5 common password sins that weaken security

Fraud detection and analytics CSC Blogs

There’s been a lot of talk recently about passwords, password strength and hacked password managers, and even the need to get rid of passwords altogether. While that may not be a bad idea, passwords are going to be with us for some time.

And for decades now, probably since the invention of the first computer password at MIT in the 1960s, these five password mistakes have been made, and it’s weakening everyone’s security.

1 Using the same password everywhere

Too many reused passwords at many sites has caused a problem with logons since long before the Internet, and back into the days of mainframe logins, local area networks and bulletin board systems. It’s evidence of our nature to ease onto the path of least resistance. And with passwords, that means selecting combinations that are easy to remember and type.

A few years ago, security firm Trusteer looked at login information on more than 4 million PCs, and it found that nearly three-quarters (73 percent) used the same password on other websites as they did for their bank.

Fix: Don’t do this: Create unique passwords for individual sites.

2 Using the same username everywhere

Same problem as with password reuse. People want to remember their username, so they use the same username everywhere. No good.

It’s also a problem to use usernames that are easy to guess, such as your name or primary email address. Your username and password combination is a lock, and your username is half of it, so obscure it.

Using the same username and password for multiple sites is clearly bad security hygiene. Especially considering that in breaches, attackers grab those usernames and passwords and slam them against other websites to see what works.

Fix: Mix up your username on different sites and pick ones that aren’t obvious.

3 Creating passwords that are too short

According to much of the research out there, most users create passwords that are six to eight characters long. A few years ago, Troy Hunt studied breached username and password combinations, including over 1,000,000 customer passwords that Sony stored in plaintext, and found that the rare password is less than five characters (bad length) and more than 10 characters (good length).

Fix: In passwords, longer means safer (shoot for 8 or more), so add those extra characters.

4 Not using enough different special characters

Hunt’s research also showed that users don’t use many different characters in their passwords. Most users choose just one character that isn’t a letter or a number. In fact only 4% had three or more different types of characters.

Fix: Use at least three different character types, including numbers, punctuation and symbols.

5: Choosing something that is about their lives

Always a horrendous idea, too many users will choose their name, their pet’s name, the company name, the town they grew up in or a mix of a few known names for a password. While this makes passwords much easier to remember, it also makes them much easier to guess and attack.

Fix: Choose passwords that have nothing to do with one’s name, family, work or life.

While the demise of the password has been predicted for decades now, and one day it’s likely to happen, that day isn’t coming soon. In the meantime we all need to learn how to properly manage this necessary security evil.

 

RELATED LINKS

25 worst passwords of 2015

LastPass mitigates phishing flaw in its password management software

Comments

  1. So how many websites does the average person have to log into? I’m thinking a couple of emails, 3 or 4 social networking, half dozen financial institution, half dozen health companies, and every store web site one shop at. I am guessing 50 to 100 web sites. That would be 50 to 100 user names and passwords to remember. It is easy to say use a unique one at each site. It is also insanity. It would be better to help people to develop a system. Which type of web site require a unique one. IE never use a social networking website id and password on a banking website.

    Like

Trackbacks

  1. […] you need a reminder on good password hygiene, be sure to see my post, 5 common password sins that weaken security. The basics are pretty simple: Keep a strong password, don’t share it with anyone and don’t […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: