A password is a secret word or string of characters that is used for authentication to prove identity or gain access to resources. We encounter passwords in our daily lives, at the ATM, when logging onto our home or office computers, or logging into our table TV decoder when purchasing a pay-per-view event. We use passwords several times per day when we are using our computers, such as retrieving e-mail from servers; accessing programs; databases; social networking websites; or even reading the morning newspaper online. Computer passwords are our first, last, and best line of defense against damaging intrusions. Companies rely on passwords to protect sensitive information from hackers. The use of poorly designed passwords could leave us vulnerable to: identity theft, financial loss, invasion of privacy, exposure of proprietary company data, and sharing sensitive or embarrassing information. Here are some common password mistakes that users make, including examples of bad passwords.
The password is easy to locate
Whether the password is long or short, complex or simple, a password that is written down on a Post-it note and stuck on your monitor, beneath your keyboard, or in your desk drawer (that has no lock) offers as much protection as a system that has no password in the first place. Your best bet is to create a password that you can memorize easily or retrieve from your (password protected) mobile phone.
The password is too short and simple
These passwords share two other things in common: they contain fewer than eight characters and they use a single character set, where the first password uses all lowercase letters, the second uses all numbers, and the third uses all uppercase letters. Most password policies require that a password be at least eight characters long, with even more restrictive policies requiring the use of at least two or more character sets.
The password is too common
Many users create passwords out of common phrases, obvious patterns, or combinations of words. Part of the repertoire that hackers employ includes English and foreign language dictionary attacks. Ironically, correctly spelled passwords are the easiest to crack by dictionary attacks. Simply transposing a letter or number to its visual equivalent (swapping an “O” for “0” (zero) in “passw0rd”) is not enough.
Using the same password for all your accounts
If a hacker succeeds in cracking your password for one account, be it your e-mail account or your Facebook account, chances are, they will attempt to use that same password for every other online account that they determine is yours. It is in your best interest to create a unique password for each online account that you own.
The password contains personal information
Avoid creating passwords that contain your name, home address, phone number, birthday, driver’s license, Social Security number, passport number, or similar information.
The password is based on your kids’ or pets’ names, nicknames, the names of characters in books or movies, or celebrity names.
If your Facebook profile can be viewed publicly, hackers can derive passwords based on the captions of your family photos or the books and movies that you “like”.
Reversing or capitalizing the last two types of bad passwords
Reversing your home phone number or your granddaughter’s middle name may be more complex for you to remember, but not for hackers to decipher. After all, hackers can do a reverse dictionary attack (where they look up all the words in the dictionary spelled backwards) in an attempt to steal your password.
Network system administrators are not off the hook when it comes to creating password policies. Often times, companies try to use password policies to keep those mistakes from hampering security. However, these policies must be done correctly in order to have an effect. Here are some common password policy mistakes IT departments make.
Overdoing a good thing
If a network admin requires users to create new and extremely complex passwords every 30 days, the users may start to ignore the rules and keep the hard-to-remember passwords written down.
Applying password policies unevenly
Companies may require strong passwords for users during initial login, but at other levels of security, password policies may be much weaker. Hackers who toil at cracking the user’s tough login password would be pleased to discover that security throughout the rest of the system is much more lax.
Allowing password policies to become outdated
While making users update their passwords every 30 days may be difficult for some users, not updating password policies at all would allow a system to become just as susceptible to attacks by hackers, who can rely on old information to gain access.
In order for users to protect themselves from identity theft, financial loss, or loss of privacy, users should actively and regularly create strong passwords. Here are some guidelines to creating a strong password.
Keys to password length: length and complexity
An ideal password is long and has letters, punctuation, symbols, and numbers (e.g. spanning four character sets: lowercase letters, uppercase letters, numbers, and special characters). If possible, use a password that is at least 14 characters or more and spans all areas of your keyboard, using letters and symbols you use less frequently.
Create a strong password you can remember
Microsoft outlines a method to create a long, complex password:
Start with a sentence or two.
- Complex passwords are safer and easier to remember.
Remove the spaces between the words in the sentence.
Turn words into symbols, numbers, or shorthand.
Add length with numbers. Put numbers that are meaningful to you after the sentence.
Another site has additional suggestions for how to create a stronger password that is difficult to crack, yet easy to remember:
- Choose two short, unrelated words (like your favorite exercise, animal, flower, or weather, for example) and join them with an arbitrary number and/or symbol. Examples: “jump3$lily” or “dog+rain”.
- Use first letters of a sequence. For example: your nephews (named Jeremy, Roger, and Allen) and their ages: “8Je9Rog12Alle”.
- Make a really long password from a sentence. Examples: “IwentskydivinginApril87” or “0416istheBostonMarathon”.
- Select a line or title of a song or poem, and use the first letter of each word. For example: “Who ya gonna call? Ghost Busters!” would produce “Wygc?GB!” or “You can’t always get what you want” yields “Ycagwyw.” Even better, throw in a number or punctuation mark in the middle: “Ycag$wyw”.
- Alternate between one consonant and one or two vowels, up to eight characters. This creates nonsense words that are still usually pronounceable, and thus easily remembered. Examples: “routboo,” “quadpop,” and so on.
- Consider treating your password as multiple parts: a central core and a prefix and/or suffix when needed that is specific to the service the password protects. For example: your core might be “gPw4” (that is, “generic Password for…”) and then if it’s a password for a newspaper website like the New York Times, you might choose to add “NYt” to the beginning or end of the password (“NYtgPw4”), while your password for eBay auctions might be “gPw4eBa” and your Yahoo! email password could be “gP4Y!e”.
- Generate your own scheme very methodically. Start with a word, and then delete a character or two, or perhaps just the vowels. Throw in some numbers or punctuation. Continue making the rules for yourself. Choose something that would seem totally random to someone else but that makes sense to you. Use your imagination!
Tester password with the password checker
Always run a password checker to evaluate your password’s strength automatically. Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.
Protect your passwords from prying eyes
If these strong passwords are still too difficult to remember, go ahead and write it down, but keep the written password in a secure location. Once you’ve created a strong password, continue with the suggestions below to keep it even safer:
- Never share your password with anyone. This includes family, friends, significant others, computer support people, and bosses. If you need someone to read your email, many email programs (for example, Outlook) allow you use a “delegates” feature to enable certain persons do so without using your password. Check with your email provider.
- Never say “yes” when your browser asks you if you’d like to save your password. Although it’s convenient, it’s not a good idea—especially when the computer you are using is shared. Some computer viruses can even recover your passwords from your Internet browser and then e-mail them to random people or post them publicly on the Internet. Stop this from happening in the future and to remove passwords that are already stored.
- If you absolutely must write down a new password the first time or two you use it and until you can remember it easily, be sure you keep it in a very safe, hidden place—not a sticky note stuck to your computer or your desk! Then, shred it—don’t just toss it in the trash—once you’re done.
- Never send your password in email, even if the request looks official. If you receive e-mail from someone claiming to be your systems administrator, requesting your password because they supposedly need access to your files, ignore it. This is a popular phishing scam. Remember, your computer support people will never ask you for your password for any reason. If someone must ask you to change your password so that they can gain entry to your account, they do not have reason to be there!
- Change your password often. This is important, particularly for passwords that protect highly sensitive data. And if you ever suspect your password has been compromised, change it immediately!
Google summarizes the above information in the following video: