Shark watch: How safe are your online passwords?

Nut graf: Some passwords are just about useless, and they’re the most common ones online.

If your bank website password is something like 123456, you might as well hide your money under your mouse. It’s every bit as safe.


Still using that old password?

You’re probably giving someone an engraved invitation to access your website, read your information, make unilateral withdrawals from your bank account or create all sorts of havoc.

Splashdata puts together an annual list of the most common passwords, and the top three in the 2014 version are (drum roll): 123456, password, 12345.

Understand the methodology here. Splashdata equates the most common passwords with the worst, and that makes sense. Someone trying to break into your account is going to start with the ones everybody uses, and a list like this is exactly what a cracking tool tries first.

Consider where the list comes from, too. These passwords were harvested from various website breaches. Y’all, if it was leaked I already don’t want it.

Here’s Splashdata’s list of most common passwords in 2014:

Rank  Password    Change from 2013
  1   123456      … and still champion!
  2   password    No Change. Better luck next time.
  3   12345       Up 17
  4   12345678    Down 1
  5   qwerty      Down 1
  6   123456789   No Change
  7   1234        Up 9
  8   baseball    New
  9   dragon      New
 10   football    New
 11   1234567     Down 4
 12   monkey      Up 5
 13   letmein     Up 1 (You’re kidding, right?)
 14   abc123      Down 9
 15   111111      Down 8
 16   mustang     New
 17   access      New
 18   shadow      No Change
 19   master      New
 20   michael     New
 21   superman    New (Batman’s cooler.)
 22   696969      New
 23   123123      Down 12
 24   batman      New
 25   trustno1    Down 1

Yeah, the usual suspects.

Random first names show up in the top 100 or so, along with many of your favorite sports teams and cuss words.

I might mention Splashdata has a pony in this race. That company developed SplashID, a password management application.

Some gains, though. Mark Burnett, who knows enough about online security to have written the book Perfect Passwords, says fewer people are using those commonly weak or weakly common codes:

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years. The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

Maybe people are catching on. I guess having your information harvested or your identity stolen is a clue that something’s wrong.

My passwords tend to be in the strong range. But I’m not perfect. In the do-as-I-say-not-as-I-do department, I’m guilty of some password offenses:

I recycle mine, using one password for several sites. They’re strong passwords, but I really need to change some around. Fortunately, most of these recycled passwords are on low-impact sites where it’s not a killer if you get in. More important sites, such as my blogs or banking info, don’t get the recycled stuff. But still …

One of my weakest passwords is the one that gives me root access to my computer. I’m not gonna tell you what it is, but I’m really not all that worried. A guy has to a) have my physical computer, b) know what a root password is, and c) know Linux to make any use of it.

So recycling passwords is not among your best practices. See, I’m already making this difficult.

So where do I keep passwords? There are several options:

My editorial comment here is cast in stone.
– In my head. Good luck with that.
– In an Evernote file. Not real secure. Not with Evernote’s search functions anyway. Someone could type “password” or “pass” into the search bar and strike gold.
– In a file on your computer. Also not real secure.
– In a notebook near the computer. Puh-leze!
– On a sticky note next to the computer. Really. I’ve seen this done an awful lot.
– In an online password keeper such as LastPass. It’s reasonably secure, creates random passwords and all that, but the data is kept online. It’s stored encrypted, and the key that unlocks it comes from the master password you use to get in, so that one password is the whole ballgame. I sure hope it’s not 123456. LastPass has been attacked a few times, and it usually lets its users know about it.
– An offline password keeper like KeePass. None of the stuff is kept online. Hey, it’s a whole lot harder to crack when it doesn’t exist in the cloud, right? The only real drawback I see is that KeePass won’t work with some of the niche browsers such as SeaMonkey. So there’s that, but a few of the really security-conscious recommend KeePass.

Okay. How do you know if your password is strong enough?

Many websites have a little meter that will let you know if it’s a weak or strong password. Here’s the catch, though. Not all these meters are created equal. They vary a lot.

This is how LastPass rates passwords. If this was a high-priority site I’d change it immediately.


This is according to the tech site ReadWrite, which cites a study by Concordia University:

“Confusingly enough, nearly identical passwords provided very different outcomes. For example, Paypal01 was considered poor by Skype’s standards, but strong by PayPal’s. Password1 was considered very weak by Dropbox but very strong by Yahoo!, and received three different scores by three Microsoft checkers (strong, weak, and medium). The password #football1 was also considered to be very weak by Dropbox, but Twitter rated it perfect.”

I’ve noticed that. Many of these password-strength meters use the standard indicators: Length of the password. Presence or absence of uppercase, numerals and the good ol’ @$*%^. I reckon some password meters consider whether your password shows up in a dictionary somewhere, but that’s just a guess.

In the interest of stronger passwords, some sites have their own rules. My bank requires at least one upper case letter, one numeral and one symbol. Another bank won’t let you use three of anything in a row, so “anYthing111” is out.
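To show why the meters disagree, here is a small Python script written for this column as an added example. It is not code from SplashData, ReadWrite, Concordia or any bank. It puts three approaches side by side: a naive length-and-character-class meter of the kind many sites run, the two bank rules just described (one uppercase, one numeral, one symbol; no three of the same character in a row), and a meter that first asks whether the password is one of the 25 from the table above, dressed up with a capital, a digit on the end or leet-speak, or contains the site’s own name. The scoring thresholds, the leet table and the site-name rule are my assumptions for illustration; the test passwords are the ones from the ReadWrite quote.

```python
"""Added example for this column: three ways a site might judge a password.

Not SplashData's code or any bank's. The common-password list is the 25
entries from the 2014 table above; the bank rules are the two quoted in
the text; the scoring thresholds, leet table and site-name rule are
assumptions made for illustration.
"""
import re

# The 2014 top 25, lower-cased for comparison.
COMMON = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
    "trustno1",
}

# Substitutions people make to get a dictionary word past a meter (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")  # lower, upper, digit, symbol


def naive_meter(pw: str) -> str:
    """Rate by length and character classes only, as many site meters do.

    It never asks what the characters spell, which is why 'Password1'
    comes out 'strong'.
    """
    score = sum(bool(re.search(p, pw)) for p in CLASSES)
    score += (len(pw) >= 8) + (len(pw) >= 12)
    if score <= 2:
        return "weak"
    if score == 3:
        return "medium"
    return "strong"


def bank_policy(pw: str) -> list:
    """The composition rules from the two banks in the column; returns violations."""
    problems = []
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no numeral")
    if not re.search(r"[^\w\s]", pw):
        problems.append("no symbol")
    if re.search(r"(.)\1\1", pw):  # "anYthing111" trips this
        problems.append("three of the same character in a row")
    return problems


def informed_meter(pw: str, site: str = "") -> tuple:
    """Ask what the password *is* before counting what it *has*.

    Undoes a capital letter, digit/symbol padding at either end and
    leet-speak, then checks the result against the common list and the
    site's own name. Only if both checks pass does it fall back to the
    naive score.
    """
    low = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)   # "#football1" -> "football"
    forms = {low, core, low.translate(LEET), core.translate(LEET)}
    if forms & COMMON:
        return ("weak", "on the common-password list")
    if site and any(site.lower() in f for f in forms):
        return ("weak", "contains the site name")
    return (naive_meter(pw), "length and character mix")


if __name__ == "__main__":
    # The passwords from the ReadWrite quote, plus one the bank would reject.
    for pw, site in [("Password1", "Dropbox"), ("#football1", "Twitter"),
                     ("Paypal01", "PayPal"), ("anYthing111", ""),
                     ("Shark-watch-2014", "")]:
        print(f"{pw:18} naive={naive_meter(pw):7} informed={informed_meter(pw, site)}"
              f" bank says: {bank_policy(pw) or 'ok'}")
```

Run it and the point of the Concordia study falls out of the output: the naive meter calls Password1 and #football1 strong because they tick the boxes, while the list-aware meter calls them weak because, once you strip the decoration, they are two of the 25 words above. The bank rules catch anYthing111 on both counts, but note they would happily accept P@ssw0rd, which the list-aware check rejects.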

# # #

