Password Practice Revisited

A few months ago Randy and I put together a white paper on password “good practice” (http://www.eset.com/download/whitepapers/EsetWP-KeepingSecrets20090814.pdf).

In it, I quoted the following table of The Ten Most-Used Passwords (sourced from http://www.whatsmypass.com):

1. 123456
2. password
3. 12345678
4. 1234
5. pussy
6. 12345
7. dragon
8. qwerty
9. 696969
10. mustang

Today, I came across an @SecurityGarden blog at http://securitygarden.blogspot.com/2009/11/passwords-and-user-names.html that quotes heavily from a report called Do and don’ts for p@$w0rd$ (http://blogs.technet.com/mmpc/archive/2009/11/27/do-and-don-ts-for-p-w0rd.aspx) from the Microsoft Malware Protection Center.

The blog (and report) covers some of the same ground, and includes Microsoft’s list of the ten most used passwords for 2009 as compared to a list put together by PC Magazine in 2007. The similarities between the three lists are depressing.

The blog reiterates some good advice from the report, but also includes a useful link to Microsoft’s password checker at http://www.microsoft.com/protect/yourself/password/checker.mspx. You might find it a useful tool for checking the strength of passwords you create when you’ve read one or more of these resources.

Of course, it’s not an absolute guarantee of the strength or otherwise of a given password: for a start, it doesn’t matter how strong your password is if you leave it in plain view on your desk….

(Tip of the hat to @securitygarden)

David Harley
Director of Malware Intelligence
