Dec 06 2011

Dear User: Your Password Stinks, Love IT

Make password protection policy a priority in your organization.

When it comes to creating solid user account passwords, predictability and duplicability are two major blunders to avoid. If any user in your company thinks he or she is being clever by using the obvious “password” as their password, they should think again. Hackers, however, will certainly appreciate them for making their job easier.

Even slight variations, such as switching an “o” to a zero when spelling out predictable passwords — for example, “passw0rd” — won’t fool anyone. With password theft on the rise, these users could be compromising confidential company information in addition to personal records. Can your company afford to leave this IT security gap wide open?

Many IT workers already encourage co-workers to select strong, secure passwords, but many users ignore this advice and continue to use their easy-to-guess and familiar passwords.

But they’ve been put on notice with the release of the list of the 25 worst passwords of 2011, compiled by SplashData, a password management app maker.

These are the passwords that were most often successfully hacked, according to SplashData’s study of millions of stolen passwords.

Have you run across any of these passwords in your company?

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

What Your Business Can Learn From the 25 Worst Passwords of 2011

There are some mysteries on the list, such as the oddly popular “monkey” and “shadow.” But many of the worst passwords are obvious, like those that include sequential numbers (“123456”) or common names (“ashley,” “michael,” and “bailey”), most likely the user’s own or that of a family member or friend. Other bad passwords are based on keyboard layouts, like “qwerty” and “qazwsx.” And with an increasing number of sites requiring more complex letter-and-number combinations, many users now have passwords along the lines of “abc123” or “trustno1.”

While this list is good fodder for a laugh or two, it highlights the fact that password protection is a necessity. Many companies still allow workers to choose their own passwords, and that can work if guidelines are provided to help users avoid the common mistakes of the 25 worst passwords.

Stop putting your information at risk and ensure that company IT security policies include clear rules on creating stronger passwords. BizTech magazine suggests making passwords more secure with these 5 tips:

  • Diversify your passwords: Mix upper- and lowercase letters, numbers and special characters.
  • Use the maximum number of allowable characters: A pass phrase such as “D@dhad$a7shadsal@d” may be easier to remember than “g8Qa3&uP” — and longer passwords are much harder to crack.
  • Use special characters first: #, ! and %, for example, are particularly useful when used as the first character, such as “%squid17Ink.” Most password crackers work through alphanumeric character combinations first when trying a brute-force crack, so a special character makes it that much harder to bust the password.
  • Stand up to testing: You can check your passwords against a password cracker (there are many available online) to see how well they withstand brute-force attacks. You may be surprised.
  • Change regularly: Keep the hackers guessing by changing your password every so often. If you’ve been carrying around the same password for the past 3 years, it’s time to make a change.
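As an added illustration of the guidance above (example code written for this page, not from BizTech or SplashData), the following Python policy check rejects any password that matches, or is a thin disguise of, one of the 25 passwords listed earlier, flags the sequential-number and keyboard-layout patterns the article calls out, and applies the length and character-mix advice from the tips. The leet-substitution table, the 12-character minimum and the three-class requirement are assumed policy values the article does not specify.

```python
# Added example, not from the article: a server-side password-policy check
# built around the SplashData 2011 list printed above.
import string

# The 25 worst passwords of 2011, exactly as listed in the article.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Assumed table of the substitutions users make to dress up a predictable
# word ("passw0rd", "P@ssword"); undoing them lets the blocklist still match.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Keyboard walks: rows left-to-right and columns top-to-bottom (qaz, wsx, ...).
KEYBOARD_PATTERNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                     "qazwsxedcrfvtgbyhnujm"]

MIN_LENGTH = 12      # assumed policy value; the article only says "longer"
MIN_CLASSES = 3      # assumed: at least 3 of lower/upper/digit/special


def candidates(pw: str) -> set:
    """Forms of the password to compare against the blocklist: lowercase,
    with trailing digits/punctuation removed ("monkey1!"), and with leet
    substitutions undone ("P@ssw0rd!" -> "password")."""
    low = pw.lower()
    stripped = low.rstrip(string.digits + string.punctuation)
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)}


def has_sequence(pw: str, min_run: int = 4) -> bool:
    """True if any run of min_run characters is strictly ascending (1234,
    abcd), strictly descending (6543) or repeated (1111)."""
    s = pw.lower()
    for i in range(len(s) - min_run + 1):
        codes = [ord(c) for c in s[i:i + min_run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def has_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if the password contains min_run adjacent keys from a row or a
    column walk, in either direction (qwer, poiu, qazw)."""
    s = pw.lower()
    for pattern in KEYBOARD_PATTERNS:
        for direction in (pattern, pattern[::-1]):
            for i in range(len(direction) - min_run + 1):
                if direction[i:i + min_run] in s:
                    return True
    return False


def char_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, special."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if any(form in WORST_2011 for form in candidates(pw)):
        problems.append("matches (or is a trivial variation of) a 2011 worst-passwords entry")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if has_sequence(pw):
        problems.append("contains a sequential or repeated run (e.g. 1234, 6543, 1111)")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk (e.g. qwerty, qazwsx)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: list entries, a disguised entry, and the
    # pass phrase from the article's second tip.
    for sample in ["password", "P@ssw0rd!", "qazwsx", "D@dhad$a7shadsal@d"]:
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check is applied at password-set time, so a user who picks "P@ssw0rd!" gets the same rejection as one who types "password"; the normalisation step is what turns a static blocklist into something that catches the "switch an o to a zero" habit the article describes.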