What do the following have in common?
If you guessed "commonly used as a password" (which is also, regrettably, on the top 25 list), you would be right.[i] Of course, this is one list you do not want to be associated with, even though it would put you in interesting company:
- 00000000 was the Cold War-era launch code for the US Minuteman nuclear missiles.[ii] (Yes, the tension between convenience and security has a long history.)
- 12345 was the email password used by Syrian president Bashar al-Assad (publicized by Anonymous in 2012) and also the luggage code used by Mel Brooks's character in Spaceballs and for planet Druidia's air shield.[iii] Other popular variants for this one include, cleverly, 123456, 1234567, 12345678, and 1234567890.[iv] (Is there no end to the creative range in password selection? These combinations, in fact, accounted for 2,637,000 Adobe user passwords revealed in the 2013 hack. The more minimalist 1234 was used by only 61,000 users.[v])
- Buddy was President Bill Clinton's choice for encrypting his smart card when he signed the Electronic Signatures in Global and National Commerce (E-SIGN) Act in 2000. To help out those who might not be privy to his dog's name, he also shared it with those at the signing ceremony. (National leaders are apparently not immune to the appeal of convenience.)
- Monkey, iloveyou, and princess are all just feel-good words that make the human-computer interaction more personal (unless someone is old enough to remember when 10% of Internet-connected devices worldwide were infected with the iloveyou virus in 2000).
For password strength, "keep it simple" and "short and sweet" are not the way to go. Since passwords are the primary force field for protecting access to your accounts, pump up your passwords by opting for:
- Length—at least 12 characters not repeated in a predictable pattern (iloveyouiloveyou is predictable on many levels; really). According to the US National Institute of Standards and Technology (and other security experts), length is more important than complexity in defeating password-cracking efforts.
- Complexity—yes, complexity still matters. Use a combination of alphanumeric characters and special characters, but preferably uncommon ones. [One expert's analysis of 5,000 PCI-DSS compliant passwords showed that special character requirements were usually met with a single character, of which the four favorites were "!" (29%), "." (19%), "@" (15%), and "#" (14%)[vi].]
- Uniqueness—if you can find it in Webster's, so can dictionary-cracking efforts. Hackers read what you read and more, so mashing together whole words from the 168,000 or so in English language dictionaries is not a serious protection, and yet at least 75% of all PCI-DSS passwords studied matched one or more.[vii] [Follow Lewis Carroll's model: abandon the rules of orthography and go creative! Make up a word or phrase that you can pronounce but that only has meaning for you. This is your chance to take revenge on your second-grade teacher. Use it wisely!]
- Encoded Passphrases—use a song title or favorite expression (not iloveyou) and disguise it; for example, "And you and me are free to be you and me" could be morphed into "nU&meR32bU&me." [Don't use any encoded passphrases already proposed publicly by others, however. Make up your own!]
- Inversion—palindromic approaches can add length and complexity without taxing your memory. [Think of sliding up and down a musical scale. The previous passphrase would thus become "nU&meR32bU&meem&Ub23Rem&Un." Hmmm ... might not pass the convenience test.]
- Memorable Variety and Obscurity—develop a mnemonic for easy recall so that you don't have to write your password down, select different passwords for different accounts, use a password manager, and create security questions with answers not easily researched by others (but evocative for you). [Family names and pet names are not obscure; remember President Clinton's dog's name?]
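The checklist above can be turned into an automated screen that a registration form or password audit would run. The following Python checker is an added example, not code from the original article; it assumes a tiny constructed word list (`TOY_DICTIONARY`) in place of a full dictionary and breached-password list, and it implements the length, repetition, character-class, common-special-character and dictionary-word criteria from the list, plus the root-and-appendage shape (whole word followed by digits or punctuation) that the article warns about.

```python
import re
import string

# Constructed toy dictionary standing in for a real word list (assumption:
# a deployment would load a full dictionary plus a breached-password list).
TOY_DICTIONARY = {
    "i", "love", "you", "monkey", "princess", "buddy", "password",
    "dragon", "sunshine", "welcome", "summer", "letmein", "qwerty",
}
COMMON_SPECIALS = set("!.@#")  # the four favourites from the PCI-DSS study
MIN_LENGTH = 12


def _is_repeated_block(s):
    """True when s is a shorter string repeated, e.g. 'iloveyouiloveyou'."""
    # Classic trick: s is a repetition iff s occurs inside (s + s)[1:-1].
    return len(s) > 1 and s in (s + s)[1:-1]


def _is_palindrome(s):
    """True when s reads the same backwards, as the inversion trick produces."""
    return len(s) > 3 and s == s[::-1]


def _splits_into_words(s, words):
    """True when s (lowercase letters) is a concatenation of dictionary words."""
    n = len(s)
    reachable = [False] * (n + 1)  # reachable[k]: s[:k] splits into words
    reachable[0] = True
    for end in range(1, n + 1):
        for start in range(end):
            if reachable[start] and s[start:end] in words:
                reachable[end] = True
                break
    return n > 0 and reachable[n]


def check_password(pw, words=TOY_DICTIONARY):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if _is_repeated_block(pw):
        findings.append("a shorter string repeated")
    if _is_palindrome(pw):
        # The mirrored half is fixed by the first half, so only the first
        # half contributes unpredictable length.
        findings.append("mirrored: only the first half adds unpredictability")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        findings.append("fewer than three character classes")
    specials = {c for c in pw if c in string.punctuation}
    if specials and specials <= COMMON_SPECIALS:
        findings.append("only the most common special characters (! . @ #)")
    # Root + appendage: strip leading/trailing digits and punctuation, then
    # test whether the alphabetic core is built from whole dictionary words.
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    if core.isalpha() and _splits_into_words(core, words):
        findings.append("core is made of dictionary words")
    return findings


if __name__ == "__main__":
    for candidate in ["iloveyou", "iloveyouiloveyou", "Princess123!",
                      "nU&meR32bU&me", "nU&meR32bU&meem&Ub23Rem&Un"]:
        print(candidate, "->", check_password(candidate) or ["no findings"])
```

The article's own encoded passphrase passes every check, while "Princess123!" satisfies a naive length-and-classes policy and is still flagged for its dictionary root and its lone "!". A real deployment would swap the toy word list for a large dictionary and a breached-password corpus; the segmentation logic stays the same.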
Remember, the bad guys have serious tools. Password hacking programs advertise as many as 800 million attempts per second. Typical (and vulnerable) passwords are composed of a core or root word(s) and then an add-on or appendage, like a zip code or significant date. Interrupt that sequence by inserting the appendage in the middle, using the inversion method mentioned above, and devising a passcode as your root. Having a strong, unique password for each account is more important than changing it every day.
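To see why the article ranks length ahead of complexity, and why a dictionary word plus a zip code is weak, it helps to put the 800 million guesses per second and the 168,000-word dictionary figures into a worst-case arithmetic. The Python below is an added example, not part of the original article; the character-pool sizes (26 lower, 26 upper, 10 digits, 32 printable ASCII specials) and the exhaustive-enumeration model are its own assumptions, and real attackers use word lists and rules rather than pure brute force, so these numbers are upper bounds on attacker effort, not predictions.

```python
import string

GUESSES_PER_SECOND = 800_000_000  # rate quoted in the text for cracking tools
DICTIONARY_WORDS = 168_000        # rough English dictionary size, per the text
SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(pw):
    """Smallest standard character pool that contains every character in pw.
    An attacker who knows which classes were used only needs this pool."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable ASCII specials
    return pool


def brute_force_seconds(length, pool, rate=GUESSES_PER_SECOND):
    """Worst case: enumerate every string of `length` characters from `pool`."""
    return pool ** length / rate


def word_mash_seconds(words_per_password, rate=GUESSES_PER_SECOND,
                      vocab=DICTIONARY_WORDS):
    """Worst case for a password made by concatenating whole dictionary words."""
    return vocab ** words_per_password / rate


def root_plus_appendage_seconds(appendage_digits, rate=GUESSES_PER_SECOND,
                                vocab=DICTIONARY_WORDS):
    """Dictionary root followed by an all-digit appendage such as a zip code."""
    return vocab * 10 ** appendage_digits / rate


def humanize(seconds):
    """Render a duration at the scale a reader cares about."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def comparison_table():
    """(description, worst-case seconds) rows for the cases the text discusses."""
    all_four = charset_size("aA1!")   # 94-character pool
    lower_only = charset_size("a")    # 26-character pool
    return [
        ("8 chars, all four classes", brute_force_seconds(8, all_four)),
        ("12 chars, lowercase only", brute_force_seconds(12, lower_only)),
        ("12 chars, all four classes", brute_force_seconds(12, all_four)),
        ("two dictionary words mashed", word_mash_seconds(2)),
        ("three dictionary words mashed", word_mash_seconds(3)),
        ("dictionary word + 5-digit zip", root_plus_appendage_seconds(5)),
    ]


if __name__ == "__main__":
    for label, secs in comparison_table():
        print(f"{label:32} {humanize(secs)}")
```

At the quoted rate, eight characters drawn from all four classes fall in about three months, twelve lowercase letters take a few years, and twelve characters from all four classes run to tens of millions of years; two mashed dictionary words or a word plus a zip code are gone in under a minute. The arithmetic also shows why a mirrored (palindromic) password should be credited with only its first half: the second half is determined, so it adds nothing to the exponent.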
[i] Lorrie Faith Cranor (March 2014). "What's wrong with your password?" TED Talks. Retrieved from http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd?language=en
[ii] Phil Johnson (8 January 2014). "Sher-locked: 12 famous passwords used through the ages." IT World. Retrieved from http://www.itworld.com/article/2823169/security/135075-Sher-locked-12-famous-passwords-used-through-the-ages.html
[iv] Chenda Ngak (21 January 2014). "The 25 most common passwords of 2013." CBS News. Retrieved from http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/
[v] Stricture Consulting Group (11 August 2013). Quoted by K. Pong, Reuters.
[vi] Jonathan Lampe. "Beyond password length and complexity." Infosec Institute. Retrieved from http://resources.infosecinstitute.com/beyond-password-length-complexity/