Your passwords still suck: a continuation of our conversation

Computer Biometric Finger Scan

Password security is an oft-discussed topic here on Web Watch – we’ve covered it with a list of the most common passwords, how kids select passwords, and how “TIGGER” is not a good password, among other topics.

So when some more password analysis became available due to the recent security breach at Sony, Web Watch felt it was important to share again how bad people can be with picking passwords — which should help reiterate how important it is for our Web Watch readers to have a good password policy of their own. What Troy Hunt found as he filtered through the millions of passwords and logins that became “available” after the Sony event was this:

• Of the top 25 passwords that were in use, some of those included the ever popular:
  • password
  • 123456
  • tigger
  • abc123
  • …and what appear to be various pet names, such as “ginger”, “buster”, “peanut”, “bosco”, and “bailey”
• Password length for the majority of passwords is still within 6-10 characters.
• Passwords still aren’t varied enough with a mix of upper- and lower-case letters, combined with numbers and non-alphanumeric characters.  Only 4% of the passwords reviewed had at least three of those attributes (and therefore, being more secure)

When comparing different hacked password databases, we get the ability to see how common passwords are between multiple systems.  In this case, for users that were identified as having accounts in both databases, 67% had the same password.

Like many things in life (scuba gear, underpants, mouth retainers), sharing isn’t always a good thing.

So what does this mean to you, faithful Web Watch reader?  It’s pretty simple, really, and nothing you haven’t heard us cover here before:

• Use a unique password for every place you log into
• Ideally, the password should be a minimum of 12 characters long and consist of uppercase letters, lowercase letters, at least one number, and at least one non-alphanumeric character
• When looking at your password, there shouldn’t be any part of it that could be found in a dictionary. Make it really really unique.

Having trouble with remembering all these passwords for online stuff?  Get a password manager like 1PASSWORD or similar — let that system manage your passwords for you so you don’t have to.