I never cease to be amazed at the couldn’t-care-less attitude that some computer users have. Week after week I pull countless viruses and spyware programs out of computers that have been abused by careless users. Thinking that they are somehow immune to the Internet’s many diseases, these users are only shocked back into reality by the size of the bill that I give them after cleaning up their machines.
One of the most basic and fundamental things that you must do in practicing good computer security is to use strong passwords. Sadly, recent studies show that most computer users are too lazy, stupid or ignorant to be bothered with such annoying things as password safety. These are the people that should not be allowed to use computers, because they are making the world a more dangerous place for everyone.
One study, by Errata Security CEO Robert Graham, analyzed 20,000 passwords that had been in use at a popular website. Mr. Graham’s analysis was not reassuring. The overwhelming majority of passwords picked by users were simple dictionary-based passwords. Others were simple letter-number combinations, such as “abc123.” 16% of the passwords matched a person’s first name. 14% were patterns on the keyboard, such as “qwerty,” or “asdf.”
Other passwords were variations on the word “password,” such as “password1,” or the extremely clever “drowssap” (password spelled backwards). Many passwords were pop-culture references from TV, movies and music, such as “hannah” and “starwars.” Other passwords were things that may have been nearby when the user was first asked to create a password, such as “cocacola” (which was more popular than Pepsi) and “samsung.” Rounding out the list were curse words (with the “F” bomb being the most popular), I-don’t-care passwords such as “blahblah,” and the names of movie stars and sports-related items.
Another study by Gartner reports that at least two-thirds of U.S. consumers would rather use insecure password management practices than convert to stronger ones. The most widespread and dangerous insecure password practice is that of using the same password for everything. People are stuck in a fantasy world where everything related to computers and the Internet is supposed to be easy, so they think that it’s OK to use the same lame password for eBay, PayPal, email, and banking and credit card websites. It seems that they will choose convenience over security almost every time.
The problem with weak passwords, such as those discussed in the Graham report, is that they can be easily and quickly hacked and cracked. I’ve conducted public password-cracking demonstrations before, and believe me, folks, it’s easy; so easy that even a caveman could do it.
Password length is vital to strong passwords. On a modern computer, the time it takes to crack a password of a given length is:
– 5 characters = 10 seconds
– 6 characters = 1,000 seconds
– 7 characters = 1 day
– 8 characters = 115 days
– 9 characters = 31 years
– 10 characters = 3,000 years
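The weak-password categories from the Graham analysis and the length table above can be turned into a check that runs when a user picks a password. The following is an added example, not code from the article or from the study. The word lists are small constructed samples, the function names are hypothetical, and the 10-character minimum is an assumption taken from the last row of the table.

```python
import re

# Constructed sample lists; a real check would load full dictionaries.
COMMON_WORDS = {"password", "starwars", "cocacola", "samsung", "blahblah", "hannah"}
FIRST_NAMES = {"michael", "jessica", "jennifer"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 10  # assumption: the longest row of the crack-time table


def _core(pw):
    """Lower-case and strip leading/trailing digits: 'password1' -> 'password'."""
    return pw.lower().strip("0123456789")


def _is_keyboard_run(s):
    """True if s (4+ chars) runs along one keyboard row, in either direction."""
    return len(s) >= 4 and any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def _is_sequence(s):
    """True for ascending runs such as 'abc' or '123'."""
    return len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def weaknesses(pw):
    """Return the weak-password categories that pw falls into (empty if none)."""
    found = []
    low, core = pw.lower(), _core(pw)
    if len(pw) < MIN_LENGTH:
        found.append("too short")
    if core in FIRST_NAMES:
        found.append("first name")
    # Reversed spellings such as 'drowssap' count as the word itself.
    if core in COMMON_WORDS or core[::-1] in COMMON_WORDS:
        found.append("dictionary word")
    if _is_keyboard_run(core) or _is_keyboard_run(low):
        found.append("keyboard pattern")
    parts = re.fullmatch(r"([a-z]+)(\d+)", low)
    if parts and all(_is_sequence(p) for p in parts.groups()):
        found.append("simple letter-number combination")
    return found


if __name__ == "__main__":
    for sample in ("abc123", "drowssap", "password1", "qwerty", "T7#vkPq9!xLm2"):
        print(sample, "->", weaknesses(sample) or "no listed weakness")
```

A password that returns an empty list has only avoided the patterns named here; it still needs to be unique to each account.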
The problem with using the same password for everything is that once it’s cracked, the bad guys have access to all of your accounts. To prevent this, you should use a different long, complicated password for everything you do that requires a password. I have five or six complex passwords memorized, and it’s not because I’m some sort of memory genius; it’s just a matter of being willing to do it.
If you can memorize a long telephone number, street address or Social Security number, then you can memorize a complicated password; you simply have to force yourself to stop being so lazy. For more information about inventing complex passwords that you can memorize, see my previous article titled, “Type Password Here.”
There are even special tools available for managing multiple complex passwords, such as Login King (loginking.com), RoboForm (roboform.com), KeePass (keepass.info), and OpenID (openeid.net). Some of these tools are free, some cost a measly $25 or so. The point is, with these tools, you have no excuse for using weak passwords for everything you do on the Internet.
Start practicing good password policies today, or you can become another crime statistic. It’s your choice.