Comments on: 123456 most common password?

By: ChristianK

ChristianK — Sat, 30 Jan 2010 16:35:42 +0000

You can combine one strong password that you remember with different suffixes for different websites and write down those suffixes on a piece of paper.

By: Manish

Manish — Sat, 23 Jan 2010 09:58:00 +0000

Its not surprising then that so many people keep getting their email accounts hacked into

By: MIkE

MIkE — Fri, 22 Jan 2010 22:03:22 +0000

Here you can find nice method for custom and good paswodrd creation http://www.goodpassword.info/how_to_create_a_password.php

By: Anne

Anne — Fri, 22 Jan 2010 20:21:06 +0000

Of course I use my cat’s name as a password! She’s called “k7;m2H8l” and I change her name every six weeks.

By: RickD

RickD — Fri, 22 Jan 2010 19:15:11 +0000

“Write all your passwords down on a piece of old-fashioned paper.”
I’d be far more concerned about somebody using that piece of paper (which has to be stored near the computer) than about somebody hacking my password. It is much easier for me to use the same password for 135 different web sites than to have different passwords for each, which I then have to write down.
(And yes, I have different passwords for banking websites, but that is the exception, not the rule.)

By: Clark

Clark — Fri, 22 Jan 2010 07:48:11 +0000

If you use 1Password on a Mac it keeps track of all your passwords for you and can generate extremely strong passwords for every site and then access them via a master password on your computer. It also has an iPhone version that syncs with the desktop.
I used to use strong passwords, but only kept a handful I could remember. Now I use different passwords on each site.
Realistically you need something like that if you are going to have sufficient security. Because frankly no one can keep track of numerous complex passwords without creating other security flaws.

By: Katkinkate

Katkinkate — Fri, 22 Jan 2010 04:12:35 +0000

At my last job, when the number of passwords I had (and were renewed on different schedules) grew to many to be handled by my inadequate rote memory, I figured out about 11 different passwords as a base stock and wrote a list of clues to them, to help me keep track of which one I was using for each application. I randomly substituted numbers for similar-looking letters to keep it a bit more secure as well (eg. s=5, q=9. The list of clues lived in my diary with whatever application I was using it for written in pencil beside the relevant clue. I used things like my mother’s, mother’s maiden name + my niece’s current age.

By: Vicki

Vicki — Thu, 21 Jan 2010 22:04:02 +0000

There’s always a tradeoff between security and inconvenience: it’s easier to walk through an unlocked door, including my own front door while I’m carrying groceries. So it only makes sense to lock a door if you care who comes through it. (You might _close_ a door to keep the wind out, or animals in: the local dog run uses gates that almost any human would find trivial, but the dogs can’t open.) And the more passwords I have, the more I have to either remember or store: and pieces of paper can be lost or stolen.
I leave my work computer logged in to the library’s website, because the worst any of my coworkers could do is cancel my holds on library books; it’s not a real risk. (They could also reserve books I didn’t want, which I wouldn’t have to borrow, or renew the books I have checked out, which is harmless.) That doesn’t mean I’m staying logged in to my personal email, or my pension fund.
Tacroy is absolutely right about hash functions: that was old news in the 1980s. It’s not an absolute guarantee–given a system, a hashed password file, and time, brute-force attacks are useful–but it’s still worth doing.

By: llewelly

llewelly — Thu, 21 Jan 2010 21:58:49 +0000

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

The italicized words (my italics) are the root of the problem. Memorizing good passwords is hard work, and most people can’t be convinced to do it. As Bruce Schneier pointed out over 10 years ago, writing your passwords down should not be viewed as a last resort. Instead, it should be your first resort. Write all your passwords down on a piece of old-fashioned paper. Make a copy. Store the copy in a safe place, where it is unlikely to be affected by common disasters, such as fires, floods, etc. Keep the other on your person, but treat it like your credit card, or your id card – take every reasonable precaution against losing it.
But most importantly – know how to report identity theft. Write down a list of the steps you will need to go through in the event of your password list being lost, or stolen. Do a few dry runs, so that when you need to use it, it is somewhat familiar to you. Keep that list somewhere else (not with the password list, obviously) on your person.

By: Tacroy

Tacroy — Thu, 21 Jan 2010 20:52:45 +0000

Meh. If I’d had a rockyou.com account, the password would have probably been something simple like that – after all, it’s RockYou. I don’t care if anyone steals my account on that website, and I don’t want to use one of my real passwords in case their system architects are morons and something like this happens.
Further, rockyou.com was doing it wrong in the worst way possible. You do not ever store passwords as plain text. You store the result of a cryptographic hashing function applied to the password + some random but constant salt value. That way, even if someone steals your customer records, they can’t easily get your user’s passwords – which might have been used on a different site.

By: Eric Lund

Eric Lund — Thu, 21 Jan 2010 15:19:17 +0000

Frustrating, yes, but nothing new. In “Surely You’re Joking, Mr. Feynman”, Feynman tells the story of contriving a meeting with the official locksmith at Los Alamos, who had managed to open a special safe that a captain had had delivered to store his sensitive documents (the captain was unavailable at the time but the documents were urgently needed). It turned out the locksmith was eager to meet Feynman, who had cultivated a reputation for being a safecracker. The locksmith’s secret: those safes came from the factory with one of two default settings, and the second one opened the safe. Feynman subsequently found that about one out of every five combination locks that he tried opened with one of the two default combinations. So the weak password problem has been around for at least 65 years.

By: Ambitwistor

Ambitwistor — Thu, 21 Jan 2010 15:04:36 +0000

That’s amazing! I’ve got the same combination on my luggage!

By: Rob W

Rob W — Thu, 21 Jan 2010 13:26:04 +0000

Hmm.. PEBKAC.
If you’re coding a web application, it’s wise to reject these passwords outright. I also like the weak->strong meters shown next to password fields.
Offering advice on how to choose a good password is also helpful. Best advice I know: memorize a passPHRASE as part of your password. E.g., “That’s what your MOM said last night” as a passphrase becomes “TwyMsln” in your password (or go with the 3rd letter of each word to get “aauMisg”) and then throw a number and special character in there that you can remember (5^, for example).
5^aauMisg is a pretty good password, and not that much harder to remember than 123456.
Keyboard patterns like qwerty are possible if you are smart about them; i.e., use the shift key, jump around, and make it long. “2w)OdfJHerIU” is a keyboard pattern password that’s pretty solid.

By: 01jack

01jack — Thu, 21 Jan 2010 13:12:34 +0000

“Princess”?