We have all heard about the great feats of Harry Houdini, the magician and escape artist. He would be bound in chains locked with padlocks and thrown into a river, yet he would somehow open all the locks and escape. Things were not as they seemed. What is little known is that Houdini was a locksmith and in his day there were only about 110 different locks in the world. Houdini had a key for every one of them.
Such is the case with passwords: things are not as they seem. Most people picture another person sitting at a keyboard trying to guess their password. That is not how it works these days.
Now is a very good time to talk about passwords because never before have I seen such an increase in email hack attempts as there have been this year. This is the reason for the increase in the number of sites that tell you how strong your password is when you select it.
Humans are not trying to guess your password. Software is. Programs that do the job are freely available for anybody to download; "John the Ripper" is a very common one. Such a program runs through a list of likely passwords first, then every combination of characters, checking each candidate automatically and far faster than any person could type.
When Twitter and several other popular sites were hacked and all those passwords were revealed, clear patterns showed up in what people choose. It is a bit unsettling to me that the most common password used on the Internet is the word "password". The second most popular one is "123456". There is actually a list of the top 1,000 poor passwords, and over 50% of Internet users have used one of them; there is also a list of the 10,000 most common passwords. Other bad choices are names of family members, dates, a dog's name, etc., and all are very common. Those are exactly the words a cracking program tries first, because its word list is built from what people have already been caught using.
Our systems triple encrypt passwords, but that still won't protect you against a password that is far too common or too short. The word "fido", encrypted or not, is still only four characters: the cracker never has to undo the encryption, it simply puts each guess through the same process and compares the result with what is stored. Password cracking software can try hundreds of thousands of candidates in a very short period of time. One piece of software that I saw boasts 103,000 password attempts per second over the Internet, and against a stolen copy of a password database, worked on offline, the rate is many orders of magnitude higher. If your password is too simple, or too short, the software will figure it out.
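As an added illustration of that point (example code written for this page, not software from the article or from WAASI's systems): the stored form below is an assumed stand-in of three rounds of SHA-256, since the article does not say what its triple encryption is. The attacker never reverses it; the code runs the same function over every guess and compares, first against a short constructed list of common passwords, then over every lower-case string of up to four letters, and counts how many guesses it took.

```python
import hashlib
import itertools
import string
import time

# Assumed stand-in for the article's "triple encrypted" storage: three rounds of SHA-256.
# This is not a description of any real system. The point of the demonstration is that
# the number of attempts below does not depend on how the stored form is produced.
def stored_form(password, rounds=3):
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def wordlist_attack(target, words):
    """Try each candidate from a list in order; returns (password, attempts) or (None, attempts)."""
    for attempts, word in enumerate(words, start=1):
        if stored_form(word) == target:
            return word, attempts
    return None, len(words)


def brute_force(target, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string over `alphabet` up to max_len characters, shortest first."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if stored_form(candidate) == target:
                return candidate, attempts
    return None, attempts


def seconds_at(attempts, rate=103_000):
    """How long those attempts take at a given guesses-per-second rate (default: the article's figure)."""
    return attempts / rate


# Constructed fragment of a common-password list; the article names the first two entries.
COMMON = ["password", "123456", "12345678", "qwerty", "letmein", "fido"]


if __name__ == "__main__":
    # "password" is found on the very first guess from the common list.
    found, tries = wordlist_attack(stored_form("password"), COMMON)
    print("wordlist: recovered %r after %d attempt(s)" % (found, tries))

    # "fido" is not even on this tiny list, so fall back to exhaustive search over a-z.
    start = time.perf_counter()
    found, tries = brute_force(stored_form("fido"))
    elapsed = time.perf_counter() - start
    print("brute force: recovered %r after %d attempts in %.2f s here, "
          "%.1f s at 103,000 guesses per second" % (found, tries, elapsed, seconds_at(tries)))
```

Running the script shows "fido" falling after roughly 112,000 attempts, about one second at the rate the article quotes. A deliberately slow password hash lowers the attacker's rate, but it never changes the number of attempts a four-letter word costs; only length and unpredictability do that.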
Two major studies claim that for a password to be secure it should be at least twelve (12) characters long. Unfortunately, many places on the Internet won't allow passwords that long. At the very least, make it eight (8) characters. Other considerations: a password should NOT be based on a word found in the dictionary, it SHOULD HAVE both upper- and lower-case letters, and it SHOULD contain one or more symbols if the site allows them. Here are examples of strong passwords: "tV56R^m9" and "Pb46!vT9". Both have eight characters drawn from the full keyboard (roughly 94 possibilities in each position), which is about six quadrillion combinations; at the 103,000 attempts per second quoted above, trying them all would take nearly two thousand years, a real challenge for anyone guessing over the Internet. Against a stolen copy of the password database, cracked offline, the same eight characters fall far sooner, which is why twelve is the better target. If a site lets you use longer passwords and you want something pronounceable, you can pick something such as "MorgMainsBulleds59". Its length is what makes it strong; a cracker that glues dictionary words together gets closer to it than the raw character count suggests, so keep the pieces from being real words or real names.
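The rules in this section written out as a checker (an added example, not code from the article): it applies the length, letter-case, symbol, dictionary and common-list tests, and estimates the worst-case guessing time from the character classes used, both at the 103,000 guesses per second quoted earlier and at an assumed offline rate. The common-password and dictionary samples are constructed here; a real check would load the full lists.

```python
import math
import string

# Constructed sample of the common-password list; the article names the first two.
# A real check loads the full 1,000- or 10,000-entry list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "fido"}

# Constructed stand-in for a dictionary; a real check loads a word list such as /usr/share/dict/words.
DICTIONARY_WORDS = {"password", "fido", "morgan", "bullet", "main", "sunshine"}

# Guess rates. The first is the figure the article quotes for guessing over the Internet;
# the second is an assumed round figure for offline cracking of a leaked fast-hash database.
ONLINE_RATE = 103_000
OFFLINE_RATE = 10_000_000_000

MINIMUM_LENGTH = 8       # the article's floor
RECOMMENDED_LENGTH = 12  # the length the studies it cites recommend


def pool_size(password):
    """Characters an attacker must try per position, inferred from the classes present."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        pool += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        pool += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)       # 32
    return pool


def entropy_bits(password):
    """Upper bound on guessing entropy, assuming each character was picked uniformly from the pool.
    A password built from words, names or dates has much less real entropy than this figure."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def worst_case_seconds(password, rate):
    """Time to exhaust every string of this length over this character set at `rate` guesses/s."""
    return pool_size(password) ** len(password) / rate


def check_password(password):
    """Return the list of rules the password breaks; an empty list means it passes."""
    failures = []
    lowered = password.lower()
    if len(password) < MINIMUM_LENGTH:
        failures.append("shorter than %d characters" % MINIMUM_LENGTH)
    if lowered in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    if lowered in DICTIONARY_WORDS:
        failures.append("is a dictionary word")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("needs both upper- and lower-case letters")
    # A symbol is asked for where the site allows one; a long pronounceable password
    # such as the article's third example is accepted without one.
    if not any(c in string.punctuation for c in password) and len(password) < RECOMMENDED_LENGTH:
        failures.append("no symbol and shorter than %d characters" % RECOMMENDED_LENGTH)
    return failures


def describe(password):
    """One summary line: verdict, entropy bound and worst-case crack time online and offline."""
    failures = check_password(password)
    verdict = "weak (" + "; ".join(failures) + ")" if failures else "passes"
    return "%-20s %s, <= %.1f bits, worst case %.3g s online / %.3g s offline" % (
        password, verdict, entropy_bits(password),
        worst_case_seconds(password, ONLINE_RATE), worst_case_seconds(password, OFFLINE_RATE))


if __name__ == "__main__":
    for pw in ("password", "123456", "fido", "tV56R^m9", "Pb46!vT9", "MorgMainsBulleds59"):
        print(describe(pw))
```

The entropy figure is an upper bound: it is only honest for characters chosen at random, so the checker reports it as "<=" and still fails any password that appears on the lists regardless of how many bits the character count suggests.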
In any case, passwords are something that should not be taken lightly. If it is too simple it won't be secure in today's world. And a final note, don't use any of the passwords in my examples above as they have been published on the Internet.
Article written by Larry Johnson, Network & Hardware Consultant
© WAASI, Inc.
Last updated: 26th January 2014