February 12, 2009

People are the weak link in security

Errata Security recently released their findings after analyzing 28,000 user passwords that had been stolen.

From the AFP Article:

"It found that 16 percent took a first name as a password, often their own or one of their children, according to the study published by Information Week.

Another 14 percent relied on the easiest keyboard combinations to remember such as "1234" or "12345678." For those using English keyboards, "QWERTY", was popular. Likewise, "AZERTY" scored with people with European keyboards.

Five percent of the stolen passwords were names of television shows or stars popular with young people like "hannah," inspired by singer Hannah Montana. "Pokemon," "Matrix," and "Ironman" were others.

The word "password," or easy to guess variations like "password1," accounted for four percent."

While I don't find the results all that difficult to believe, I am still amazed by how little people seem to care. Your username and password are the key to who you are online or on a computer network. If someone steals them, they are you for that moment. In the case of these passwords, I partly blame the administrator of the network who allowed such weak passwords to be used. While we can't expect everyone to understand what makes a password strong, I can expect those tasked with the security of a website to know.

The Do's and Don'ts of strong passwords:

Do:
  • Use a minimum of 8 characters
  • Include both upper and lower case letters
  • Include at least one number
  • Include at least one special character

Do not:

  • Use your name, your kids' names, or your spouse's name
  • Use your birthday, anniversary, kids' birthdays, etc.
  • Use simple words like love, hate, dog

Things like names and dates are easy to find out and are the first things tried. Simple words are easy to guess, and password cracking software will try common words before trying random characters.
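An added example (not from the original post) of how an administrator could enforce these rules at account creation, in Python: it checks the composition rules above, then rejects anything built on a common word or on personal details, since cracking tools try those first. The blocklist is a constructed, deliberately tiny stand-in built from the password categories the article names; a real deployment would load a large list of passwords seen in past breaches.

```python
import re

# Constructed blocklist: a tiny stand-in built from the password categories the
# article names (common words, keyboard walks, first names, pop-culture terms).
# A real deployment would load a large list of passwords seen in past breaches.
COMMON_PASSWORDS = {
    "password", "1234", "12345678", "qwerty", "azerty",
    "hannah", "pokemon", "matrix", "ironman", "love", "hate", "dog",
}

# Undo the substitutions people make to dress up a dictionary word.
_LEET = str.maketrans("013@$", "oleas")


def _normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation ('password1' ->
    'password') and undo leet-speak ('P@ssw0rd' -> 'password')."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered) or lowered
    return stripped.translate(_LEET)


def check_password(password: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the list of rules the password breaks; an empty list means it passes.

    `personal` holds strings an attacker could easily learn about the user
    (names, birth dates); any of them appearing in the password is a violation.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    lowered, core = password.lower(), _normalize(password)
    # Crackers try dictionaries and common variants before brute force, so a
    # recognisable base word fails even when the composition rules are met.
    for candidate in (lowered, core):
        if candidate in COMMON_PASSWORDS:
            problems.append(f"based on the common word '{candidate}'")
            break
    for item in personal:
        if item and (item.lower() in lowered or _normalize(item) in core):
            problems.append(f"contains personal information '{item}'")
    return problems
```

With this check, "password1" fails on three counts while both of the post's own examples, Yffg87^7!!4f and H0telCalifornia!, pass.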

Your password does NOT have to look like this: Yffg87^7!!4f (although I do know several administrators who use passwords like that). That type of password is unnecessary for most things. Sure, it wouldn't be cracked very quickly (it would take days to crack on a Windows network), but it is also very hard to remember, which usually means it will be written down and kept somewhere, which means someone can steal it.

Instead, use something you can remember: a word with special meaning, a phrase, or a song title like H0telCalifornia! This provides almost the same level of security and has the benefit of being easy to remember.

Remember, strong passwords need to balance security and usability. If you can't remember it, it is useless, but if it's easy to crack, it's a security risk, so find a happy medium.
