Several weeks ago, a phishing attack on the popular social networking site MySpace.com managed to harvest thousands of real usernames and passwords. Users were tricked into entering their account details on a hosted user page that was intentionally designed to look like a legitimate MySpace login page. Since the page’s URL was within the myspace.com domain, even net-savvy users were caught unaware by the attack.
Are our passwords ever safe?
Security expert Bruce Schneier was able to access a collection of 34,000 username and password pairs out of the 100,000 believed to have been compromised by the attack. He analyzed that data for prevailing trends and discovered some surprising findings:
Password Length: While 65 percent of passwords contain eight characters or less, 17 percent are made up of six characters or less. The average password is eight characters long.
Character Mix: While 81 percent of passwords are alphanumeric, 28 percent are just lowercase letters plus a single final digit — and two-thirds of those have the single digit 1.
Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.
We used to quip that “password” is the most common password. Now it’s “password1.” Who said users haven’t learned anything about security?
His study shows that, in terms of password length, most users have now learned to use relatively long passwords: an average password length of eight characters is much better than the “asd123” of some years ago. Disappointing, though, is the choice of using just one numeric digit at the end, and sadly, the number 1 at the end of a password is just too common, as we can see from the list of the top 20 passwords.
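To see how such an analysis is actually carried out, here is an added Python example (not part of the original post, and not Schneier’s code) that computes the same statistics over a small constructed sample list; the sample data and the reading of “alphanumeric” as letters and digits only are assumptions.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample; NOT the leaked MySpace data. It mirrors the patterns
# the article describes: common words, lowercase letters plus a trailing "1".
SAMPLE = [
    "password1", "abc123", "myspace1", "password", "qwerty1",
    "baseball1", "123456", "soccer", "monkey1", "princess1",
    "jordan23", "iloveyou1", "monkey", "Tr0ub4dor&3", "football2",
    "blink182", "liverpool1", "superman1", "password1", "xK9#pL2q",
]

# "Lowercase letters plus a single final digit", the pattern the study
# singles out (e.g. "monkey1"; "abc123" does not match because of "23").
LOWER_PLUS_DIGIT = re.compile(r"^[a-z]+[0-9]$")


def analyze(passwords):
    """Return the statistics the article reports, as a dict of percentages.

    'alphanumeric' is taken to mean letters and digits only (no symbols or
    spaces); that reading of Schneier's category is an assumption.
    """
    n = len(passwords)
    lengths = [len(p) for p in passwords]
    lower_digit = [p for p in passwords if LOWER_PLUS_DIGIT.match(p)]
    ends_in_one = [p for p in lower_digit if p.endswith("1")]

    def pct(count, total=n):
        return round(100.0 * count / total, 1) if total else 0.0

    return {
        "average_length": round(mean(lengths), 1),
        "pct_len_le_8": pct(sum(l <= 8 for l in lengths)),
        "pct_len_le_6": pct(sum(l <= 6 for l in lengths)),
        "pct_alphanumeric": pct(sum(p.isalnum() for p in passwords)),
        "pct_lower_plus_digit": pct(len(lower_digit)),
        # Share of the lowercase+digit group whose single digit is "1".
        "pct_of_those_ending_in_1": pct(len(ends_in_one), len(lower_digit)),
    }


def top_passwords(passwords, k=5):
    """Most frequent passwords with their counts, like the top-20 list."""
    return Counter(passwords).most_common(k)


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
    print("top:", top_passwords(SAMPLE, 3))
```

Run against a real dump the same way, the numbers tell a defender which policy rules (minimum length, no trailing-single-digit pattern, blocklist of top passwords) would have blocked the most accounts.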
For our users, what are your preferred ways of generating passwords and keeping track of them? In my case, I admit I also have my share of password no-no’s that may compromise my various accounts if they are subjected to attacks. Off the top of my head, here’s a short list of reminders that might be helpful in generating and protecting your passwords:
- Avoid names and significant dates. These things can be too obvious. Dates are easy to track. In fact, avoid dictionary words and dates altogether.
- Don’t write passwords on paper. Though some would argue that this may actually help forgetful users, more often than not they are the same users who forget or just leave their post-it notes filled with passwords anywhere, like beside the computer screen.
- Don’t share your password. Multi-user environments are there to support many users; why insist on using just one account? Log in yourself and let others use your account for what they need, under your supervision. Whenever possible, do not give them your password.
- Don’t use the same password for several accounts. Minimize the damage. If someone steals your password, be it through an exploit or by physical means, they cannot wreak as much havoc on your life as they could if you had one common password everywhere.
This Microsoft.com article can be very helpful in producing strong passwords to keep your accounts secure. Do you have other tips for password generation and safety? Do share.