Hey, Is This Your Password?

Category: Security

According to a study that was just released, there's a 40 percent chance that any hacker could guess your password without breaking a sweat. Read on to find out if you're using one of the 25 most common (and easily guessed) passwords, and how to create strong, secure passwords that can't be hacked...

Is Your Password Protecting You?

Mark Burnett is an IT security consultant who says "I love writing about passwords." He's even written a 177-page book entitled, "Perfect Passwords." Somehow, Burnett has amassed a collection of over 6 million usernames and passwords (legitimately, I presume). In short, Mark Burnett is something of an authority on passwords.

In massaging his password data, Burnett found that people are basically lazy and stupid. They keep choosing the simplest, most obvious passwords over and over again. Here are some interesting facts gleaned from Burnett's data:

Unbelievably, 4.7% of users have the password "password". In the "Not Much Better" category, about 10% are using either "password", "12345", "123456", "1234567", or (can you guess the next one?). Fourteen percent have a password from the top 10 passwords; 40% have a password from the top 100 passwords; and 91% have a password from the top 1000 passwords.
Weak Passwords

And in case you're wondering whether your password falls into the "Lazy and Stupid" category, here are Burnett's top 25 most common passwords:

1. password
2. 123456
3. 12345678
4. 1234
5. qwerty
6. 12345
7. dragon
8. pussy
9. baseball
10. football
11. letmein
12. monkey
13. 696969
14. abc123
15. mustang
16. michael
17. shadow
18. master
19. jennifer
20. 111111
21. 2000
22. jordan
23. superman
24. harley
25. 1234567

These 25 passwords are used by about 40% of users, according to Burnett. That's pretty shocking, don't you think? Hackers know these facts as well as security consultants do, if not better. Given a 40% chance of cracking your password in just 25 guesses, a hacker has things pretty easy. If any of your passwords are on this list, you had better change them immediately.

Time To Change Your Password

Recently, Russian hackers obtained over six million LinkedIn passwords, and posted them online. Other popular sites, Last.FM and eHarmony have also been affected. So now is a REALLY good time to change your passwords, and to make sure they are secure enough.

You should also be aware that using the same login and password for all your online accounts is a bad idea. If just one of them is compromised, you've handed over the keys to your kingdom. Imagine the damage that someone could do if they had the login credentials for your email, your Facebook account, and your online banking. Now think how much worse it could get if they also had the keys to your online backup, where all your personal files are stashed away.

Now I understand that you want a password that you can remember, and you don't want to be bothered with typing a long string of nonsense every time you log in to a website. And yes, it's a hassle to maintain different passwords for all the online services you use. But secure passwords for all your online accounts are a must.

Fortunately, you don't need a 24-character password composed of hieroglyphic characters. A memorable phrase, or a password of at least 12 characters, will protect you quite well. And there are tools to help you generate and manage secure passwords that you don't even have to remember.
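A registration-time check built from this article's advice, as an added example (not the article's or Burnett's code): it rejects the 25 most common passwords listed above, case-insensitively and with any trailing run of digits or symbols stripped (so "Password1!" and "Jennifer2012" are caught too, which is an assumption added here), and then enforces the 12-character minimum recommended above.

```python
import re
from typing import Tuple

# The 25 most common passwords from Burnett's data, as listed in the article.
TOP_25 = (
    "password", "123456", "12345678", "1234", "qwerty",
    "12345", "dragon", "pussy", "baseball", "football",
    "letmein", "monkey", "696969", "abc123", "mustang",
    "michael", "shadow", "master", "jennifer", "111111",
    "2000", "jordan", "superman", "harley", "1234567",
)
BLOCKLIST = frozenset(TOP_25)
MIN_LENGTH = 12  # the article's "at least 12 characters" advice

# Assumption added here: a blocklisted word with digits/symbols tacked on
# the end ("Password1!", "dragon2012") counts as the same weak password.
_TRAILING = re.compile(r"[\d\W_]*$")


def normalize(candidate: str) -> str:
    """Lower-case the candidate and drop any trailing digit/symbol run."""
    return _TRAILING.sub("", candidate.strip().lower(), count=1)


def check_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The blocklist is checked before the length rule on purpose: padding a
    top-25 password out to 12 characters does not make it less guessable.
    """
    lowered = candidate.strip().lower()
    if lowered in BLOCKLIST or normalize(candidate) in BLOCKLIST:
        return False, "one of the 25 most common passwords (or a trivial variant)"
    if len(candidate.strip()) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates, one per outcome.
    for pw in ("password", "Jennifer2012", "Tr0ub4dor", "expeditiontothenorthpole"):
        print(f"{pw!r}: {check_password(pw)}")
```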

You could buy Burnett's book (used copies are going for under $3 on Amazon), or you could read my pithier guide to creating a good password, "Is Your Password Hacker Proof?".

Have you been hacked because of a weak password? What's your password strategy? Post your comment or question below...

This article was posted by on 13 Jun 2012

Most recent comments on "Hey, Is This Your Password?"


Posted by:

Richard
13 Jun 2012

I have a nice easy password for sites that I don't really care about but require a login. It's not one of the 25 but it wouldn't take a cracking programme long to get it from a hash.

Then I have a more secure password for sites I need to get to and need to remember.

Then I have a secure passphrase to a password store for most of the other passwords. This password store generates passwords for sites that I don't know and would never remember. It fills them in for me and I can get to the "vault" if I need to cut/paste.

Finally banking and similar have other access means kept completely separate. Banking site also has a 2 factor scheme to make payments/changes and the like using smart card reader.


Posted by:

Dee
13 Jun 2012

I can't give you a hint on how I create my passwords, that would go against the point of the article!


Posted by:

Matt
13 Jun 2012

I will admit I use the same set of 4 or 5 passwords for multiple sites, and I do feel my passwords are pretty strong and hacker proof, but I also think banks and other websites are getting smarter about logging into their website even with the correct password. For example my bank will require a security question answer if the login is from an IP I haven't used before. I also have 2-step verification set up with all of my GMail accounts, PayPal account, and Facebook account. I believe Google's approach to the 2-step verification is the best by working in conjunction with an Android app that generates a unique 6 digit code that changes every 15 seconds.


Posted by:

Paul
13 Jun 2012

I use Roboform to randomly create and save my passwords and change them from time to time. So far so good.


Posted by:

Jay
13 Jun 2012

I use KeyPass to create and store passwords for sites that need Jay-only access -- banking sites mostly. For those sites where "cracking" my password wouldn't create a problem for anyone -- the Merriam-Webster dictionary site, for example, I use a handful of six- to eight-letter passwords.


Posted by:

sirpaul2
13 Jun 2012

It really doesn't matter how long and strong your passwords are unless you're only worried about 'brute strength' attacks.
You also must take precautions 'how' you enter your passwords due to the following:
1) Keystroke loggers (captures standard keyboard entries)
2) Clipboard loggers (captures standard 'Drag & Drop' methods)
3) Screen loggers (captures mouse movements on most standard virtual keyboards)
4) Password field loggers (plenty of programs can 'look' under the 'asterisks')

It pretty much boils down to "If you build a bigger wall, they will build a bigger ladder" (and bigger walls usually means there's a bigger treasure).

I'm not saying password strength is unimportant, but also make sure you don't 'give' your password away.


Posted by:

JOHN
13 Jun 2012

I have a friend who uses [or did till I put her wise] her post [zip code] code and am sure she was not alone.


Posted by:

Ed
13 Jun 2012

The best way to develop a great password is found at https://www.grc.com/haystack.htm. Steve Gibson of Gibson Research has received much recognition in the world of online security. His "Needle in a Haystack" method is secure and easy. Go to his site and read (or listen) about it...you'll be amazed.


Posted by:

Lee McIntyre
13 Jun 2012

I use a simple system to create a different password for every site. I can use the system to recall passwords even when I'm at computers I don't own - without having to reference an online resource or carry around a thumb drive.

1. The first portion of my password doesn't change from site to site. It's an 8-character combination of letters and numbers, with random letters capitalized: ECaMo2HP. It's based on the phrase, "Extra Catchup and Mustard on 2 Hamburgers, Please." Create something that's easy for you to remember.
2. The second portion of the password is different for each site. It is based on the PROMPT in the password sign-in window. Example: The Gmail prompt is: "Sign in Google." The prompt for my bank is: "Enter your online ID." I take the first six characters of this prompt and this becomes the second portion of the password, except that I enter all the characters in lower case, except that I always capitalize the third and sixth characters. Finally, I always enter a 5 after the fourth character.

The result is a strong password I can reconstruct simply by looking at the prompt in a site's sign-in window.

Based on all this, the password for my Gmail site is:

ECaMo2HPsiGn5iN

My bank password is:

ECaMo2HPenTe5rY

All you need to remember is the first letter of each word of your root phrase, "Extra Catchup and Mustard on 2 Hamburgers, Please," with capitalization the way you were taught for "Book Titles" in grade school.

Then you need to remember your simple rules for making the password unique for each site: Number of characters to take from the sign-in prompt; which ones to capitalize, and what digit to insert, and where. That rule never changes, so after a few days, you've got it memorized.

But, to guard against forgetfulness caused by old age or something, I recommend writing down your algorithm as follows: Put the first half - the "root" rule - on a scrap of paper in one location in your home, with no indication of what it means. Put the "second" rule on a different scrap in a different location.

Okay, so did I REALLY give you my passwords? Of course not! I only gave you my system.

My "root" is different from the example I used. It's a different length, with a different phrase as its base.

I don't use the first six characters from each sign-in prompt. I use a different number of characters.

And I don't capitalize them exactly as I described.

Finally, I don't enter a five after the fourth character. I enter different numbers (more than one) in a different spot.

The point is, it's a system you can learn in a matter of days. It gives you a different password for (almost) every site, and you don't have to depend on a password repository.

PLUS, you can change your passwords rather easily, every 90 days or so. Just tweak one of the rules slightly, and you'll create a whole new set of passwords based on the new rule.


Posted by:

Chas
13 Jun 2012

I recently read where someone uses the serial number off a dollar bill -- unique, repeatable and easy to change.


Posted by:

Buffet
13 Jun 2012

Bob, where I live (not willing to divulge, so as not to offend anyone) most people seem to have a working vocabulary of little more than twenty-five words! That's actually embellishing very little. That said, I simply select obscure words I seldom hear, and I would NEVER use that online backup rubbish. I can't imagine why anyone would?


Posted by:

Joel Bown
13 Jun 2012

Hacking/guessing passwords could be all but eliminated if the security people would not allow unlimited attempts for logging on. A simple change would be to allow say three tries, then suspend the account for a couple of minutes, then allow three more tries. It would give the true owner time to remember or look up their password and would take hackers so long to try multiple guesses they would probably give up or move on.
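The lockout the commenter describes, as an added example (not the site's code, and not anything the commenter posted): three failed tries, then a two-minute suspension, then three more. The in-memory store and the injected clock are assumptions made so the code runs stand-alone.

```python
import time
from typing import Callable, Dict

MAX_TRIES = 3          # failed attempts allowed before a suspension
SUSPEND_SECONDS = 120  # "a couple of minutes"


class LoginThrottle:
    """Per-account suspension: assumed in-memory dicts stand in for a database."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, int] = {}
        self._suspended_until: Dict[str, float] = {}

    def is_suspended(self, user: str) -> bool:
        until = self._suspended_until.get(user)
        if until is None:
            return False
        if self._clock() < until:
            return True
        # Suspension has expired: the account gets a fresh set of tries.
        del self._suspended_until[user]
        self._failures[user] = 0
        return False

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied' or 'suspended'.

        While suspended the answer is the same whether or not the password
        was right, so the suspension itself does not leak a correct guess.
        """
        if self.is_suspended(user):
            return "suspended"
        if password_ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_TRIES:
            self._suspended_until[user] = self._clock() + SUSPEND_SECONDS
        return "denied"


def guesses_per_day() -> float:
    """Online guesses this policy allows against one account in 24 hours."""
    return MAX_TRIES * (24 * 3600 / SUSPEND_SECONDS)
```

Note that a per-account suspension also lets anyone lock a legitimate user out by sending three bad guesses, which is why a short suspension like the commenter's is a better trade-off than an indefinite lockout.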


Posted by:

drew
14 Jun 2012

I actually appreciate idiots who use "password" and the like in 2012 because they protect me. Hackers are like any other criminal. Always go for the easy targets. If they had to constantly crack 20 digit alphanumeric codes, there wouldn't be much hope for the rest of us.


Posted by:

Dan Morrow
14 Jun 2012

I have been testing new passwords on the w.passwordmeter.com site to see how effective they might be. Of course I want to be sure their formula is effective as a means to stifle hackers!


Posted by:

Garrett
14 Jun 2012

I use a couple of passwords that are from a language spoken by only a few hundred people in the world. Any password can be broken by a good hacker but mine will not make it easy for them. And I also have variations of each.


Posted by:

Dave H
14 Jun 2012

A good strategy, which an IT tech suggested to me a few years ago, is to think of a favourite poem or song, e.g. The Beatles - Hey Jude. You then use the 1st letter of each word, substitute some similar numbers for letters, and put in a few capitals for good measure, and bish bash bosh there you go. e.g. the line 'hey jude dont make it bad take a sad song and make it better' could generate a password like hjdDm1bTA5sam18. As you're using mnemonics the password is really easy to remember also. I have five or six of these on the go at the moment.


Posted by:

Rick
15 Jun 2012

I developed a code sequence of caps, letters, numbers and symbols to pw all my logins. I also keep an offline journal so I can look up any of those pws as well as CD Keys for various apps. So far, I haven't been burnt but one never knows, so I change the passwords often, keeping within the code structure but never a similar pw. The journal keeps me from "getting lost".


Posted by:

Stauf
19 Jun 2012

Something to keep in mind when choosing a password is,
"avoid using a word that's associated with you in some way."

Remember way back when heir-head heiress, Paris Hilton had her cellphone hacked? That was due to her lapdog companion "Tinkerbell" that she spoke of constantly and took with her everywhere.

Someone guessed that she would use that as her password, and they were right.

After they got her info they posted it online and many of her celeb friends got calls and emails from total strangers.


Posted by:

Anuraj
22 Jun 2012

A reasonably long phrase is impossible to crack with brute force, even if it contains only lower case letters and dictionary words.

It could be anything like 'expedition to the north pole' (without the spaces).

Just make sure you don't name your pet dog "north pole" ; )


Posted by:

Jeff
16 Oct 2012

I have used a free program called PINs for years. I store all my passwords, pins, security questions and answers--everything in it. It has a swipe function so most of the time you do not even have to type your password to get into a site. PINs uses a secure 448 bit Blowfish algorithm to ensure the data are not crackable. You can get it here:

http://www.mirekw.com/winfreeware/pins.html or just Google PINs passwords.


Article information: AskBobRankin -- Hey, Is This Your Password? (Posted: 13 Jun 2012)
Source: https://askbobrankin.com/hey_is_this_your_password.html
Copyright © 2005 - Bob Rankin - All Rights Reserved