Monday, 31 August 2009

HOW TO AVOID THE 500 WORST PASSWORDS OF ALL TIME.

How to avoid the “500 worst passwords of all time”
By John Dodge | Jul 29, 2009 | 35 Comments

We all have lots of Internet passwords and about half of them are not difficult to guess. Just take a look at the “500 worst passwords of all time.”

A strong password should be two things: easily recalled by its owner and difficult to guess by someone who doesn’t know it. Many entries on the worst list fail the second test badly: even non-hackers could guess a few of them.

“123456” is number one, followed by, you guessed it, “password.” Some on the list are intriguing. Number 496 is “mistress,” although I don’t know if the owners lean toward kept women or men who wished they had one. Many are profane with a hint of anger and impulsiveness, suggesting people don’t want to bother with passwords. Some are plays on words like “letmein.” Number 486 is a seemingly cryptic letter string, “abgrtyu,” and it still made the list.

The list comes from the book “Perfect Passwords: Selection, Protection, Authentication,” published in 2005. While the list would appear outdated, it still gets considerable attention because it’s unique.

One out of every nine passwords in use is on the list, and about 50% of passwords are “based on names of a family member, spouse, partner, or a pet,” according to the book’s teaser on Amazon. Just ask Sarah Palin, whose email was hacked last September by someone who reset her password using her zip code, birthdate and where she met her spouse. When asked where she went to high school, the hacker entered “Wasilla High” and was right. Such is the price of celebrity and people knowing a lot about you.

Passwords are a challenge. Like you, I often want quick access to a site and view the password as an obstacle deserving little attention. However, I can proudly say no password I have ever used is on the worst list.

In a recent discussion with fellow bloggers, one said he keeps passwords only in his head. He never writes them down ANYWHERE. I have far too many for that and lack the photographic mind he must have. He also avoids password hints such as a boyhood dog or mother’s maiden name, given what happened to Palin.

Another swears by the password manager Roboform, which can be downloaded for $35. I may try this given good reviews and because I don’t feel secure with my current password strategy, if you can call it that. I am constantly looking them up and must have about 30 of them. I also have used meebo with some success as a single logon/password to multiple instant messaging accounts. I tried something called a secure login named vidoop, but it was too good: it didn’t let me into anything.

There’s plenty of advice on how to create a good password, such as Microsoft’s six steps to creating “a strong, memorable password.” Some of the advice is obvious, but worth repeating.

– Use a mix of symbols, characters and numbers. Use spaces if allowed.

– If you can’t use symbols, double the number of characters.

– Think of a memorable sentence and take the first letter of each word and combine into a password.

– Use a password checker to test its strength.
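The four rules above can be turned into a mechanical check. The following is an added example, written for this page in Python and not taken from the article or from Microsoft’s guide: it looks a candidate up in a constructed excerpt of the worst list (only the entries the article itself names), builds a password from the first letters of a sentence, and estimates the keyspace of the result, which also quantifies the “no symbols, double the length” rule. The 8-character baseline and the worst-list excerpt are assumptions.

```python
"""Password checks in the spirit of the advice above: worst-list lookup,
the acronym-of-a-sentence method, and a keyspace estimate that quantifies
the "no symbols -> double the length" rule. Added example, not the article's."""
import math
import string

# Constructed excerpt: only the worst-list entries the article itself names.
# A real checker would load the full published list.
WORST_PASSWORDS = {"123456", "password", "letmein", "mistress", "abgrtyu"}

MIN_LENGTH = 8  # assumed baseline; the article gives no number

# Conventional character classes and the size of each alphabet.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),  # 32
    "space": (" ", 1),
}


def acronym_from_sentence(sentence: str) -> str:
    """First letter of every word. Whole numbers and trailing punctuation are
    kept because they add character classes, as the article advises."""
    parts = []
    for word in sentence.split():
        if word.isdigit():
            parts.append(word)
            continue
        parts.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            parts.append(word[-1])
    return "".join(parts)


def character_classes(password: str) -> set:
    """Names of the character classes the password actually uses."""
    return {name for name, (alphabet, _) in CLASSES.items()
            if any(c in alphabet for c in password)}


def charset_size(password: str) -> int:
    """Size of the smallest conventional alphabet covering the password."""
    return sum(CLASSES[name][1] for name in character_classes(password))


def entropy_bits(password: str) -> float:
    """Upper bound: bits of a password drawn uniformly from charset_size^len.
    Human-chosen passwords (words, substitutions) have far less."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def equivalent_length_without_symbols(length_with_symbols: int) -> int:
    """Length a letters-and-digits-only password needs to match the keyspace
    of a password of the given length that also uses symbols (62 vs 94)."""
    with_symbols = math.log2(26 + 26 + 10 + 32)
    without_symbols = math.log2(26 + 26 + 10)
    return math.ceil(length_with_symbols * with_symbols / without_symbols)


def check_password(password: str) -> dict:
    """Apply the article's rules; return failed checks plus an entropy estimate."""
    problems = []
    classes = character_classes(password)
    if password.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes) < 2:
        problems.append("only one character class")
    if "symbol" not in classes and len(password) < 2 * MIN_LENGTH:
        problems.append(f"no symbols and shorter than {2 * MIN_LENGTH} characters")
    return {"bits": round(entropy_bits(password), 1),
            "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for pw in ("password", "smart2009planet2009x",
               acronym_from_sentence("My dog Rex was born in 2005 and loves bones!")):
        print(pw, check_password(pw))
```

For an 8-character password that uses symbols, `equivalent_length_without_symbols(8)` returns 9, so doubling to 16 letters and digits leaves a comfortable margin over the 94-character alphabet.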

Follow me on Twitter.


SmartPlanet Talkback

1. PatrickFW | 07/29/09

Keeping Passwords
I have about 50 passwords and some need to be changed as often as once a month. Several need to be 12 characters of various forms. There is no way to keep that all in my head. In desperation I looked at many password programs. More than 20.

Roboform has my vote. I've used it for about a year now. It has secure notes for those passwords and ID's that are not able to be saved automatically like some bank sites. It has never failed me. Well worth the money. As an added benefit it fills in web forms at a single click. I wouldn't be without it now. I even own the portable USB version. I buy the licenses as gifts because I find it so useful.
2. John Dodge | 07/29/09

RE: How to avoid the '500 worst passwords of all time'
Patrick,

Thanks for the note and info. Roboform is what I am considering. Seems worth the money...J
3. dhays | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
I can say that none of my 66 current passwords nor any of the 53 retired ones are on the list. Some are close, but only a part of the actual password. I do have some relatively simple passwords/PIN #'s; I have been changing some to more complex ones or ones that can't be figured out immediately--such as Sarah Palin's were. If I have a city name, it will be part of my former address, etc. License plate numbers are used or variations on them, such as adding the state name, especially if you no longer live there.
I use a password-protected Excel spreadsheet; it doesn't populate any webforms, but is free and easy to use.
4. blacksmith@... | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
One of my favorite methods is one of several vulgarisms in German, Spanish or Italian. It's easy to remember, and when the capitalization is off by a couple of characters, it's difficult to crack.
5. HarryBeard | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
Your Sarah Palin example doesn't work. It wasn't the strength of the password used, it was Yahoo's crazy password reset process. No website should make it so easy to access that information.
6. Olden D. Kreppit | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
Roboform may well be great. But I'm a tightwad. I use the free KeePass and it works very well for me.
7. techrepublic@... | 07/30/09

1Password for MacOS X
I originally used Gator until it became annoyingware, then switched to RoboForm, however, there's no RoboForm for Mac, so I was pretty happy when 1Password for MacOS X arrived.
8. HungMob | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
I looked at the list of PWs and I thought that 1q2w3e4r5t6y would have made it up there. But oh well.

But going on how to avoid passwords. Try to think of the two most random things and stick them together.

EX: tvtree, windowbag, phonestick, etc

Also another thing is to add random #s and Caps inside of it.

EX: TvtReE, wiNd0WBag, pH0NEsT1ck, etc

One more thing is to spell them in a different way.

EX: tveetrie, whinndoowbaag, foonstiic, etc

So put it all together and you've got a hard password.
9. pgrondier | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
30 passwords? 50 passwords? Monthly changes? Independently from my different 'identities/user names' (yahoo!, google, msn, work, ...), I have only 3 different passwords. The 1st one is 'private-private': personal email, amazon, paypal, banks. The 2nd one is 'private-professional': it is used on my company's network, and can be reset by the network administrator. The last one is 'default public password', very useful for all these sites where subscription is mandatory. I would give the 3rd one to everybody close to me, from my children to my assistant. The second one does not need to be given to anybody, as it can be reset. The 1st one is written down on a piece of paper, sealed in an envelope, to be opened after I am dead ...
10. MarkH1981 | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
I just came up with an algorithm that utilizes the name of the website requiring a password. For example, for this site, I'd use smartxxx99, where the xxx99 is the same for every website. For CBS.com, the password would be cbsxxx99. I just don't share the xxx99 with anyone, so it is easy to remember 100's of passwords without having to pay for software like Roboform.
11. dave_helmut | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
I can't believe they forgot "iamgod"

every sysadmin knows that one...
12. PeterPilot | 07/30/09

RE: How to avoid the '500 worst passwords of all time'
Roboform may be very good; I wouldn't know as I have never tried it, but I suggest you do consider the free and open source password manager KeePass Password Safe. I use it to manage dozens of passwords: http://keepass.info/ and have found it to be excellent.
"What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your homepage's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, homepage, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page. " BRgds, Peter
13. pgit | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
I always use an easy to remember sentence, then substitute numbers for one set of the letters.

I might sub 1 for all the "I"s, 0 for "O", 5 for "S" and similar. I like working the word "ate" into it, subbing the single 8 for the whole word.

I write the sentences out as you would normally, including punctuation. This helps people remember where any capital letters are, at the start and in any proper nouns.

Examples:

Y0u f0rg0t the passw0rd already!?

Who 8 all the 1cecream?

Plea5e don't abu5e thi5 5erver.

If spaces are not allowed I simply eliminate them.

I've yet to have anyone forget their password/phrase. Most of them are wireless keys, btw. I'll make a much shorter statement for Windows user passwords, e.g.:

B0nny r0ck5!

If you make the phrase appropriate to the user (or deployment) you don't have to write it down, just the nature of the substitution(s): o - 0, s - 5 for the above example.
14. GP1628 | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
One system admin I knew was into trivia. He liked to use passwords that reminded him of things, such as 56HDW63 being the years of reign of some famous person.

Something I do (I'm also a system admin) is keep lists. But even my lists, or password manager programs, don't actually list the password itself. On some sites involving giving them an account or credit card it will say "money", which is NOT the password but only a reminder that I used my really hard to figure out money password there. On other sites that I happen across and am not sure I will ever come back to, it will say "password", which is NOT the password but will tell me I used my junky default password there. No offense, but this site was one of those and I was real surprised that I was able to login.

ANY storage list of passwords is still keeping a list where it can be snagged from you. I would recommend using this trick to remind yourself without actually writing the password.

OH and on those security questions, I have complete sets of answers that I use which do not match my real answers.
15. heroshima | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
A very good and FREE {open source} solution is KeePass. It allows for storage and creation of passwords as many bits long as you need; key generation is customizable as well. It's all stored in a very secure database. You set the size, type of encryption, etc. They have versions for every major OS including BlackBerry, Windows Mobile and many others. The new version allows for you to host the file on a secure site and divvy out access to it. You can use a password, a key file or both to get in. One of the nifty features is the auto-type feature and a scripting feature. It allows for password entry as well as many other tasks to be recorded or scripted. So easy a cave man could do it.
16. kenharthun | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
Great article, John.

I use the LastPass plugin for Firefox to remember my hundreds of passwords. As far as creating passwords, I've written several articles on the topic. One good method is simply to come up with a meaningful phrase and then convert it to a string of characters. Here's one: I drive 33 miles round-trip each day. (Notice I included numbers and a dash.) That could become id33mr-ted. Make some of the characters uppercase: iD3#mR-TeD (I made every other character uppercase, which is easy to remember). You get the idea.

You can check out one of my main articles "How to Write Down Your Passwords and Not Worry About Anyone Stealing Them" at http://bit.ly/106ha9 .
17. Hobyx | 07/31/09

"passwords are teh suck"
Security in its current forms is inherently user unfriendly, and as such, will be implemented badly by most people. Passwords and secrecy in general are direct reactions to conflict and anonymity. If anonymity can be lessened and the incentive for attack can be removed, friendlier forms of gatekeeping can finally be utilized.
18. michel@... | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
I can't get to the 500 items.
The server times out.
dmaesc
19. rblough@... | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
Yep everyone wants to know if their password is on the list. I couldn't get in either.

I've used PasswordWiz and was happy with it, but it doesn't work on several of the new sites using Flash. I've not counted my passwords but it long ago surpassed the century mark, so I need help and want the convenience of a pw manager. Some have suggested "systems" which work as long as no one wants to crack them. The most secure is random character sets, and the longer the better.

Having managed the admins for some very large secure networks I've been amazed at the nonchalant use of passwords by top management as well as admins. As a consultant I've entered systems simply by extending the systematic password patterns given to users.

On top secret sites we have used external key generators, but that is more than most people want to use. The best thing about passwords is that it keeps nosey people out of your space.


20. Techhasitslimits | 07/31/09

RE: How to avoid the '500 worst passwords of all time'
I disagree with the author if by saying a good password is "easily recalled by its owner" he means "easily remembered". A good (i.e., "strong") password should be a random string of upper and lowercase letters, numbers, symbols, and punctuation marks. Most people can't remember multiple such passwords. But there are tools that can help them, such as desktop password software (1Password, Keepass, PasswordSafe, SignUpShield, Roboform, etc.), USB password drives (IronKey, ID Vault, etc.), and standalone devices (Atek Logio Secure Password Organizer, Mandylion, etc.). If by "easily recalled" the author meant by the use of a tool such as these, then I agree...of course.
21. invenio | 08/02/09

Proof-reading would be nice
I wouldn't mind the occasional grammatical, orthographical, lexical or other mistakes, but 6.5 in such a short article tops it. I'm not a native speaker, but would say my English is good enough to spot these. A bit more journalistic care would be good. Elsewhere I saw those it's/its, their/they're again...

[ ] meaning that was missing, { } meaning that was too much.

1) Number 496 is a “mistress” although I don’t [know] if the owners...
2) ...about 50% of passwords are passwords [that] are “based on names of a family member...
3) I have far to[o] many for that..
4) He also avoid[s] passwords hints such as boyhood dog...
5) I tried {a} something called a secure login called vidoop... -- nice doubling up
6) Some of the advice is {is} obvious, but worth repeating.

I said 6.5 mistakes above, because I'm not 100% sure about this one:
6.5) ...although I don’t if the owners lean toward[s] kept women or...
22. ejhonda | 08/03/09

@ invenio
You missed some - I found 10, and that was with me missing your first example. So you were kind - I'd say there were at least 11 typos in it. Not being nitpicky, but it really does make it a slog to read through.
23. John Dodge | 08/05/09

RE: How to avoid the '500 worst passwords of all time'
Invenio,

I believe ALL the dropped words and typos are fixed....fixed them several days ago.

--JD
24. poyeezed | 08/06/09

RE: How to avoid the '500 worst passwords of all time'
Sounds like overheated paranoia to me
25. stevebon | 08/06/09

RE: How to avoid the '500 worst passwords of all time'
I have used AnyPass Pro for several years for all my contact info: passwords, telephone numbers, etc. I have [probably] 150 passwords. The software can be password protected, so I feel reasonably safe. In addition to my computer, the software can be run on a flash drive without any special tricks needed.

For a password, I usually use two words with a numeral between them, and I change every password annually - as I encounter it after the new year. I usually use a string of 7-9 characters in a password. Sometimes, I use the "=" or "+" or another symbol as well as a numeral.

I also have a collection of logon IDs that I use, switching them around irregularly. I keep a list of these logons in AnyPass, so that I don't repeat a logon closer than three years. I make sure to never use a logon as a password [or vice versa].
26. VIKING21 | 08/07/09

RE: How to avoid the '500 worst passwords of all time'
I HAVE FOUND THAT USING SYMBOLS IN THE FRONT, FOLLOWED BY PART CAPS, PART LOWER CASE, AND FINISHING UP WITH ANOTHER SYMBOL WILL DEVELOP A " STRONG " PASSWORD.
27. john181818 | 08/07/09

RE: How to avoid the '500 worst passwords of all time'
I use Roboform and in my opinion it has been one of my smarter purchases. I generate a unique password for all of my password protected sites so there can be no cross-contamination.

I also take security one step further when logging onto a bank site. I open up a completely new browser, not merely a new tab, then transact whatever I need to do and then close that browser completely. I will never go to another site from a browser that I opened for a bank transaction. It is so easy to do this simple security procedure that there is no reason not to do so.
28. jguzzo | 08/07/09

RE: How to avoid the '500 worst passwords of all time'
Using a sentence is probably the simplest to remember, and you can add some more complexity by substituting a number or symbol that is similar to a letter. For example, use the sentence, "Mary is the woman I will love for eternity." A password could be Mitw1wl4e or M1TwIl$e. Note that by using shift or a number, you can make these powerful and nearly impossible to guess.
29. jguzzo | 08/07/09

RE: How to avoid the '500 worst passwords of all time'
Oh, and I use Password Plus on my Palm Treo to manage the dozens of passwords I need for person and business use.
30. sjeffreya | 08/07/09

sjeffreya
I swear by RoboForm Pro. I just checked my passwords before writing this and on this rig I have 364 passwords. Plus RF generates passwords depending on length, numeric, alpha, characters and symbols. It also gives you a bit score of what your combination is. Some sites don't allow more than 10 characters. A lot don't allow characters and symbols. With RoboForm nothing is hard. Just click your cursor on your choice, say, alpha-numeric, choose your length and hit generate. If that one doesn't tickle your fancy, keep generating until you come across one you like. Then hit fill and your new password automatically fills itself in. No excuse not to update your heavily trafficked sites regularly. Oh, one thing. Unless you're writing passwords down: back up, back up, back up!
31. john181818 | 08/08/09

RE: How to avoid the '500 worst passwords of all time'
I should clarify my remarks to say that I am using RoboForm Pro, not the free edition. It was well worth the money.
32. aatifkhan2009 | 08/09/09

RE: How to avoid the '500 worst passwords of all time'
I can say that none of my 66 current passwords nor any of the 53 retired ones are on the list. Some are close, but only a part of the actual password. I do have some relatively simple passwords/PIN #'s; I have been changing some to more complex ones or ones that can't be figured out immediately--such as Sarah Palin's were. If I have a city name, it will be part of my former address, etc. License plate numbers are used or variations on them, such as adding the state name, especially if you no longer live there.
I use a password-protected Excel spreadsheet; it doesn't populate any webforms, but is free and easy to use.
33. ryan-s | 08/11/09

RE: How to avoid the '500 worst passwords of all time'
The latest embarrassment was on Twitter, as one of their admin accounts had the password "password", which made it pretty easy to hack.

There can be a whole book written on managing passwords for corporations. They have to change the passwords often as people change departments, their security levels are changed or they leave the job.

34. akprange | 08/14/09

RE: How to avoid the '500 worst passwords of all time'
Although I use RoboForm Pro at home, I change my password at work at the beginning of every month and don't write it down anywhere. I have three picture calendars on my walls: this month, last month and next month. Using the calendars as visual tools, I create a related phrase, and then condense that down to an 8 character strong password. For example, last month one of my calendars had a picture of a wolf cub coming out of a wooded area, so my phrase was “are you sure?” My password became: a5usU3? One of my best was a picture of a Tufted *** mouse on a lilac bush; my phrase was “Mine aren't purple”, pw: m1r?tpu3. It's my way to add a bit of fun to my job and secure my employer's data.
35. life is to shot | 08/31/09

bassam pakistan


John Dodge
John Dodge has answered the call of journalism for 33 years, most of the time covering technology, engineering and business. While he's run magazines, newsweeklies and web sites, reporting and writing always took up half his time. He has plied his craft at the WSJ, Boston Globe, PC Week (now eWeek), EDN, Design News, Electronic Business, Bio-IT World, Health-IT World, the Lowell Sun, Haverhill Gazette and Newburyport Daily News. He would have liked to have been around when Boston supported seven or more newspapers (1940s) and while steam locomotives still pulled trains, but that era was nearly over by the time he raced into the world. That said, he has been blogging, shooting and editing video, writing for the web and doing other online content tasks for years now.

He has won numerous journalism awards in the past two years, including two Eddie Golds, one Neal finalist and the IEEE Award for Distinguished Journalism all for his reporting and coverage of the Boeing 787 Dreamliner.

Besides his family and myriad hobbies, reporting and writing is why he gets up in the morning. His personal blog focuses on netbooks and is called The Dodge Retort.
