Password stupidity

Shane Richmond wrote in the Telegraph yesterday about some information gained from the recent Gawker Media security breach.

Gawker Media, the publisher of LifeHacker, Gizmodo and a couple of other popular blogs, is the latest major victim of a hackers’ attack. The CMS was compromised and 1.5 million usernames and passwords have been stolen.

Source: CMS Wire

Analysts have taken this data and done, well, some analysis on it. It appears that the most common password was 123456!!! I had heard this fact bandied about a few times before but never really took it seriously; I subconsciously refused to believe people could be this stupid. However, two other very common passwords in the collection were “password” and “qwerty”, which are just as stupid as 123456.

What strikes me even more is that many, many people use the same password for multiple sites. After the Gawker hack, many people had their Twitter and other online service accounts hijacked because of this simple lack of security.

There are some basic rules when it comes to passwords and password security, and they are worth following:

Keys to password strength: length and complexity

An ideal password is long and has letters, punctuation, symbols, and numbers.

  • Whenever possible, use at least 14 characters or more.
  • The greater the variety of characters in your password, the better.
  • Use the entire keyboard, not just the letters and characters you use or see most often.

Create a strong password you can remember

There are many ways to create a long, complex password. Here is one way that may make remembering it easier:

| What to do | Suggestion | Example |
| --- | --- | --- |
| Start with a sentence or two (about 10 words total). | Think of something meaningful to you. | Long and complex passwords are safest. I keep mine secret. (10 words) |
| Turn your sentences into a row of letters. | Use the first letter of each word. | lacpasikms (10 characters) |
| Add complexity. | Make only the letters in the first half of the alphabet uppercase. | lACpAsIKMs (10 characters) |
| Add length with numbers. | Put two numbers that are meaningful to you between the two sentences. | lACpAs56IKMs (12 characters) |
| Add length with punctuation. | Put a punctuation mark at the beginning. | ?lACpAs56IKMs (13 characters) |
| Add length with symbols. | Put a symbol at the end. | ?lACpAs56IKMs" (14 characters) |

Source: Microsoft Online Safety
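The recipe above, implemented as an added example (not code from this post or from Microsoft's article), together with a check against the length and variety rules and the three common passwords named earlier. Applied literally, the uppercase rule also capitalises the leading "l" that Microsoft's example leaves lowercase, so the derived value differs from theirs in its first letter.

```python
import string

# The three passwords the Gawker analysis found most common (from the post above).
COMMON_PASSWORDS = {"123456", "password", "qwerty"}

# Letters in the first half of the alphabet (a-m), which the recipe uppercases.
FIRST_HALF = "abcdefghijklm"


def first_letters(sentences):
    """Step 2: join the first letter of every word across all sentences."""
    return "".join(word[0].lower() for s in sentences for word in s.split())


def derive_password(sentences, numbers, punctuation, symbol):
    """Apply the Microsoft recipe step by step and return the result.

    sentences:   list of sentences (the recipe suggests about 10 words total)
    numbers:     digits inserted between the first and second sentence
    punctuation: single mark placed at the beginning
    symbol:      single symbol placed at the end
    """
    letters = first_letters(sentences)
    # Step 3: uppercase only letters in the first half of the alphabet.
    # Note this also uppercases the leading 'l', unlike Microsoft's example.
    mixed = "".join(c.upper() if c in FIRST_HALF else c for c in letters)
    # Step 4: put the numbers between the two sentences, i.e. after the
    # letter contributed by the last word of the first sentence.
    split = len(sentences[0].split())
    with_numbers = mixed[:split] + numbers + mixed[split:]
    # Steps 5 and 6: punctuation at the front, symbol at the end.
    return punctuation + with_numbers + symbol


def check_password(pw, min_length=14):
    """Return the reasons a password fails the rules quoted in the post."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("one of the most common passwords in the Gawker dump")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("missing lower, upper, digit or punctuation characters")
    return problems


if __name__ == "__main__":
    pw = derive_password(["Long and complex passwords are safest.",
                          "I keep mine secret."], "56", "?", '"')
    print(pw, check_password(pw) or "passes all rules")
    for weak in COMMON_PASSWORDS:
        print(weak, check_password(weak))
```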

Something that is not mentioned in Microsoft’s article is that you should use different passwords for different sites. I appreciate that this can mean having many, many passwords, but even if you group them together in some way (all your social media sites and all your email accounts, for example), that can a) cut down the number of passwords and b) should one become compromised, mean there are fewer sites that require new passwords.