I noticed recently that a password list I posted to my web site several years ago is still visited frequently. Curious, I Googled "password list" to see what other lists I might find. Not surprisingly, Google returned nearly 2 million search engine hits. Push past the trivial "Top 10" lists that are designed purely to improve a Digg ranking and you'll find some longer, interesting ones such as Top 500 Worst Passwords of All Time.
Study the 500 passwords listed carefully and you will see how laziness, brain freeze, and flawed thinking dominate password composition:
- Nearly all of the passwords are shorter than 7 characters.
- Most of the passwords are single English words or given names.
- Many of the passwords are or include a profanity.
- Many of the passwords are key sequences from a row on a QWERTY keyboard.
- None of the passwords use a capital letter.
- None of the passwords use a special character (!@#$%^&*).
Think about this for a minute. By altering just one of the above behaviors, you are assured that your password is not among the 500 worst ever. Herein lies the irony: weakly composed passwords are largely the result of users who don't think for even 15 seconds about the composition of a password.
The comments I typically hear when I ask folks how they compose passwords include "If I make it complicated I won't remember it", "My brain freezes when I'm asked to compose a password", and from the MySpace generation, "Who ^%!ing cares?" (this is no doubt the user demographic where most of the passwords containing profanities and most frequent use of the notorious 123456 password are to be found).
It's possible to make a password easy to remember without making it complicated. Instead of using a single word, use two or more words, a phrase, or a quotation. Capitalize each word (this isn't really disclosing that much helpful information to an attacker and certainly not enough to speed up a password cracker program). In between the words, use a special character: even if you use the same one to help you remember, your password will be more strongly composed. What you'll end up with may look something like this:
- My!Dog!Has!Fleas
- Your*Password*Is*Strong
- Black$Jelly$Beans
To completely master password composition, add an Arabic number. To make it memorable, substitute the number where you'd include a word:
- I!Want!1!More!Cookie
- 3@Musketeers@Bar
- Camels#Have#2#Humps
All six of these passwords satisfy the "Best" rating at the Microsoft Online Safety page's Password Checker. None took me more than 20 seconds to compose. Note that I used the same special character (surely you have a favorite special character!). This isn't that hard, folks...
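As an added example (not part of the original post), the checker below tests a candidate password for the weak-composition traits listed above and builds a passphrase the way the post recommends. The single-word test is an approximation (all letters, no separators) and the profanity trait is not checked, since no word list is bundled; the sample strings are constructed.

```python
"""Added example: flag the weak-composition traits from the post and
build a passphrase the way the post recommends."""

# Rows of a QWERTY keyboard. A password that is one contiguous run along a
# row (in either direction) is the "key sequence" trait described above.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
SPECIALS = set("!@#$%^&*")  # the special characters the post lists


def is_keyboard_sequence(pw: str, min_run: int = 4) -> bool:
    """True if pw (case-insensitive) is a contiguous run along a single keyboard row."""
    s = pw.lower()
    if len(s) < min_run:
        return False
    return any(s in row or s in row[::-1] for row in QWERTY_ROWS)


def weak_traits(pw: str) -> list[str]:
    """Return the weak-composition traits the password exhibits; an empty list means none.
    "single word or name" is approximated as all letters with no separators (no dictionary
    is bundled), and the profanity trait is not checked here."""
    traits = []
    if len(pw) < 7:
        traits.append("shorter than 7 characters")
    if pw.isalpha() and (pw.islower() or pw.istitle()):
        traits.append("single word or name")
    if is_keyboard_sequence(pw):
        traits.append("keyboard row sequence")
    if not any(c.isupper() for c in pw):
        traits.append("no capital letter")
    if not SPECIALS.intersection(pw):
        traits.append("no special character")
    return traits


def compose_passphrase(words, sep="!", number=None, position=None) -> str:
    """Capitalize each word, join with one special character, and optionally
    insert a number at a word position (appended if position is None)."""
    parts = [w.capitalize() for w in words]
    if number is not None:
        parts.insert(len(parts) if position is None else position, str(number))
    return sep.join(parts)


if __name__ == "__main__":
    # Constructed samples: two weak strings and two passphrases in the post's style.
    for candidate in ("123456", "qwerty", "My!Dog!Has!Fleas",
                      compose_passphrase(["camels", "have", "humps"], "#", 2, 2)):
        print(f"{candidate:24} -> {weak_traits(candidate) or 'no weak traits'}")
```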
Excellent, Scott! Hope folks will watch this. The part where Beyonce raps how to create a password with Unicode encoded characters is spectacular!
Posted by: The Security Skeptic | Thursday, 17 December 2009 at 01:33 PM
Hope you'll forgive me for plugging the movie I made on this topic in 2007. Even a simple phrase such as "The Force Is Strong with This One" is very difficult to crack, as we learn with Bud:
http://www.youtube.com/watch?v=0QzhkOkvKnM
Posted by: Scott Pinzon | Thursday, 17 December 2009 at 12:29 PM