Password insecurity – the usual suspects

The annual list of truly bad passwords is now out and it still brings a tear of despair to any computer techie’s eyes. Despite all the warnings and examples of the chaos caused by hacked accounts, people still use “password”, “12345678” and “abc123” as the gatekeepers to their personal information. Worse still are those that use the same password across all their devices and accounts.

I have a couple of customers like that. No matter how much I beg and plead with them to change from “87654321” (yeah, that’s going to be hard to figure out) or “123456”, they still fall back on the same easy-to-guess passwords. Or my next favourite – the customer who uses their kids’ names as their Wi-Fi network name and then uses the same names as their router and email password. No, using “karenmike2011” really isn’t a good deterrent to any moderately lazy hacker.

Here’s a case study for you: I have a customer, wonderful family, but they never remember their passwords. The husband is always changing them, in the vain belief that this will keep them secure. He dutifully writes the passwords all down and stores them … somewhere … somewhere safe … Last time I was there it took him over 30 minutes to figure out where he hid the list. HOWEVER … and you just knew there was more to this story, didn’t you … by the time he finds his list, I’ve already figured out what his passwords are.

Now, changing your passwords periodically is an excellent idea; I do that myself. But it’s futile if you rotate the same easy-to-guess passwords. I usually try their kids’ names and birthdays (written on their computer calendar). If that doesn’t work, I whip through the usual “pAssw0rd”, their street address, “43215678” etc. And yes, I really do figure them out before he has his “EUREKA” moment.

Given the explosion of excellent password keepers that you can install on your phone, tablet and PC and sync between them, there really is no excuse. But I’ve discovered lectures don’t do anything. I might as well write out what they need to do, roll the instructions up and smoke them for all the good it does. Some people either just don’t get the danger or they think they are bombproof.

And when I get that call I refrain from “I told you so” but honour the person with a knowing glare over the top of my glasses as we start the recovery process.

Here are some basic rules for password security:

  • Get an encrypted password keeper. I use Password Padlock and sync the list between my devices. It automatically backs up the list to an encrypted file on my cloud account (not stored on anyone’s server) and when I make a change, it notifies me on my other devices to download the updated list.
  • Make sure your password keeper has a feature that will create a completely random password for you. It should also be able to include special characters. We’re creatures of habit, which means when we create our own passwords, we tend to fall back on familiar names and numbers.
  • DON’T USE 123456 or PASSWORD as the access key to your new password keeper. Kind of defeats the purpose, don’t you think?
  • Change your passwords periodically. The most important ones are your email, online banking and anything that holds private information.
  • Don’t use the same password for your primary accounts. Don’t use your email password on your banking website. Pick unique passwords for each one. And don’t forget to change them periodically.
  • If you don’t want to use a password keeper, create a system to track your passwords. The advice “never write them down” may be good from a security point of view, but it is entirely impractical for the user. Who’s going to remember 60 or 70 passwords, especially if they are completely randomized? That advice is arrogantly dismissive of how difficult it is to remember passwords.
  • I have a customer who has the weirdest system I’ve ever seen. He writes his passwords down in a bizarre code that only he knows. Another one uses a password-protected spreadsheet so she has one master password to remember.
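Since the rules above call for a keeper that generates random passwords, here is an added example (my own code, not the post’s and not how Password Padlock works) of both halves of that advice in Python: a checker that flags the “usual suspects” named in this post, including leet-speak spellings like “pAssw0rd” and runs of sequential digits like “87654321”, and a generator that draws from the operating system’s cryptographic random source. The `COMMON` blocklist and the `personal` tuple (family names, birth years) are constructed for illustration.

```python
import secrets
import string

# Constructed blocklist built only from the weak passwords this post names (not a real breach list).
COMMON = {"password", "12345678", "abc123", "123456", "87654321",
          "monkeyboy", "iamagod!", "lovemachine"}

# Habitual "leet" substitutions; undoing them turns "pAssw0rd" and "l0Vemachine" back into plain words.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def has_sequential_digits(s: str, min_run: int = 4) -> bool:
    """True if s contains min_run or more digits that step up or down by one (12345678, 4321...)."""
    run = 1
    for a, b in zip(s, s[1:]):
        if a.isdigit() and b.isdigit() and abs(ord(b) - ord(a)) == 1:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def weak_reasons(password: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return why a password matches the 'usual suspects'; an empty list means nothing was flagged.
    `personal` is a caller-supplied tuple of kids' names, birth years, street names etc. (hypothetical)."""
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    reasons = []
    if lowered in COMMON or normalised in COMMON:
        reasons.append("on the common-password list (after undoing leet substitutions)")
    if has_sequential_digits(password):
        reasons.append("contains a run of sequential digits")
    for item in personal:
        if item.lower() in lowered or item.lower() in normalised:
            reasons.append(f"contains personal detail {item!r}")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, re-drawn until it holds upper, lower, digit and symbol."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in string.punctuation for c in candidate)):
            return candidate
```

Run `weak_reasons("karenmike2011", personal=("Karen", "Mike", "2011"))` to see the Wi-Fi-name password from above flagged three times; `weak_reasons(generate_password())` comes back empty.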

Take a few basic steps and protect your data. Take some time to plan out your password – don’t rush picking it. Figure out a system that works for you and stick to it.

… oh and “monkeyboy”, “IamaGOD!”, “l0Vemachine” and your pet’s name are not good choices … trust me on this.