You’ve heard over and over the importance of choosing a good password, but we all seem to keep the same bad habits. Roger Grimes analyzed 34,000 real passwords and discovered some interesting trends:
- As expected, English vowels are by far the most frequently occurring characters in passwords.
- [In passwords with numbers,] the number 1 appeared 45 percent of the time, followed by the number 2 (22 percent).
- The exclamation point was the most commonly used non-alphanumeric character.
- Words, colors, years, names, sports, hobbies, and music groups were very popular.
- Other popular words include: angel, baby, boy, girl, big, monkey, me, and the.
- Names of sports (golf, football, soccer, and so on) were as popular as professional sports teams and college team nicknames.
Drawing on this study and other wisdom, here are some tips for choosing a good, secure password. Read #8 if you don't read them all:
1. Don't write your password on a sticky note attached to your monitor (or "hidden" under your keyboard).
2. Don't choose anything obvious like your birthday, your spouse's name, etc.
3. Don't choose any single word you can find in a dictionary. Password crackers try every dictionary word (and the popular words above, with the usual letter substitutions and appended digits) before they try anything else.
4. Don't use the same password on a secure site (like your bank) as on an insecure site (like a mailing list). If someone learns your password because a careless site emailed it to you or stored it in the clear, you don't want your bank account exposed as well. Ideally you'd keep a different password for each site.
5. If a digit is required in your password, don't simply append a "1" or a "2". If a symbol is required, don't simply append an exclamation point. Those are exactly the guesses a cracker tries first, so they add almost nothing.
6. Learn which channels are secure and which are not. Generally HTTP, FTP, and VNC are not encrypted, while HTTPS and SSH are. Don't send a password you care about over an insecure channel. (Look for the padlock in your browser; it tells you the connection is encrypted, not that the site on the other end is trustworthy.)
7. Pick a password you can remember, so you won't have to write it down.
8. Pick a LONGER password. Think of a phrase, a sentence, or a haiku, not a word. Length matters more than symbols or numbers: every extra character multiplies the attacker's search space by the size of the alphabet, while adding a symbol or digit only enlarges that alphabet once. For a security expert like Mr. Grimes, a 6-9 character password with "complexity" (symbols, numbers) is fairly easy to break, while a password with 15+ characters is almost impossible to break.
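To put numbers on tips 5 and 8, here is a small scorer written as an added example for this page (it is not code from Grimes's study or from the post's author). It computes the brute-force search space that a "complexity" policy assumes, then flags the habits the study found over-represented, so the two views can be compared side by side. The word list and the sample passwords are constructed for the example, not taken from the 34,000-password data set.

```python
import math
import re
import string

# Sizes of the character classes a brute-force attacker has to cover
# (symbol = printable ASCII punctuation plus space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Stand-in wordlist, constructed for this example from the words the study
# found popular. A real cracking wordlist has millions of entries, so treat
# membership here as "would be among the very first guesses".
COMMON_WORDS = {
    "password", "monkey", "angel", "baby", "boy", "girl", "big", "me", "the",
    "golf", "football", "soccer", "letmein", "qwerty",
}


def classes_used(password):
    """Which character classes appear at least once."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def naive_bits(password):
    """Bits of brute-force work if every position were uniformly random over
    the classes the password uses. This is the model a 'complexity' policy
    silently assumes, and it is the MOST an attacker ever has to do."""
    if not password:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return len(password) * math.log2(alphabet)


def split_tail(password):
    """Split into the letter-based core and the digits/symbols tacked on the
    end, which is where the study's 1, 2 and ! habits live."""
    core = password.rstrip(string.digits + string.punctuation)
    return core, password[len(core):]


def habit_findings(password):
    """Patterns the study found over-represented. Each hit means a cracker's
    default rule set reaches this password long before naive_bits predicts."""
    findings = []
    core, tail = split_tail(password)
    digits = "".join(ch for ch in tail if ch.isdigit())
    symbols = "".join(ch for ch in tail if not ch.isdigit())
    if digits and set(digits) <= {"1", "2"}:
        findings.append("appended digit is just 1 or 2")
    if symbols and set(symbols) == {"!"}:
        findings.append("appended symbol is just '!'")
    if re.fullmatch(r"(19|20)[0-9]{2}", digits):
        findings.append("appended a year")
    if core.lower() in COMMON_WORDS:
        findings.append("core is a common word")
    if len(password) < 15:
        findings.append("shorter than 15 characters")
    return findings


def report(password):
    """Naive search-space estimate next to the habit flags that undercut it."""
    return {"naive_bits": round(naive_bits(password), 1),
            "findings": habit_findings(password)}


if __name__ == "__main__":
    # Constructed sample passwords, not from the study's data set.
    for pw in ["Monkey1!", "Summer2007!", "bluehaikusunset",
               "correct horse battery staple"]:
        print(f"{pw!r:32} {report(pw)}")
```

The instructive case is "Summer2007!": by the naive count its four character classes give it about 72 bits, roughly the same as the 15-letter lowercase "bluehaikusunset", yet it trips three of the study's habits (a trailing year, a trailing "!", and fewer than 15 characters), so a cracker's wordlist-plus-rules pass finds it almost immediately. Adding length instead of a mandatory class raises the naive number just as fast and produces no such findings.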
Eventually, we may be using our fingerprints or some other biometric procedure, but until then, choose a good password.
8 replies on “Choose a good password”
I just ordered one, I’ll try the experiment.
Rickety, I don’t know specifics about the PayPal security key but I know a lot of corporate networks use a physical token as part of their security, in addition to passwords. Sounds like an experiment worth trying.
Brian, good article.
Tara, a password manager doesn’t seem like a bad idea, but the password used to lock the manager has to be particularly safe to protect all the other passwords. One must also trust your service to be secure.
I can’t help but notice that you forgot to mention the golden rule in this article:
Choose – and USE – a Password Manager.
That should be the zeroth law (Asimov fans eat your heart out).
By getting your passwords safely stored and organized, you can make them as ludicrously long, complicated and senseless as need be, without having to commit them to memory.
If you’ve never used a password manager before, here are the steps to follow to get set up, and get all your weak passwords changed into strong ones:
http://passpack.wordpress.com/passpack-getting-started/
Then you’re done, all you’ll need to do is look them up when you need them.
PassPack is an online service so you’ll have access 24/7 via the internet. Yes, it’s secure – not even PassPack itself can read your passwords. It uses a technique that leverages your browser’s number-crunching ability. Here’s more info:
http://passpack.wordpress.com/2006/12/14/password-security-packing-keys/
Cheers,
Tara
PassPack Founding Partner
What is your opinion on online protection schemes like PayPal’s Security Key?
The point of having capital and non-alpha characters is that the search space is bigger. But when 45% of numeric are the number 1, and ! is far and away the most-used special character, what you’re getting instead is a LESS SECURE password. Congratulations, you just traded your 26 letter search space (for that digit) for 2 or 3 characters that account for 95% of the special/numeric characters used.
But by far the biggest enemy to secure passwords is these brain-damaged policies that require you to change it every 3 months. I just don’t have the human RAM to store a new set of 10 passwords every month, and coming up with a secure password isn’t an on-the-spot pastime, so I am forced to use fewer and less secure passwords. Brilliant.
I hate passwords.
I read an article recently titled “How I’d Hack Your Weak Password” and decided it was time to do a refresh of passwords. I went to my five most sensitive accounts (bank, email, credit card, etc.) and changed all the passwords.
I think that is a good suggestion about the length. The way that the Mac Keychain does such a good job keeping your passwords organized, it makes sense to just make them super long since you don’t have to type them each time.
Here is a link to that article. It gives 10 guesses to break most passwords.
http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/