For those on our Security Alert and Update list we just emailed this great article by Graham Cluley on the worst possible passwords you could ever choose. Many of you know this is something we preach to our clients on a regular basis and is part of our comprehensive 4E Program.
Too many internet users are making poor decisions when choosing their passwords. We’ve spoken time and time again about the importance of choosing hard-to-crack, unguessable, unique passwords that (provided the website you are using looks after its databases properly) will make life very difficult for password crackers. And yet, people continue to use passwords that are – quite frankly – dumb, and then compound the problem by using the same simple password in multiple places.
Scandinavian security blogger Anders Nilsson spent a little time with the Pipal password analyzing tool, running it against the 450,000 plaintext passwords snatched by hackers from Yahoo Voices.
And what he found doesn’t inspire much confidence that users are getting the message about password security.
Repeat after me: “A password of ‘password’ isn’t actually a password.”
Nor will “123456”, “welcome” or “qwerty” pose much of a challenge to a hacker.
The fact is that every time password lists are stolen and published on the internet, hackers add them to their own databases for their password crackers to try next time they want to break into an account or crack a hashed password.
Your passwords need to be unique, and hard-to-crack. That means not using dictionary words anymore, and not imagining that no-one else in the world has thought of “qwertyuiop” or “password1234”.
The typical response from the average internet user is “But how will I remember all these different, complicated passwords?” Simple. Use a decent password management program. There are a few to choose from, and some of them are even free. Software like 1Password, KeePass and LastPass can remember all your different passwords on your behalf, store them securely, and even generate complicated passwords for the next website you join.
Clearly the responsibility isn’t all in the court of the user, however. Not only should websites take greater care about securing users’ information (for instance, not storing passwords in plain-text or as unsalted hashes), but they could also do more to ensure that users choose trickier passwords.
I’d like to see more websites check the passwords chosen by their new users, by running them against a database of commonly used passwords and a dictionary.
If the password users enter is too common, or an obvious sequence, or doesn’t obey sensible password rules about complexity or length, then it should be rejected and the user told to try again. When websites tell you to change your password following a security breach, they should also tell you to choose a hard-to-crack, unique password. Otherwise, what’s to stop the new password being “abcdefg”?
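The registration-time check described above, as an added example that is not part of the original article: it rejects a candidate password when it appears in a common-password list, is a dictionary word (optionally padded with digits), contains an obvious alphabetic, numeric or keyboard-row sequence, or fails an assumed length and character-class rule. The word lists and the 12-character minimum are constructed assumptions; a real deployment would load a leaked-password corpus and a full dictionary instead.

```python
import re
import string

# Constructed sample lists standing in for a real leaked-password corpus and
# a full dictionary wordlist; the entries echo the examples in the article.
COMMON_PASSWORDS = {
    "password", "123456", "welcome", "qwerty", "qwertyuiop",
    "password1234", "abcdefg", "happiness", "princess", "ninja",
}
DICTIONARY_WORDS = {"happiness", "princess", "ninja", "welcome",
                    "password", "monkey"}

# Alphabetic, numeric and keyboard-row runs; any 4-character window of the
# password found in one of these (or its reverse) counts as an obvious sequence.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES += [s[::-1] for s in SEQUENCES]
MIN_LENGTH = 12  # assumed policy value; the article gives no number


def has_sequence(pw, window=4):
    """True if any window-sized slice of pw lies inside a known run."""
    low = pw.lower()
    for i in range(len(low) - window + 1):
        chunk = low[i:i + window]
        if any(chunk in seq for seq in SEQUENCES):
            return True
    return False


def char_classes(pw):
    """Count how many of lower/upper/digit/punctuation classes pw uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(1 for c in classes if any(ch in c for ch in pw))


def check_password(pw):
    """Return the list of reasons to reject pw; an empty list means accept."""
    reasons = []
    low = pw.lower()
    # Strip leading/trailing digits so "password1234" is judged as "password".
    core = re.sub(r"^\d+|\d+$", "", low)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if core in DICTIONARY_WORDS:
        reasons.append("is a dictionary word (optionally padded with digits)")
    if has_sequence(pw):
        reasons.append("contains an obvious sequence")
    if char_classes(pw) < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


def is_acceptable(pw):
    return not check_password(pw)
```

Each reason string is something the site can show the user when telling them to try again, which is the feedback the article asks for.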
It would be a safer world if websites policed the passwords submitted by users and threw out the weak choices.
And it’s not just users who need to have strong passwords. The website’s staff need to have sensible, hard-to-crack passwords as well.
In early 2009, for instance, a hacker was able to break into Twitter accounts belonging to celebrities because he had broken into Twitter’s administrative console.
How did the hacker manage that?
The Twitter employee was using a password of “Happiness”.
Here’s a YouTube video I made a while back showing how to choose a hard-to-crack but easy-to-remember password. It also explains how password management software programs like 1Password, KeePass and LastPass can help you remember all your different passwords.
If you already know this about passwords – great! But be a good Samaritan, and share the advice with your family and friends.
We need to get everyone to understand the importance of better password security.
Yes, even the “princesses” and “ninjas”.