You’ve heard over and over the importance of choosing a good password, but we all seem to keep the same bad habits. Roger Grimes analyzed 34,000 real passwords and discovered some interesting trends:
- As expected, English vowels are by far the most frequent occurring password symbols.
- [In passwords with numbers,] the number 1 appeared 45 percent of the time, followed by the number 2 (22 percent.)
- The exclamation point was the most commonly used non-alphanumeric character.
- Words, colors, years, names, sports, hobbies, and music groups were very popular.
- Other popular words include: angel, baby, boy, girl, big, monkey, me, and the.
- Names of sports — golf, football, soccer, and so on — were as popular as professional sports teams and college team nicknames
Drawing on this study and other wisdom, here are some tips for choosing a good, secure password. Read #8 if you don’t read them all:
- Don’t write your password on a sticky note attached to your monitor (or “hidden” under your keyboard.)
- Don’t choose anything obvious like your birthday, spouse name, etc.
- Don’t choose any single word you can find in a dictionary.
- Don’t use the same password on a secure site (like your bank) as on an insecure site (like a mailing list.) If someone discovers your password because it was emailed to you from an insecure site, you don’t want your bank account to be vulnerable. Ideally you’d keep a different password for each site.
- If a digit is required in your password, don’t simply append a “1″ or a “2″. If a symbol is required, don’t simply append an exclamation point.
- Learn which channels are secure and which are not. Generally HTTP, FTP, and VNC are not secure, while HTTPS, and SSH are secure. Don’t use secure passwords on insecure channels. (Look for the padlock in your browser.)
- Pick a password you can remember, so you won’t have to write it down.
- Pick a LONGER password. Think of a phrase or sentence or haiku, not a word. Password length is more important than symbols or numbers. For a security expert like Mr. Grimes, a 6-9 character password with “complexity” (symbols, numbers) is fairly easy to break, while a password with 15+ characters is almost impossible to break.
Eventually, we may be using our fingerprints or some other biometric procedure, but until then, choose a good password.