Humans are creatures of habit.
We eat the same foods at the same times nearly every day. Cereal for breakfast, a sandwich for lunch, maybe we change it up for dinner. Look at us, we’re living on the edge!
But because humans are so predictable, we’re also pretty lousy at protecting ourselves from the pitfalls of predictability. We tend to choose things like passwords based upon easily-memorized components — the word “password” or some combination of characters that a 4-year-old would pick (abc or 123).
So as a public service, I have to mention a study released last week of 32 million breached password accounts. You’d like to think that people aren’t really that obvious. And you’d be wrong.
If your password is one of the below, please change it today:
- 123456
- 12345
- 123456789
- Password (or password)
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
Also, if you use your username as your password, or a part of your name or birthdate, again, please change your password. For instance, if my name is John and I use the password “John123”, I’m not exactly being original or unique enough. Any word that appears in the dictionary should be considered off-limits, as such passwords are susceptible to what are called “dictionary attacks” (an attacker runs an automated program that simply tries every word in an electronic dictionary as the password).
Personally, I like to make up nonsense words — words that don’t appear in any dictionary, and yet may be memorable on their own — combined with a few numbers. And if you want to be really safe, add an exclamation point somewhere in there too. One nonsense word, for instance, might be kuyot (don’t use this, since I just let the world know it’s a possible password!). Add a few numbers and you’ve got yourself a nice secure password.
Having trouble thinking of numbers that aren’t readily linked to you? Try using an old telephone number from the house you grew up in (assuming your parents still aren’t living there with the same number), an old college room number, phone number or ZIP code, or something else that isn’t a part of your current life. Don’t use a number that’s tied to you for life, like your birthdate or social security number (never use any part of your social security number as a part of your password). Also, don’t be tempted to use a PIN code number as a part of your password. That’s just too potentially dangerous.
Most security experts will explain that using upper and lower case helps, as well as using some non-letter or non-number character (like the exclamation point). Try to do that as long as you can easily remember it (or again, write it down). Research has shown that when people are made aware of what constitutes a “strong password,” they tend to choose strong passwords and can memorize them without much difficulty (Charoen et al., 2008).
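To make the advice above concrete, here is a small password-policy checker that applies every rule from this post: the breached top-ten list, the username, fragments of a birthdate, dictionary words (including common letter-for-digit substitutions such as “p4ssw0rd”), and the mix of upper case, lower case, digits and a symbol. This is an added example and not code from the original article; the dictionary set is a small constructed stand-in for a real word list, and the `username` and `birthdate` parameters are assumptions for illustration.

```python
"""Password-policy checker illustrating the rules described in the post.

Added example, not from the original article. COMMON_PASSWORDS is the
top-ten list quoted in the post; DICTIONARY is a small constructed sample
standing in for a real word list (a deployment would load a full one).
"""
import re

# The ten most common passwords from the breach analysis quoted in the post.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Constructed stand-in for a real dictionary (assumption for this example).
DICTIONARY = {"password", "love", "princess", "rock", "secret", "john", "summer"}

# Common letter-for-digit/symbol substitutions, so "p4ssw0rd" maps to "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_hit(password):
    """Return the dictionary word the password is built on, or None.

    Leading/trailing digits and symbols are stripped first, so "John123!"
    reduces to "john"; substitutions are then undone, so "p4ssw0rd" -> "password".
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    core = core.translate(LEET)
    return core if core in DICTIONARY else None


def password_weaknesses(password, username=None, birthdate=None):
    """Return a list of reasons the password is weak; an empty list means it passes.

    birthdate, if given, is an ISO date string "YYYY-MM-DD".
    """
    reasons = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the breached top-ten list")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if birthdate:
        year, month, day = birthdate.split("-")
        # Reject the full year, the two-digit year, and MMDD / DDMM fragments.
        for fragment in (year, year[2:], month + day, day + month):
            if fragment in password:
                reasons.append("contains part of the birthdate")
                break
    word = dictionary_hit(password)
    if word:
        reasons.append("built on the dictionary word '%s'" % word)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        reasons.append("no mix of upper and lower case")
    if not re.search(r"\d", password):
        reasons.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no symbol such as '!'")
    return reasons


def is_strong(password, username=None, birthdate=None):
    """True when none of the checks in password_weaknesses() fire."""
    return not password_weaknesses(password, username, birthdate)


if __name__ == "__main__":
    # Constructed sample inputs: the post's own examples and a nonsense-word password.
    for pw in ("123456", "John123", "p4ssw0rd!", "Kuyot5551234!"):
        problems = password_weaknesses(pw, username="John", birthdate="1984-07-22")
        print("%-15s %s" % (pw, "OK" if not problems else "; ".join(problems)))
```

The checks are ordered from cheapest to most informative; in practice the breached-password comparison is the one that matters most, and checking new passwords against a list of known-breached values is exactly what NIST SP 800-63B recommends. The birthdate and username checks only work if the system actually knows those values, which is why they are optional parameters here.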
Security of your online world is directly dependent upon the passwords you choose. If you need to write down a stronger password, that’s fine. Most people think it’s wrong or more insecure to write down their password. As long as you don’t do it on a sticky note next to your computer (e.g., do so in your address book that you keep with you, or some other more secure place), you’ll be fine. A weak password puts you at more risk than a strong password that’s written down (after all, most hackers don’t have access to your home or workplace).
Read the full article: Analysis of 32 million breached passwords
Reference:
Charoen, D., Raman, M. & Olfman, L. (2008). Improving end user behaviour in password utilization: An action research initiative. Systemic Practice and Action Research, 21(1), 55-72.