How Bad Is Your Password?

Every cloud has a silver lining, and every password breach offers an opportunity to see how good (or bad) our passwords really are. Over the past several months, there have been a number of major password breaches: LinkedIn, eHarmony, Gamigo, and others. The silver lining to that particular cloud is that those password lists have allowed researchers to confirm once again that we’re collectively very bad at choosing strong passwords.

Security consultant Mark Burnett analyzed the passwords from various breaches, and identified the most popular passwords. Some of them are not surprising: “password” or “123456.” Others are a bit more interesting: “michael” or “jennifer” (hint: don’t use your name as a password, and really don’t use your name if you have a common name).

In total, just ten passwords accounted for 14 percent of all the passwords on the list, and only 10,000 passwords are in use by over 99 percent of users. For hackers, this means a very small set of passwords carries very good odds of getting in.

Here are some simple rules for creating secure passwords:

  • Increase the number of characters used
  • Use letters, numbers, and special characters
  • Vary capitalization
  • Don’t use simple character substitution, such as “3” for “e” (hackers have figured out that trick)
  • Avoid words

Use a complex password, because you don’t want to see your password on the “easy target” list.
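To make the two points above concrete, here is an added example (not code from the original post): it first measures how much of a small constructed leak is covered by its most frequent passwords, the same kind of count behind the "top 10,000 cover 99 percent" figure, and then checks candidate passwords against the rules listed above. The leak sample, the common-word list, the leetspeak table and the 12-character minimum are all assumptions made for this example, not values from the article.

```python
import re
from collections import Counter

# Constructed sample "leak" (not real breach data). The repetition mimics the
# skew the article describes: a handful of values cover most accounts.
SAMPLE_LEAK = (
    ["password"] * 6 + ["123456"] * 5 + ["michael"] * 3 + ["jennifer"] * 2
    + ["p@ssw0rd", "letmein", "qwerty", "Tr0ub4dor", "xk3fL!9qmZ$2wP"]
)


def top_n_coverage(passwords, n):
    """Fraction of accounts in `passwords` whose value is among the n most frequent."""
    counts = Counter(passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return covered / len(passwords)


# Common passwords and names a checker should reject outright. A real deployment
# would load a large breach-derived list; this short set is a constructed stand-in.
COMMON = {"password", "123456", "michael", "jennifer", "letmein", "qwerty", "welcome"}

# Simplified leetspeak table (assumption: enough to undo the usual swaps).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # policy threshold chosen for this example, not taken from the article


def normalize(pw):
    """Lower-case and undo character substitutions so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def check_password(pw, common=COMMON):
    """Return the reasons `pw` fails the rules above; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} chars, need {MIN_LENGTH})")
    # Letters, numbers, special characters and varied capitalization.
    for name, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                          ("digit", r"\d"), ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    # Compare both the raw lower-cased form and the de-leeted form, so that
    # "123456" is still caught even though "1" and "3" would be rewritten.
    forms = {pw.lower(), normalize(pw)}
    for word in sorted(common):
        if len(word) >= 4 and any(word in f for f in forms):
            problems.append(f"contains '{word}' after undoing substitutions")
            break  # one match is enough to fail the "avoid words" rule
    return problems


if __name__ == "__main__":
    print(f"top 2 values cover {top_n_coverage(SAMPLE_LEAK, 2):.0%} of sample accounts")
    for candidate in ("p@ssw0rd", "Michael2024!", "xk3fL!9qmZ$2wP"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The coverage function is the defender's view of the statistic: run over an organization's own password hashes that were recovered in an audit, it tells you how exposed the user base is to a guessing run that tries only a few thousand values. The checker shows why normalization matters: "Michael2024!" satisfies every character-class rule yet still fails, because a name survives the added digits and punctuation.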


  1. How many of these breaches involve guessing passwords rather than accessing an unencrypted file containing usernames and passwords? I know of one organization which implemented a “password security protocol”. I was unsure why the “password security feature protocol” specified a password of 7 characters, the first HAD to be a number and it was not case sensitive.

    Years ago someone bet me he could guess my password. I challenged him to do so. When he finally gave up I changed the password and then revealed the previous one. It was this long:
    *****************. That’s correct, well over 10 characters, mixed case, special characters, misspelled words, the lot.

  2. Here’s another hint when providing “hint” questions: the answer should make no sense relevant to the question. For example:

    password hint = “Favorite cereal”

    Answer: TooteeFruiteeBuhlootee