Keeping Your Password and All Your Eggs In One Basket?

Everyone is acquainted with basic password security and the usual rules, such as:

  • Don’t use the names of significant people in your life;
  • Don’t use significant dates;
  • Don’t use obvious hobbies or interests;
  • Don’t use the same password for everything; and
  • Generally, just don’t use anything about you that people can easily identify.

But even now, companies don’t trust their users to choose sufficiently strong passwords, hence the ever-popular strength check. Despite their best intentions, even these are fundamentally flawed:

“The meters, which often appear as a bar that goes from red to green, rank passwords using traditional measures such as complexity, length and character use, but it turns out most fail to spot easy to guess or predictable passwords.” Samuel Gibbs – The Guardian

It turns out that these strength tests don’t check how secure the entered passwords are against intelligent attacks, only against the brute-force approach, which is, for the intelligent hacker, a last resort. It is much like a mechanic or plumber who first tries to fix a problem delicately, and only breaks out the hammer to hit and hope when things aren’t going right.

To safeguard against brute-force attacks, the theory is that using non-standard words, lengthy passwords or capitalised letters increases the number of possibilities that have to be attempted before the desired outcome is reached. Despite the guidance offered by strength checkers, Mark Burnett (an IT security analyst) found these alarming statistics in his sample data:

  • 0.5% of users have the password password;
  • 0.4% have the passwords password or 123456;
  • 0.9% have the passwords password, 123456 or 12345678;
  • 1.6% have a password from the top 10 passwords;
  • 4.4% have a password from the top 100 passwords;
  • 9.7% have a password from the top 500 passwords;
  • 13.2% have a password from the top 1,000 passwords; and
  • 30% have a password from the top 10,000 passwords.
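The gap described above, between what a strength bar measures and what actually gets passwords guessed, can be shown in a few lines. This is an added example, not code from the original article: the blocklist is a constructed dozen entries standing in for a list like Burnett’s top 10,000, and the 40-bit “green” threshold is an assumed, typical meter setting.

```python
import math
import string

# Constructed stand-in for a common-password list such as Burnett's top 10,000
# (assumption: a dozen entries taken from the examples quoted on this page).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "trustno1",
    "ncc1701", "iloveyou!", "primetime21", "letmein", "monkey", "password1",
}

# Undo the usual cosmetic substitutions ("P@ssw0rd") before comparing.
LEET = str.maketrans("@43105$7", "aaeiosst")


def naive_meter(pw: str) -> float:
    """Mimic a red-to-green strength bar: estimate the brute-force search
    space in bits from length and character classes alone."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet-speak,
    so 'Password1!' and 'P@ssw0rd' both reduce to 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def check(pw: str, blocklist=COMMON_PASSWORDS) -> dict:
    """Run both tests: the meter alone would wave 'P@ssw0rd1!' through;
    the dictionary check is what actually catches it."""
    bits = naive_meter(pw)
    known = {p.lower() for p in blocklist}
    known |= {n for p in blocklist if (n := normalise(p))}  # skip empty forms
    common = pw.lower() in known or normalise(pw) in known
    return {
        "bits": round(bits, 1),
        "meter_says_strong": bits >= 40,  # assumed typical "green" threshold
        "common": common,
        "accept": bits >= 40 and not common,
    }


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1!", "R4%3££:1ne)"):
        print(candidate, check(candidate))
```

Run as-is, “P@ssw0rd1!” scores a comfortable 65.5 bits on the meter yet is rejected by the dictionary check, while the article’s own “R4%3££:1ne)” passes both.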

The Most Vulnerable Passwords

The 50 passwords below are those Mark Burnett believes to be the most commonly used, based on his sample data gathered from publicly available sources. To prevent any issues with the content distributed here, all passwords containing vulgarisms have been omitted.

[Image: Passwords, the 50 most common passwords from Mark Burnett’s sample data]

Other sources claim the most common passwords are the likes of abc123, trustno1, ncc1701 (registration number of Star Trek’s USS Enterprise), iloveyou! and primetime21. So there is no definitive list, but definitely a number of commonalities. Which leads us on to how you should generate passwords.

Password Safeguarding

Passwords should be unique for each occasion and not personal: the more personal they are, the more vulnerable they are likely to be. There are a number of solutions that take all the hassle of passwords out of your hands. The best examples, in our opinion, are Keeper and LastPass. These password managers store all your passwords in a vault that you can access with one login. The stress therefore comes down to remembering one long, nonsensical password, e.g. R4%3££:1ne) or something along those lines (the added benefit here is that even if someone sees you enter your password, odds are they aren’t going to be able to recall it).

The secondary benefit is that password systems like this won’t just store your passwords, they can generate them for you too. See the screenshot below for the sort of strong passwords that are randomly generated (they can be anything between 4 and 100 characters long).

[Screenshot: LastPass1, randomly generated passwords]

And using it is as simple as clicking on the system’s icon in a password field and selecting any of the accounts you have linked to that URL (if you haven’t used a login with that URL before, you can search your vault for other login credentials):

[Screenshot: LastPass2, selecting a saved login from the password field]

Quick, easy and pain-free. Which leaves people with easy-to-crack passwords no excuse for not taking their security more seriously. You wouldn’t have a generic key to your car or your house that anyone could use, so why would you for your confidential information?

Stephen Collins