Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts tagged passwords

It seems that people will never learn the value of a good password. For all you dolts out there, stop using “password” as your password!

“Password” ranks first on password management application provider SplashData’s annual list of worst internet passwords, which are ordered by how common they are. (“Passw0rd,” with a numeral zero, isn’t much smarter, ranking 18th on the list.)

The list is somewhat predictable: Sequences of adjacent numbers or letters on the keyboard, such as “qwerty” and “123456,” and popular names, such as “ashley” and “michael,” all are common choices. Other common choices, such as “monkey” and “shadow,” are harder to explain.

Here’s the list:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

The company provided some tips for choosing secure passwords in a statement:

  1. Vary different types of characters in your passwords; include numbers, letters and special characters when possible.
  2. Choose passwords of eight characters or more. Separate short words with spaces or underscores.
  3. Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.

As usual, these tips can save you a lot of aggravation later. The key is to actually implement them, not just read about them. If you don’t make your passwords long enough or secure enough, anyone with minimal knowledge will be able to get into your system.


XKCD has a great comic today about rethinking how you use passwords.


From MetaFilter:

I, on the other hand, think that I will preserve the security of my passwords by not telling strangers on the internet the exact procedure I use to select my passwords.

Actually, for additional security, it’d probably be even more effective to lie to everybody about how I picked my passwords.

So, uh, this is what I do — I count the number of characters in the web site’s address. For example, metafilter has ten letters. This corresponds to Neon on the periodic table of elements. The atomic weight of Neon, of course, is 20.1797, which I spell out using the phonetic alphabet, but, and this is important, not using the commonplace NATO phonetic alphabet, but the US Phonetic alphabet from 1941-1956.

Hence, my metafilter password is TareWilliamOboeZebraEasyRogerOboe etc.

For important things like banking, of course, I transpose some numbers so that if anybody ever cracks the code they will be like “Wait, this guy thinks the atomic weight of Neon is 20.71?! He can’t be a very good chemist, I bet he’s poor, why should I even bother.”

posted by Comrade_robot at 6:13 AM on March 31

It’s something to think about the next time you need to create a password.


Simple tips for better web password security from Sophos Labs on Vimeo.

Graham Cluley, senior technology consultant at Sophos, explains a simple way of creating a complex hard-to-guess password – and how you should never use the same password on different sensitive websites.

Filmed in a mysterious corner of Sophos’s offices in Abingdon, Oxfordshire.

Learn more on Graham Cluley’s blog at http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/

Feel free to embed this video on your own websites/blogs/etc. If you prefer, it’s also available on YouTube at http://www.youtube.com/watch?v=VYzguTdOmmU


The recent RockYou hack has revealed, once again, why breaches like this are so easy to pull off: people used predictable passwords despite the many warnings not to.

Sensitive login credentials – stored in plain text – were left exposed because of a SQL injection bug in RockYou’s website. RockYou admitted the breach, which covered user passwords and email addresses for widgets it developed, and pledged to improve security to guard against future problems.

From over 32 million passwords, the results were, sadly, not surprising. The top ten were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

While the top ten shouldn’t surprise you, the fact that over fifty percent of the passwords used regular names, slang, and common dictionary words should. Even worse, the admins stored the information in plain text, something that should never be done. Hashing the passwords is not difficult, yet RockYou failed to do such a basic task. RockYou also didn’t have simple security controls in place, such as a minimum password length and a requirement for alphanumeric passwords.
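The following is an added example (not code from RockYou, SplashData or this blog) showing the two things the posts above ask for: rejecting passwords that fail the SplashData tips or appear on the worst-passwords list quoted earlier, and storing what is accepted as a salted, slow hash instead of plain text. The PBKDF2 parameters and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# The SplashData worst-passwords list quoted above, used as a blocklist.
# Matching is case-insensitive, so "Password" and "PASSW0RD" are caught too.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

def check_policy(password: str) -> List[str]:
    """Return the reasons a password fails the tips above; empty means it passes."""
    problems = []
    if len(password) < 8:                      # tip 2: eight characters or more
        problems.append("shorter than 8 characters")
    classes = sum([                            # tip 1: vary the character types
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # spaces/underscores count here
    ])
    if classes < 2:
        problems.append("uses only one kind of character")
    if password.lower() in COMMON_PASSWORDS:   # the list everyone already tries
        problems.append("appears on the common-password list")
    return problems

# What should be stored instead of plain text: a random per-user salt and a
# deliberately slow hash. Iteration count is an assumed example value.
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for candidate in ["password", "Passw0rd", "abc1", "Blue_Whale_42"]:  # constructed samples
        print(candidate, "->", check_policy(candidate) or "ok")
    record = hash_password("Blue_Whale_42")
    print(record)
    print(verify_password("Blue_Whale_42", record), verify_password("password", record))
```

Note that "Passw0rd" passes the length and character-variety checks and is rejected only by the blocklist, which is why the policy checks alone are not enough.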

Users should be looking to create more difficult passwords or suffer the consequences of further breaches.
