourages enhanced security. Using a long, easily-memorable password composed of unrelated words, like “battery horse staple correct” or “I love to see the walrus, I’ll arf with him someday” provides much better entropy and takes a computer much longer to guess than any random password of memorable length. The only issue with this is that some sites actually have counter-productive password requirements that do not allow dictionary words to appear in any arrangement, limit character length, or impose other restrictions that are not applicable if you’re using this strategy.
It is of course also a great idea to use a different password for every site, so it may be helpful to make one of the words in your passphrase mutable for the specific site you’re signing up to use.
This is an excellent helper and best explanation I have found to give to users to support better passwords. (Indirectly referenced by Jeff)
http://preshing.com/20110811/xkcd-password-generator
I’m going to second what Jeff and Derrick have already said. Even though the pass phrase technique is contrary to the suggested “Never use a word or combination of words that can be found in a dictionary” it still tends to be a good approach.
On password length – “8 or more characters” – probably isn’t enough. If the service happens to be using something like sha1 or md5 (which they shouldn’t but some do, like LinkedIn) then there are existing systems that can run billions of attempts per second – http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/. Ultimately an attack system like that will be able to come up with the original password (if they acquire the hashed password list), but you can at least make it a bit harder by having a much longer password, say 15 characters or more.
On the other end of the password length issue keep in mind that good password hash systems, like bcrypt, have an effective maximum length as well. In the case of bcrypt that is 72 characters.
Even scarier than that though is that there are still systems out there that store your password in plain text (some much closer to you than you’d think). For those places none of these suggestions will protect you from internal employees who can copy the plain text version of your password at their leisure.
Here’s another good article on the subject: http://www.baekdal.com/insights/password-security-usability
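The two comments above make claims that are easy to check with arithmetic: that a passphrase of unrelated words can carry more entropy than a short random password, that the hash a site uses changes how long a leaked hash survives a GPU cluster, and that bcrypt stops reading input at 72 bytes. The following is an added example, not code from the original post or from any of the commenters. It generates a passphrase with a CSPRNG from a constructed word list, computes entropy from pool size and length, and estimates worst-case time to exhaust a keyspace at assumed guess rates (the rates, the 7,776-word Diceware list size and the word list itself are assumptions, not figures from the page).

```python
"""Entropy and crack-time estimates for passwords vs. passphrases.

Added example for the discussion above; not code from the original post
or its commenters. Hash rates and the word-list size are assumptions.
"""
import math
import secrets

# Constructed word list for the demo only. A real generator should draw
# from a large published list (e.g. a 7,776-word Diceware list); the
# entropy comes from the list size and the CSPRNG, not from the words.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "walrus", "lantern",
    "orbit", "velvet", "cactus", "marble", "timber", "falcon",
    "pillow", "river", "saddle", "copper",
]

PRINTABLE_ASCII = 95    # pool size for a random password of printable characters
DICEWARE_WORDS = 7776   # assumed size of a standard Diceware-style list

# Assumed, rounded guess rates: an unsalted fast hash (MD5/SHA-1) on a
# GPU cluster versus a deliberately slow, salted hash such as bcrypt.
FAST_HASH_RATE = 1e11   # guesses per second (assumption)
BCRYPT_RATE = 1e5       # guesses per second (assumption)

BCRYPT_MAX_BYTES = 72   # bcrypt ignores input bytes past this point
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size, count):
    """Bits of entropy for `count` independent uniform picks from `pool_size`."""
    return count * math.log2(pool_size)


def generate_passphrase(words, count):
    """Pick `count` words uniformly with a CSPRNG (never the `random` module)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def seconds_to_exhaust(bits, rate):
    """Worst-case time to try the whole keyspace at `rate` guesses/second."""
    return 2 ** bits / rate


def fits_bcrypt(password):
    """True if the UTF-8 encoding is within bcrypt's 72-byte input limit.

    Multi-byte characters count per byte, so a 40-character non-ASCII
    passphrase can already be silently truncated.
    """
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


def candidates():
    """Entropy, in bits, of the password shapes discussed above."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "15 random printable chars": entropy_bits(PRINTABLE_ASCII, 15),
        "4 Diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 Diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDS, 5)
    print("sample passphrase (demo list, %d words): %r" % (len(DEMO_WORDS), phrase))
    print("  entropy from this tiny list: %.1f bits" % entropy_bits(len(DEMO_WORDS), 5))
    print("  fits bcrypt's 72-byte limit: %s" % fits_bcrypt(phrase))
    print()
    print("%-28s %8s %18s %18s" % ("shape", "bits", "fast hash (years)", "bcrypt (years)"))
    for label, bits in candidates().items():
        fast = seconds_to_exhaust(bits, FAST_HASH_RATE) / SECONDS_PER_YEAR
        slow = seconds_to_exhaust(bits, BCRYPT_RATE) / SECONDS_PER_YEAR
        print("%-28s %8.1f %18.3g %18.3g" % (label, bits, fast, slow))
```

Running it shows the shape of the argument rather than just the slogan: four Diceware words land almost exactly where eight random printable characters do (about 52 bits), six words clear 77 bits, and fifteen random characters reach roughly 99 bits. The same 52-bit keyspace that a fast unsalted hash exhausts in under a day at the assumed rate takes on the order of a thousand years at bcrypt speed, which is the commenter's point about the site's choice of hash mattering more than the user's. The `fits_bcrypt` check is the caveat to the long-passphrase advice: anything past 72 bytes contributes nothing, so a site on bcrypt should either reject longer input or pre-hash it before calling bcrypt.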