Barney's Blog

Banishing Bad Passwords

In the very early days of computing most of us stuck with just one password to remember. Now I have a couple dozen. That's because each site or service seems to require a different level of password. And when passwords expire you have to come up with a new one.

Forgetting a password is a fear that ranks right up with spiders, public speaking and meeting future in-laws. That's why so many choose such weak passwords -- weak passwords are easy to remember.

SplashData has been tracking the worst and it recently released 2012's 25 worst passwords.

As expected, "password" is the worst, followed by the near twins "123456" and "12345678." What I didn't expect to see on the list is "monkey," "dragon" and "Ashley."

SplashData offers the usual advice: make passwords complex, and perhaps use a phrase so the result is complex but still easy to remember.

Redmond Report readers have their own advice:

"What I suggest to our people is to use a sentence like mydogFid0,has4coldnose," wrote Ed from Maryland. "Easy to remember and could easily be modified to relate to the system or Web site on which it is used. The problem I run into is limitations on password length. Only 8 characters for the bank? Give me a break!"

Then John from Pennsylvania chimed in: "I have at least 10 passwords to maintain at work and each one has different rules and limitations on their creation. You better bet that I've figured out how to reuse the same one with minor mods for over a year before I need to make a major change."

How do you remember all your passwords? Best advice can be sent to dbarney@redmondmag.com.

Posted by Doug Barney on 11/26/2012 at 1:19 PM


Reader Comments:

Mon, Dec 3, 2012 Andre

I have been using KeePass Password Safe. Not only does the program let you protect your passwords with a single password but you can also open the web page, if you stored the URL in the entry for the site, and you can have it enter your password for you using Auto-Type. I love it and use it at home and at work. You can carry the db with you on a USB stick and open it right from there using any install of the program as long as it is close to the same version, though that does vary by version. What is really neat is that you can take the folder that you installed KeePass into and copy it to your USB stick. You can run it from there on any computer, without installing it again.

Tue, Nov 27, 2012 Craig

There is a set of passwords that I use on a daily basis, so those I've remembered (they are complex). For all other passwords I use Password Safe (free, open source). I think people should use some sort of password manager.

Tue, Nov 27, 2012 EagleOne Montreal, Canada

I too second David as a long-time user of LastPass... I gave up many years ago on the painful task of trying to remember hundreds of passwords for all the online accounts, even minor ones... I used to have a schema that was a combination of a keyword related to the site and numbers, but even that had its weakness, since someone could eventually guess the 'schema'. Locally I use the HP ProtectTools to manage network credentials, but on the net LastPass is my favorite. You can even have a 'local' encrypted vault on a USB key in case you travel and have no internet access. Plus it can also manage credentials not related to the internet (CC and passport info). It doubles as a very handy form-filler too and manages several profiles under the same account (i.e. private and office). LastPass works on multiple platforms and browsers, and for the most part the functionality is free!! How can somebody not use such tools nowadays :-) ?

Tue, Nov 27, 2012 Bill Montgomery, AL

If you have a Windows 7 Phone, get Password Crypt Mango, the paid version of Password Crypt. It stores sites, user IDs and passwords in an encrypted file on the phone. No going online and getting hacked. The paid version has a password generator to create a password of any length with a number of upper-case letters, numbers and special characters. If the phone is lost and someone tries to reset the master password, it wipes the file containing your information. Great app for only .99 cents!

Mon, Nov 26, 2012 M Provo, Utah

1st - services should allow complex passwords (e.g. the 8-character password limit). 2nd - the solution has to be easy to implement. The only way to really do this anymore is to use some sort of password manager. I use 1Password (love the Family License) for a variety of reasons in terms of its functionality. I've stuck with it because the company that makes it is the most open about what they are doing, is very active in updating their product, and seems to understand real-world user needs. Check their response to a recent NY Times article about this issue in which an expert (out of touch with reality if I say so myself) says things like he wouldn't use password manager software because he didn't write it himself. The response post also brings up issues about how these systems work behind the scenes (http://blog.agilebits.com/2012/11/08/dont-trust-a-password-management-system-you-design-yourself/). It is scary, but some of the proposed "solutions" I've seen by experts are so onerous that it would be easier to just say "Don't ever go online."

Mon, Nov 26, 2012 Greg New York

Check this month's issue of Wired Magazine for an interesting take on the state of security by password. The author makes the case that we've already entered the post-password era, only most of us haven't realized it yet, nor has a really decent alternative risen to the top. Personally, I think that in the near future (5-10 years) we'll wind up using some combination of passwords, fingerprint or face recognition as well as a physical key with a personal certificate of some sort in order to provide a base level of personal security that will stand up to the average daily attacks one encounters.

Mon, Nov 26, 2012 Mark Webster Ohio

Passwords don't have to be this hard to manage. If you do have a lot of accounts to manage/remember, try RoboForm or AnyPass. Oh, and take this advice from XKCD: http://xkcd.com/936/ For me? I like to mix in extended ASCII to add complexity where I am really paranoid, such as substituting ¡ for a lowercase i. Don't want to make this too simple ;-) Easy: cl¡p-on tie vat0
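The advice in the post (avoid anything on the worst-password list, prefer a long phrase) and the XKCD-style passphrase approach linked in the comment above can both be turned into a concrete check. The following is an added example, not code from the blog, from SplashData, or from any of the password managers named here. The denylist contains only the entries the post itself names, the 32-word list is a constructed stand-in for a real Diceware-style list, and the entropy estimate is the usual character-class approximation, which is why the denylist check runs first.

```python
import math
import secrets
import string

# Constructed denylist: the entries the post names from SplashData's 2012 list.
# A real deployment would load a far larger list of breached passwords.
WORST_PASSWORDS = {
    "password", "123456", "12345678", "monkey", "dragon", "ashley",
}

# Common substitutions that do not add meaningful strength: "P@ssw0rd" is
# still "password" to any cracker. Maps @->a, 0->o, 1->l, 3->e, 4->a, 5->s, $->s.
LEET = str.maketrans("@01345$", "aoleass")

# Constructed 32-word list (hypothetical). 32 words give exactly 5 bits per word;
# a real Diceware list of 7776 words gives about 12.9 bits per word.
WORDLIST = [
    "apple", "brick", "cloud", "delta", "eagle", "flame", "grape", "horse",
    "igloo", "jelly", "kayak", "lemon", "mango", "night", "ocean", "piano",
    "quilt", "river", "stone", "tiger", "umbra", "vivid", "whale", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune", "ember", "frost",
]


def _variants(password):
    """Forms of the password that a cracker would try for free: lower-cased,
    with leet substitutions undone, and with a trailing digit/punctuation suffix
    removed (so 'Monkey123' and 'P@ssw0rd' both reduce to denylist entries)."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    for form in list(forms):
        forms.add(form.rstrip(string.digits + string.punctuation))
    return forms


def estimate_entropy_bits(password):
    """Rough upper-bound estimate: length * log2(alphabet size), where the
    alphabet is the union of the character classes actually present. It
    overstates strength for dictionary words, so only use it after the
    denylist check has passed."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(ord(c) > 127 for c in password):
        pool += 128  # extended characters such as the '¡' in the comment above
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, min_length=12, min_bits=50.0):
    """Return (accepted, reason). Denylist first, then length, then entropy."""
    if _variants(password) & WORST_PASSWORDS:
        return False, "matches a known-worst password (or a trivial variant)"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        return False, f"estimated {bits:.0f} bits, below {min_bits:.0f}"
    return True, f"ok, estimated {bits:.0f} bits"


def generate_passphrase(words=4, wordlist=WORDLIST):
    """XKCD-style passphrase: words drawn with a CSPRNG from a fixed list.
    The strength is words * log2(len(wordlist)) regardless of which words
    come out, so the entropy is known rather than guessed."""
    phrase = " ".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, words * math.log2(len(wordlist))


if __name__ == "__main__":
    for candidate in ["password", "Monkey123", "P@ssw0rd", "Tr0ub4dor&3",
                      "mydogFid0,has4coldnose"]:
        print(f"{candidate!r:28} -> {check_password(candidate)}")
    phrase, bits = generate_passphrase(4)
    print(f"generated {phrase!r} with {bits:.1f} bits (tiny demo list)")
```

Note that Ed's sentence-style password from the post passes on length and variety, while the XKCD comic's "Tr0ub4dor&3" fails the length check before its entropy is even considered, and "P@ssw0rd" is rejected as a disguised "password". The generated phrase only reaches 20 bits here because the demo list is tiny; the point of a real word list is that four or five words comfortably clear the threshold while staying memorable.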

Mon, Nov 26, 2012 Mike Salt Lake City, UT

I use Roboform and have for years. Every web site I visit that requires a login and password has a different password. I don't even know what they are (without looking inside Roboform) because Roboform created the password for me and made it totally random and complex. I also highly recommend this product.

Mon, Nov 26, 2012 David Las Vegas

As technology professionals, one would think we should know better than to use weak passwords. Yet we many times do. However, after LinkedIn was hacked earlier this year I finally got around to switching to more complex passwords with the aid of LastPass. If you are not familiar with services such as LastPass or Roboform, check them out. You create a passphrase that only you know, and then use the service to generate complex passwords that are hashed based on your passphrase. I highly recommend LastPass as a user and a techie pro.
