
WORKLOAD INNOVATION

IT and Telecommunications Interim Management & Consultancy


+44 (0) 1908 565 460


Posted by Andrew Spencer on 11/01/2012 @ 09:00

ARE YOUR PASSWORDS PROTECTING YOU?

Making them difficult to break ...



How sure are you that your passwords are secure? How easily can they be broken? Do you use the same password for multiple websites - for banking, shopping and email? It is remarkable how predictable we are in creating passwords and how easy they are to break ...

Passwords are designed to protect you, so you should make them difficult to break.

Analysis in the United States of a list of 6,000,000 unique username/password combinations - drawn from what is stated to be publicly available sources - shows that the top 10,000 most common passwords (counting the number of different usernames with the same password) account for 99.8% of all passwords used! Believe it or not, the most common password is "password", followed by "123456". Predictably, "qwerty" is also in the top five.

The statistics show that 4.7% of users have the password "password", and just under 10% have one of the passwords "password", "123456" or "12345678". 79% have a password from the top 500 passwords, and a whopping 91% have a password from the top 1,000 passwords. How easy does that make the hackers' work?

The author of this analysis does point out that, whilst the top 10,000 passwords are used by 98.8% of users, there are over 2.3 million unique passwords (99.6% of the total) remaining that are in use by only 0.18% of users!

How do you measure the strength of your password and what constitutes a strong password? To measure the strength of your existing passwords there are sites that will analyse them and tell you where they are weak. Use these sites with discretion and certainly don't use them if any identification is asked for. One site I have used is www.passwordmeter.com. This gives a good and instant analysis.


Here are some tips for creating a strong password:

  • Include punctuation marks and numbers,

  • Use upper and lower case letters,

  • The password should be at least 14 characters (if allowed), 12 if you have to. The oft-stated best practice of 8 characters is too short and easily cracked.

And tips for what not to do:

  • Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames (an absolute no!), relative or pet names, romantic links (past or present), or biographical information.

  • Whilst it is often suggested to substitute numbers for letters in the word or string you use for your password, e.g. a "3" for an "e", this is apparently easily cracked now.

  • Don't use the same password for multiple sites that are sensitive, e.g. the same password for email and for banking. Anything to do with money, shopping or banking should have a unique password for each site.

  • Don't use a password that has been quoted as an example of good practice.

  • Don't use keyboard patterns. The obvious ones from the stats above are "qwerty" and "123456"; these fail when the sequence constitutes the whole password (as part of a broader password they will work, as will dictionary words). There are of course many other possible keyboard sequences.

  • Don't make your password all numbers, lower case or upper case letters - mix them up.


In addition to the above, there are things you should not do, like telling anyone what your password is or writing it down. The latter may be hard to contemplate when you have so many passwords. I use an innocuously named, password-protected spreadsheet for most of my passwords (even then there is only a prompt for the password) and remember the most sensitive ones without writing them down. Finally, do not ever email a password. Very little email is encrypted. It is scary to see so many passwords emailed by companies where they have labelled the password as such!

Randomly generated passwords are good if you are developing websites but of course users don't like them and will replace them with ones they can remember. Often the advice from customer support is to change the password - I know because I have done this myself in the past. It is easier than constantly having to re-issue randomly generated ones! Enforcing the above tips through good software is probably a better route to go and it is worth including a strength indicator at the time the user creates their password.
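The tips above and the suggestion of enforcing them in software with a strength indicator can be combined into a single checker that a sign-up form runs on the candidate password. The following is an added example, not code from the original post; the common-password and dictionary lists in it are short constructed stand-ins for the real lists, and a real deployment would load the full lists.

```javascript
// Added example: a password-policy checker implementing the tips in this post.
// COMMON_PASSWORDS and the default dictionary are constructed stand-ins; load full lists in practice.
const COMMON_PASSWORDS = new Set(["password", "123456", "12345678", "qwerty", "abc123"]);
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Undo common number-for-letter substitutions so "p4ssw0rd" is compared as "password".
function deLeet(pw) {
  return pw.toLowerCase().replace(/[0134578@$]/g, c => LEET[c]);
}

// True if the whole password is a run along one keyboard row (forwards or backwards).
function isKeyboardSequence(pw) {
  const s = pw.toLowerCase();
  if (s.length < 3) return false;
  return KEYBOARD_ROWS.some(row => {
    const rev = row.split("").reverse().join("");
    return row.includes(s) || rev.includes(s);
  });
}

// Returns the list of rule violations; an empty array means the password passes.
// `username` and `dictionary` are optional; the default dictionary is constructed.
function checkPassword(pw, username = "", dictionary = ["summer", "monkey", "dragon"]) {
  const problems = [];
  const lower = pw.toLowerCase();
  if (pw.length < 12) problems.push("shorter than 12 characters");
  else if (pw.length < 14) problems.push("shorter than the recommended 14 characters");
  if (!/[a-z]/.test(pw)) problems.push("no lower-case letters");
  if (!/[A-Z]/.test(pw)) problems.push("no upper-case letters");
  if (!/[0-9]/.test(pw)) problems.push("no digits");
  if (!/[^A-Za-z0-9]/.test(pw)) problems.push("no punctuation");
  if (/^(.+?)\1+$/.test(pw)) problems.push("repetition of a short unit");
  if (COMMON_PASSWORDS.has(lower) || COMMON_PASSWORDS.has(deLeet(pw))) problems.push("in the common-password list");
  if (dictionary.includes(deLeet(pw))) problems.push("a dictionary word (with or without substitutions)");
  if (isKeyboardSequence(pw)) problems.push("a keyboard sequence");
  if (username && lower.includes(username.toLowerCase())) problems.push("contains the username");
  return problems;
}

// A form can call checkPassword on each keystroke and show the reasons as the strength indicator.
console.log(checkPassword("p4ssw0rd", "alice"));
```

The `deLeet` step is what catches the "3 for an e" substitutions the post says are now easily cracked, and the repetition and keyboard-row checks only fire when the pattern is the whole password, matching the post's caveat.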

One final point about passwords. Quite a few companies enforce repetitive change of users' passwords - on, say, a quarterly basis - primarily to reduce the incidence of password sharing. Whilst it has that beneficial effect, it could also be argued that it encourages the user to create weaker passwords (for speed and convenience) that are easier to break. Changing the password on this basis does not protect the user from hacking, as the hacker will typically use the cracked password immediately.

There is a lot to think about here, both from a personal point of view and from the corporate perspective. If you are responsible for your business's security, this is just one thing you need to think about - but tricky to get right - and it is very hard to enforce sensible levels of password strength.

If you'd like some advice about your organisation's password policy, please call me on +44 (0) 1908 565460

Until next time ...

ANDREW SPENCER


PS. Stats above are courtesy of Mark Burnett, xato.net

More about Andrew Spencer ...

During Andrew's extensive business career he has worked in a wide cross section of companies, specialising in the creation of contact centres and business systems, software development, telecommunications and project management. Andrew's key skills are:

  • Business planning and strategy

  • Matching technology to business needs

  • Project management

  • Software development and implementation

  • Designing and implementing business systems

His work has included sourcing and implementing a new integrated telecoms system for National Energy Services, designing and project managing a new IT and telephony structure for the Greyhound Racing Association, and directing technology development for Wembley plc.

Website:

http://uk.linkedin.com/in/andrewspencerinterim
