Slashdata published a list of the worst passwords of the year. This was done by compiling the frequency of occurrence in stolen username/password lists that were published for sale. So in one respect these passwords were doubly bad. Not only were they common but they were on sites that were open to hacking.
The most common form of password attack at this time is the dictionary attack. Hackers have a large list of common passwords and their computer simply systematically runs through the list one word after another. Obviously hackers put the most common passwords at the top of their dictionaries. So if you are using one of these it will only take a moment to gain access to your account.
Simple patterns on the keyboard such as qwerty and qazwsx and 123456 are high on the list. And some of the things that you thought were clever were apparently also found to be clever by way too many other people, such as changing the o to a 0 in ‘password’, which only moves you from number 1 to number 18. Also if you thought that trustno1 was a really cool and clever password then apparently you have a lot of company.
So how do you do better? Security experts recommend having unique complicated passwords and changing them frequently. But most people, even those that should know better, have easy to remember passwords, use them in many places, and change them only when forced to.
Is there a middle ground?
I believe so. The first thing is to think of ‘tiers’ of security:
- Sites where a stolen password might allow somebody to impersonate you, but would not result in serious financial harm, breach of confidentiality, or major identity theft. These should not be sites which store credit card information or other personal identification numbers like social security information, addresses, and so forth. This might include twitter, discussion boards, e-mail, games, etc.
- Sites where one can do a fair deal of commerce and which might have your credit card numbers or their equivalent stored on file. This include amazon, ebay, etc.
- Sites containing information which you have a professional obligation to keep secret as part of your work.
- Sites which contain the potential for serious financial harm. These include brokerage sites, paypal, electronic banking.
Then you follow a simple rule: Never repeat a password across tiers. That way, while you are repeating passwords between sites which might increase the scope of a hacked password, it will not increase the severity of a hacked password. In addition, the lower level sites like discussion boards are the ones to likely have the least attention to security while the top level sites are likely to have the highest attention paid to security.
That gives you as few as four passwords to remember while managing your exposure to a breach.
Then think of a method to create passwords that are long and easy to remember before trying to think of the password itself.
- The old school online password. The old online services like AOL and Compuserve sent out tons of ‘try it free’ CDs in the mail, each including an account name and a password. So they needed a ton of computer-generated passwords that would not be too hard to remember. What they came up with was two randomly selected words with some sort of punctuation between, like green+glass. As passwords go they weren’t too bad as long as you didn’t know that the password was in this format. So if you made it three words, varied the punctuation, and threw in an uppercase letter or two, it makes a hard-to-guess password. Then you can create a mental picture that will help you remember the words.
- The sentence password. Make your password a short sentence, including capitals and punctuation. Of course it needs to be a difficult to guess sentence. Since letmein is number 8 on the list of common passwords, making your password ‘Let me in!’ is not much of an improvement. On the other hand ‘My pencil box has no propeller?’ is not likely to be guessed.
- The anagram password. This is similar to the sentence password but works with sites that limit password length. Think of a sentence and then take just the first letters of each word, perhaps substituting a number for a word. So perhaps 14A&A41! (One for all and all for one! from the three musketeers)
I believe that one reason why people subconsciously choose simple passwords is that they are afraid that in the event something happened to them that others would be able to guess the password. Part of their brain is saying that maybe they shouldn’t make it too hard to guess. Frankly this is a valid concern. Disaster planning is an important part of overall information security. But it is a hard thing to reconcile when dealing with passwords. You aren’t supposed to write them down and you are supposed to change them frequently, right? So for example a notepad in a safe deposit box might be secure enough, but it would be hard for you to regularly change. If you store them in a password management system on the computer, then what happens if the password to get onto the computer is secret?
Here is what I suggest. Use a secure USB flash drive. Some flash drives come with encryption software installed but otherwise you can download a copy of truecrypt and follow the instructions for creating a traveler disk. Then create a text file in the encrypted volume and keep track of the passwords there. Just remember to keep the encrypted volume closed and the USB drive disconnected from the computer when not immediately needing it. Then take the password for the encrypted file and the instructions on how to use it, and put it in the safe deposit box or give it to whoever would be in charge of your affairs in the event of your incapacity. Then you can make your passwords as complicated as you like.