A short time ago I was watching someone I know type in a password to an important web site. I wasn’t looking to see what the password was, however I noticed it wasn’t long and it was all entered on the numeric keypad. This is someone who is not a security expert, but has heard me talk about security for a long time.
I said “Tell me that password wasn’t all numbers” and the response was that it was… in fact 12345.
The intent had been to change it later, but somehow that never happened. In fact, the same password was used in several places. I understand that people sometimes are in a hurry and can’t be bothered to come up with a good password right on the spot, but it really isn’t hard to do better than 12345, which is one of the most easily guessed passwords in existence.
I always recommend a password of at least 15 or 16 characters, except where not permitted. The use of upper and lower case, numbers and symbols is encouraged. If you are not going to follow this advice, perhaps you can at least use the following tricks.
Instead of 12345, is it really that hard to pick a number and remember it? Say, 1,000,000,001. A billion and 1 is a lot better than 12345. 1,000,000,000,052 or something like that is even better.
How about 12345!!!!!. It would still be better than 12345. Even better, Abcde12345!!!!!@@@@@ is easy to type, easy to remember, and far better than 12345. I’m not saying these suggestions are as secure as a truly good password, but they are far better than the most commonly used passwords.
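To put numbers on the comparison above, here is a small checker, written for this post as an added example rather than anything from the original article. It estimates the brute-force search space (character-set size to the power of the length, expressed in bits) for each of the passwords mentioned, and applies the 15-character minimum recommended above plus a constructed list of common passwords standing in for a real one. The estimate is an optimistic ceiling: it assumes an attacker who tries every combination, not one who tries dictionary words and common patterns first.

```python
import math
import string

# Constructed sample standing in for a real list of commonly used passwords.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "abc123"}

# Character classes and the size of the alphabet each one adds to the search space.
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, based on which classes appear."""
    size = 0
    seen = set(password)
    for chars, weight in CHAR_CLASSES:
        if seen & chars:
            size += weight
    # Anything else (space, non-ASCII) is counted conservatively as one extra symbol.
    if seen - set().union(*(c for c, _ in CHAR_CLASSES)):
        size += 1
    return size


def guess_space_bits(password: str) -> float:
    """log2(charset ** length): bits of work for an exhaustive search, ignoring patterns."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str, min_len: int = 15) -> dict:
    """Apply the post's advice: not a common password, at least min_len, not digits only."""
    problems = []
    if password in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.isdigit():
        problems.append("digits only")
    return {
        "bits": round(guess_space_bits(password), 1),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    for pw in ("12345", "1000000001", "12345!!!!!", "Abcde12345!!!!!@@@@@"):
        print(pw, assess(pw))
```

Note that a 10-digit number still fails the length and digits-only checks even though its search space is far larger than that of 12345, which is the point of the 15-character recommendation.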
Now, how about using different passwords for different sites? You probably can’t remember all the passwords you need to have, but a computer can. Personally I like Cygnus Productions Password Corral, but for some people a web based solution is better. Lastpass.com is one such solution. You enter your passwords and it remembers them for you.
If your social networking account or your email account gets hacked, there may be nothing there that you are too concerned about, but an attacker could then impersonate you and attack your friends. This type of attack is not uncommon. Typically the attacker pretends to be you and sends email to your contacts indicating that there is a problem and money is needed immediately. An attacker could also post comments that you would never say, but it looks like you did.
If your password is on this list, you might seriously consider changing it to something that can’t be cracked or guessed in a very short amount of time.
Really, it isn’t that hard to raise the bar on your security if you aren’t using good passwords already.
Director of Technical Education
Author ESET Research, We Live Security