Nut graf: Some passwords are just about useless, and they’re the most common ones online.
Still using that old password?
You’re probably giving someone an engraved invitation to access your website, read your information, make unilateral withdrawals from your bank account or create all sorts of havoc.
Splashdata puts together an annual list of the most common passwords, and the top three in the 2014 version are (drum roll): 123456, password, 12345.
Understand the methodology here. Splashdata equates the most common passwords with the worst, and that truly makes sense. Someone trying to break into your account is going to start with those, and since the guessing is automated, the whole list gets tried in no time.
Consider something else, too. These passwords were collected from lists leaked in various website attacks. Y’all, if it was leaked, I already don’t want it.
Here’s Splashdata’s list of most common passwords in 2014:
Rank Password Change from 2013
1 123456 … and still champion!
2 password No Change. Better luck next time.
3 12345 Up 17
4 12345678 Down 1
5 qwerty Down 1
6 123456789 No Change
7 1234 Up 9
8 baseball New
9 dragon New
10 football New
11 1234567 Down 4
12 monkey Up 5
13 letmein Up 1 (You’re kidding, right?)
14 abc123 Down 9
15 111111 Down 8
16 mustang New
17 access New
18 shadow Unchanged
19 master New
20 michael New
21 superman New (Batman’s cooler.)
22 696969 New
23 123123 Down 12
24 batman New
25 trustno1 Down 1
Yeah, the usual suspects.
Random first names show up in the top 100 or so, along with many of your favorite sports teams and cuss words.
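Here is what “start with those” looks like in practice, as an added example (my own code, not SplashData’s and not from anything on this page). The attacker side runs the top 25 through a few cheap mangling rules of the kind cracking tools apply to every word in a list; the defender side undoes the same decorations before looking a password up, so “P@ssw0rd!” and “Dr4gon2014” are rejected along with the raw entries. The rule set, the leet tables and the sample passwords at the bottom are illustrative assumptions constructed for this example.

```python
import re

# The 2014 SplashData top 25, exactly as listed above.
TOP25 = [
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
]
BLOCKLIST = set(TOP25)

# --- attacker side -------------------------------------------------------
# A few cheap "mangling" rules of the kind cracking tools apply to every word
# in a list. This rule set is an illustrative assumption, not any tool's real rules.
ATTACKER_LEET = str.maketrans("aeos", "@30$")

def attacker_guesses(words=TOP25):
    """Yield guesses in the order a cracker tries them: the raw list first, then each word mangled."""
    yield from words
    for w in words:
        yield w.capitalize()                # Password
        yield w + "1"                       # password1
        yield w + "123"                     # password123
        yield w + "!"                       # password!
        yield w.capitalize() + "1"          # Password1
        yield w.translate(ATTACKER_LEET)    # p@$$w0rd

# --- defender side -------------------------------------------------------
# Undo the same decorations before looking the password up. Two tables: symbols
# only, and symbols plus digits. "1" is deliberately left alone because
# "trustno1" and "abc123" are list entries in their own right.
UNLEET_SYMBOLS = str.maketrans("@$", "as")
UNLEET_DIGITS = str.maketrans("@$4305", "asaeos")

def normalized_forms(password):
    """Return every form a password collapses to: as typed, with up to four trailing
    digits/symbols stripped, and with leet substitutions and punctuation removed."""
    p = password.lower()
    forms = set()
    for k in range(0, min(4, len(p) - 1) + 1):
        tail = p[len(p) - k:]
        if re.search(r"[a-z]", tail):
            break                            # only strip decoration, never letters of the word
        base = p[:len(p) - k]
        forms.add(base)
        for table in (UNLEET_SYMBOLS, UNLEET_DIGITS):
            forms.add(re.sub(r"[^a-z0-9]", "", base.translate(table)))
    return forms

def is_blocklisted(password, blocklist=BLOCKLIST):
    """True if the password, once undressed, is one of the common ones."""
    return not normalized_forms(password).isdisjoint(blocklist)

if __name__ == "__main__":
    # Constructed sample passwords, not from any real account.
    for pw in ["123456", "P@ssw0rd!", "Dr4gon2014", "baseb4ll", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw:30} blocklisted={is_blocklisted(pw)}")
```

The point of pairing the two halves is that every guess the attacker’s rules produce is caught by the defender’s normalization; a blocklist that only does an exact match on the 25 raw strings stops almost none of them.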
I might mention Splashdata has a pony in this race. That company developed SplashID, a password management application.
Some gains, though. Mark Burnett, who knows enough about online security to write the book Perfect Passwords, says fewer are using those commonly weak or weakly common codes:
“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years. The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”
Maybe people are catching on. I guess having your information harvested or your identity stolen is a clue that something’s wrong.
My passwords tend to be in the strong range. But I’m not perfect. In the do-as-I-say-not-as-I-do department, I’m guilty of some password offenses:
I’ll recycle mine, use one password for several sites. They’re strong passwords, but I really need to change some around. Fortunately, most of these recycled passwords are on low-impact sites where it’s not a killer if you get in. More important sites, such as my blogs or banking info, don’t get the recycled stuff. But still …
One of my weakest passwords is the one that gives me root access to my computer. I’m not gonna tell you what it is, but I’m really not all that worried. A guy has to a) have my physical computer, b) know what a root password is, and c) know Linux to make any use of it.
So recycling passwords is not among your best practices: once one of those low-impact sites gets breached, that password gets tried against every other site you use. See, I’m already making this difficult.
So where do I keep passwords? There are several options:
– In my head. Good luck with that.
– In an Evernote file. Not real secure. Not with Evernote’s search functions anyway. Someone could type “password” or “pass” into the search bar and strike gold.
– In a file on your computer. Also not real secure, unless the file is encrypted, and at that point you’ve built a clumsy version of an offline password keeper.
– In a notebook near the computer. Puh-leze!
– On a sticky note next to the computer. Really. I’ve seen this done an awful lot.
– In an online password keeper such as LastPass. It’s reasonably secure, generates random passwords and all that, but your vault is stored on their servers (encrypted, with a key derived from your master password). Everything hinges on that master password, and I sure hope it’s not 123456. LastPass has been attacked a few times, and it usually lets its users know about it.
– An offline password keeper like KeePass. Nothing is kept online; the database is an encrypted file on your own disk, so an attacker has to get hold of that file and then crack your master password before it’s any use. The only real drawback I see is that KeePass won’t work with some of the niche browsers such as SeaMonkey. So there’s that, but a few of the really security-conscious recommend KeePass.
Okay. How do you know if your password is strong enough?
Many websites have a little meter that will let you know if it’s a weak or strong password. Here’s the catch, though. Not all these meters are created equal. It varies by a lot.
This is according to the tech site ReadWrite, which cites a study by Concordia University:
“Confusingly enough, nearly identical passwords provided very different outcomes. For example, Paypal01 was considered poor by Skype’s standards, but strong by PayPal’s. Password1 was considered very weak by Dropbox but very strong by Yahoo!, and received three different scores by three Microsoft checkers (strong, weak, and medium). The password #football1 was also considered to be very weak by Dropbox, but Twitter rated it perfect.”
I’ve noticed that. Many of these password-strength meters use the standard indicators: Length of the password. Presence or absence of uppercase, numerals and the good ol’ @$*%^. I reckon some password meters consider whether your password shows up in a dictionary somewhere, but that’s just a guess.
In the interest of stronger passwords, some sites have their own rules. My bank requires at least one upper case letter, one numeral and one symbol. Another bank won’t let you use three of anything in a row, so “anYthing111” is out.
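To show why those meters disagree, here are two of them side by side as an added example (my own code, not any site’s actual checker and not a reconstruction of the Concordia study): a class-counting meter like the ones the quote describes, and a stricter one that checks the cheap stuff first and only then sizes the search space. The short COMMON set stands in for a real blocklist, the site-name check is my addition, the “bits” figure is a rough upper bound, and the sample passwords are the three from the quote plus the bank example and a constructed passphrase.

```python
import math
import re

# Stand-in for a real blocklist: a handful of entries from the list above.
# A production check would use a large corpus of leaked passwords.
COMMON = {"password", "123456", "football", "baseball", "letmein", "qwerty", "dragon", "monkey"}

RATINGS = ["very weak", "weak", "medium", "strong", "very strong"]

def naive_meter(pw):
    """The kind of meter many sites ship: one point per character class, one more for length >= 8.
    It never asks whether the password is a dictionary word, so "Password1" scores like random text."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    score = classes + (1 if len(pw) >= 8 else 0)
    return RATINGS[min(score, 4)]

def strict_meter(pw, site_name=""):
    """Check what a cracker exploits first (common words, site name, repeats), then size the search space.
    Returns (rating, list of problems found)."""
    low = pw.lower()
    problems = []
    # A common password wrapped in leading/trailing digits or symbols is still that common password.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if low in COMMON or core in COMMON:
        problems.append("built on a common password")
    # The site's own name is the first thing a targeted guesser appends to a list.
    if site_name and site_name.lower() in low:
        problems.append("contains the site name")
    # The bank rule from the text: no character three times in a row.
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three times in a row")
    # Search-space estimate: length x log2(size of the pools actually used). This is an
    # upper bound (a mangled dictionary word is worth far less), which is why it only
    # matters after the checks above have passed.
    pool = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
               if re.search(pat, pw))
    bits = len(pw) * math.log2(pool) if pool else 0
    if problems:
        rating = "very weak"
    elif bits < 40:
        rating = "weak"
    elif bits < 60:
        rating = "medium"
    elif bits < 80:
        rating = "strong"
    else:
        rating = "very strong"
    return rating, problems

def compare(samples):
    """Rate each (password, site) pair with both meters; returns {password: (naive, strict, problems)}."""
    return {pw: (naive_meter(pw), *strict_meter(pw, site)) for pw, site in samples}

if __name__ == "__main__":
    samples = [("Paypal01", "PayPal"), ("Password1", ""), ("#football1", ""),
               ("anYthing111", ""), ("correcthorsebatterystaple", "")]
    for pw, (naive, strict, why) in compare(samples).items():
        print(f"{pw:28} naive={naive:12} strict={strict:10} {'; '.join(why)}")
```

Run it and the naive meter calls all three passwords from the quote “very strong” while rating the long lowercase passphrase “medium”; the strict meter inverts both verdicts, which is the whole disagreement in one table. Whatever meter a site uses, the blocklist check is the one that matters most, because it is the first thing the guesser on the other side is going to try.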
# # #
Personal news: I published my latest fiction work, Desert Vendetta, the other day. It’s a mystery involving reporters, corrupt cops, feuding families, casinos, the Nevada and Arizona desert and the occasional dead body. It’s available on Amazon.