We are continually amazed at the passwords these folks have chosen. And this is after we give them a simple guideline for choosing a new strong password. We leave the website with a password like R*tyXX345!2, and when we come back it's invariably something like a pet's name, their address or, worse, their own name. It's easy to understand why people choose a weak password: we are all overwhelmed by all the PASSWORDS!!!
There are so many aspects of your daily life that require passwords. I think just in my personal daily routine, not counting clients' passwords, I use about 7. That is a lot to remember!!! One of my favorite online tools for bypassing compulsory registration on many websites is BugMeNot. If you are using the Firefox browser (which you should be!), BugMeNot has a handy plugin that will attempt to log in for you. I personally am against forcing people to create a login and password to view an article or other content. Unless there is something that actually needs protection, like a username on a forum or personal information, I don't see why a website should chase off visitors by trying to harvest email addresses.
We always recommend at the very minimum:
- 8 characters
- 1 capital letter
- 1 number
- 1 special character
Here is an excellent article on Password Best Practices from The Security Pub.
Avoid weak passwords
When creating passwords, avoid the following:
* Easy to guess passwords such as a blank or “password”
* Your name, spouse’s name, or partner’s name
* Your pet’s name or your child’s name
* Names of close friends or coworkers
* Names of your favorite fantasy characters
* Your boss’s name
* Anybody’s name
* The name of the operating system you’re using
* String of numbers or letters, like 1234, abcde
* The hostname of your computer
* Your phone number or your license plate number
* Any part of your social security number
* Anybody’s birth date
* Other information easily obtained about you (e.g., address, town, alma mater)
* Words such as wizard, guru, password, nimda, and so on
* A username in any form (as is, capitalized, doubled, etc.)
* A word in the English dictionary or in a foreign dictionary
* Place names or any proper nouns
* Passwords of all the same letter
* Simple patterns of letters on the keyboard, like asdfg
* Any of the above spelled backwards
* Any of the above followed or preceded by a single digit
From: http://www.thesecuritypub.com/archives/2074
Here are some examples of good and bad passwords from Fermilab Computer Security. This page also has excellent guidelines for network administrators on good network security practices. Considering Fermilab most likely literally is protecting United States government information (or so I would think from the .gov domain), I'm willing to bet they know their stuff when it comes to network security. It's usually some yahoo leaving their laptop in a coffee shop... Whoops! Or donating computers that haven't been fully decommissioned and wiped yet... The memo did not direct me to contact Network Security first... I only do what the memo says...
Examples of good and bad passwords
hello: bad, a dictionary word.
h3ll4: bad, because the vowels of the dictionary word “hello” have been REPLACED by the digits 3 and 4.
he22o: bad, because two characters in the dictionary word “hello” have been REPLACED by the digit 2.
he3ll9o or he_ll/o: good, because digits/special characters have been EMBEDDED between the characters of a dictionary word, but have not replaced them.
7he3ll9o or 7he_ll/o: better, because a leading digit has been added to a good password.
From: http://security.fnal.gov/UserGuide/examples.htm
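To make the three sets of rules on this page concrete (the 8-character/capital/number/special minimum above, The Security Pub "avoid" list, and Fermilab's replaced-versus-embedded distinction), here is a small checker that applies them to a candidate password. This is an added example written for this page; it is not a tool from the author, The Security Pub or Fermilab. The word list and keyboard rows are constructed for the demo (a real check would load a full dictionary and a breached-password list), and the function names are my own.

```python
"""Password checker built from the rules on this page: the 8/capital/number/
special minimum, the Security Pub "avoid" list, and Fermilab's replaced-vs-
embedded distinction. Added example, not the page author's tool."""
import string

# Constructed mini dictionary for the demo: common words, names, OS names and
# the page's "wizard, guru, password, nimda". Replace with a real word list.
DICTIONARY = {"hello", "password", "wizard", "guru", "nimda", "admin", "welcome",
              "secret", "dragon", "fermilab", "linux", "windows", "fluffy"}
# Keyboard rows plus the number line and alphabet, for "asdfg", "1234", "abcde".
PATTERNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
            string.ascii_lowercase]
EXTRAS = string.digits + string.punctuation


def base_words(pw):
    """Forms the list says to check: as typed, with one leading or trailing
    digit stripped, and each of those reversed."""
    low = pw.lower()
    forms = {low}
    if len(low) > 1 and low[0].isdigit():
        forms.add(low[1:])
    if len(low) > 1 and low[-1].isdigit():
        forms.add(low[:-1])
    forms |= {f[::-1] for f in forms}
    return forms


def has_keyboard_run(pw, n=4):
    """True if any n consecutive characters walk along a keyboard row, the
    number line or the alphabet, forwards or backwards."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if any(window in row or window in row[::-1] for row in PATTERNS):
            return True
    return False


def is_substituted_word(pw):
    """Fermilab's bad case: same length as a dictionary word, and every
    position that differs is a digit/special standing in for a letter
    (h3ll4, he22o)."""
    low = pw.lower()
    for word in DICTIONARY:
        if len(word) != len(low):
            continue
        diffs = [c for c, d in zip(low, word) if c != d]
        if diffs and all(c in EXTRAS for c in diffs):
            return True
    return False


def is_embedded_word(pw):
    """Fermilab's good case: the letters alone still spell a dictionary word
    and at least one digit/special sits BETWEEN them, not only at an end
    (he3ll9o, he_ll/o). A trailing digit alone is caught by base_words."""
    low = pw.lower()
    letters = "".join(c for c in low if c.isalpha())
    core = low.strip(EXTRAS)  # drop leading/trailing digits and specials
    return letters in DICTIONARY and any(c in EXTRAS for c in core)


def fermilab_verdict(pw):
    """Reproduce the bad/good/better labels from the Fermilab examples."""
    if pw.lower() in DICTIONARY or is_substituted_word(pw):
        return "bad"
    if is_embedded_word(pw):
        return "better" if pw[0].isdigit() else "good"
    return "n/a"


def policy_violations(pw, username=None):
    """Return the rules from this page that pw breaks; an empty list means it
    passes the minimum policy and the 'avoid' list."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if base_words(pw) & DICTIONARY:
        problems.append("dictionary word (as is, reversed, or with one digit added)")
    if username:
        u = username.lower()
        if u in pw.lower() or u[::-1] in pw.lower():
            problems.append("contains the username")
    if pw and len(set(pw.lower())) == 1:
        problems.append("all the same character")
    if has_keyboard_run(pw):
        problems.append("keyboard or alphabet sequence")
    if is_substituted_word(pw):
        problems.append("dictionary word with letters replaced by digits/specials")
    return problems


if __name__ == "__main__":
    for pw in ["hello", "h3ll4", "he22o", "he3ll9o", "7he_ll/o", "R*tyXX345!2"]:
        print(f"{pw:12} fermilab={fermilab_verdict(pw):6} "
              f"policy={policy_violations(pw) or 'ok'}")
```

Running the script reproduces the Fermilab labels (hello, h3ll4 and he22o bad; he3ll9o good; 7he_ll/o better) but also shows that every Fermilab example, the "better" ones included, fails this page's own minimum policy: he3ll9o is only 7 characters, and 7he3ll9o and 7he_ll/o have no capital letter. Only R*tyXX345!2 passes both. Cracking rule sets try reversal, leetspeak replacement and embedded-digit variants of dictionary words as a matter of course, so treat an embedded-digit word as acceptable only once it also meets the length and composition minimum.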