INetU Managed Hosting

Stop Using Insecure Passwords Now!

January 13th, 2010 by Jeff P.

Here are some disturbing statistics:

  • A recent Hotmail security breach revealed that an overwhelming number of users are using predictable, insecure passwords:
    • 61% of passwords were either only lowercase letters or all digits (examples: iloveyou or 123456).
    • 20% of passwords were six or fewer characters.
  • An estimated 1 in 9 people use one of the Top 500 passwords posted on WhatsMyPass.com.
    • 1 in 50 people are estimated to use one of the Top 20 passwords, among which are password, 123456, and qwerty.
    • Many of the Top 500 passwords are simple dictionary words, curse words, or common first names.
  • 60% of web users only have one password that they use for all of their online accounts, including Facebook, PayPal, email, and banks, according to a recent study.

A typical strong password guide looks a little something like this:

  • At least 8 characters long
  • At least three of the following:
    • lower case letter
    • capital letter
    • numeral
    • special character

But this really seems to miss the point. For example, go to Microsoft’s password checker and type in this password: qwerty123456! The checker rates this password’s strength as “Best.” But is it really? Looking at this password, it has some predictable qualities:

  • qwerty and 123456 are among the Top 20 passwords, and are easily guessed strings on the keyboard.
  • A punctuation mark at the end of a password is an easy-to-guess way to add a special character to your password.
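As an added example (not code from the original post, and not Microsoft’s checker), the following puts the two rules side by side: the naive “at least 8 characters, three of four classes” test the post quotes, and a pattern check that flags the predictable qualities listed above. The Top-20 strings and keyboard rows are a constructed short list, not the WhatsMyPass data.

```python
import re
import string

# Constructed sample lists: the three Top-20 strings the post names and the
# physical keyboard rows; a real checker would load a much larger blocklist.
COMMON_STRINGS = ("password", "123456", "qwerty")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def meets_naive_policy(pw):
    """The typical guide from the post: 8+ characters and 3 of the 4 classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3

def keyboard_runs(pw, min_len=4):
    """Maximal substrings of pw that walk along a keyboard row in either direction."""
    low = pw.lower()
    found = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for start in range(len(seq) - min_len + 1):
                for end in range(start + min_len, len(seq) + 1):
                    if seq[start:end] in low:
                        found.add(seq[start:end])
    # drop runs that are contained in a longer run already found
    return sorted(r for r in found if not any(r != o and r in o for o in found))

def predictable_patterns(pw):
    """The qualities the post calls predictable, returned as a list of findings."""
    low = pw.lower()
    issues = [f"contains Top-20 string '{s}'" for s in COMMON_STRINGS if s in low]
    issues += [f"keyboard run '{r}'" for r in keyboard_runs(pw)]
    punct = [c in string.punctuation for c in pw]
    if punct and punct[-1] and not any(punct[:-1]):
        issues.append("only special character is a trailing punctuation mark")
    if re.search(r"(.)\1\1", pw):
        issues.append("triple repeated character")
    return issues

def is_strong(pw):
    """Strong only if it passes the naive policy AND shows no predictable pattern."""
    return meets_naive_policy(pw) and not predictable_patterns(pw)
```

Run against the post’s two passwords, qwerty123456! passes the naive policy but fails the pattern check, while m1stCwa77d4$p passes both.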

Other password guides caution against words found in a dictionary, pet names, birthdates, and “l33t” versions of any of these. They might also advise against using multiple double characters, or any triple character strings. Of course, they also suggest a new password for each and every account.

It’s no wonder that people use insecure passwords! The guidelines are unclear, confusing, leave room for insecure passwords, and seem to force everyone to remember 10-50 random strings of characters, depending on how active they are on the Internet.

Security experts are well aware of the problem described above. Many of them have proposed solutions, to varying degrees of criticism.

Carry your passwords in your wallet

Security luminary Bruce Schneier still catches some criticism for his support of the practice of writing down passwords and keeping them with you. The argument against it goes something like this:

Storing a single list of plaintext passwords is already a terrible security practice. We admonish people who keep a folder in their email with all of the passwords that have been emailed to them because it makes a hacker’s life easier. Keeping your passwords in your wallet is even worse because your wallet isn’t even password protected. Lose your wallet and kiss your passwords and identity goodbye.

While this argument isn’t without its merits, consider that there’s a difference between perfect security and reasonable security. You carry your credit card number in your wallet, and passwords require comparable security, so why not? Just as you’d cancel your credit card if you lost your wallet, you’d reset your passwords.

Password management software

There are a few options to choose from, but they all work something like this:

  • All of your passwords are stored in a file encrypted with a strong encryption algorithm. They can only be accessed with your master password. If someone got hold of this file, they couldn’t retrieve the passwords from it without knowing your master password.
  • You have to remember just one very secure password. Follow a secure password guideline and then commit that password to memory.
  • Once inside, the program can generate secure passwords for you to use. When you sign up for something, request a password from your password management software and then save it.
  • To retrieve any of your passwords, login to your management software to decrypt your passwords and then just copy/paste the appropriate password.

This method is highly effective, but also not without its faults. There’s a non-negligible chance of losing all of your passwords this way: forgetting your single password to the software, file deletion or corruption, etc. Of course, in this case you can just reset all of your passwords, but many people are less likely to lose their wallet than to accidentally delete a single file on their computer.

Furthermore, the additional steps that password management software creates for the user make this nearly as impractical as trying to just remember random strings. Most unsophisticated users will find it too difficult and cumbersome.

Memorable secure passwords

The ideal secure password is easy to derive, easy to remember, and appears complex or random to anyone other than the person who created it. A common method to achieve this works like this:

  1. Come up with a key phrase that is easy for you to remember, but decently hard to guess. For this example, let’s use: My first car was a ’77 Dodge Aspen.
  2. Shorten this phrase by shortening the words or just taking the first couple of letters from each word: m1stcwa77dasp
  3. Add complexity by replacing letters with symbols and adding capitalization: m1stCwa77d4$p

More details can be found on Microsoft’s security site: Create Strong Passwords.

Remembering these passwords is easier than you might expect, because as you type them you’ll generally say the pass phrase to yourself.

There are a couple of criticisms of this method. For one, uninspired pass phrases or unimaginative encoding can lead to easily guessed passwords, or passwords without much complexity. Secondly, while it may be possible to derive and remember a fair number of these kinds of passwords, eventually you will have a hard time remembering which pass phrase goes with which account.

Remember fewer passwords

The reason that security experts recommend a different password for every service you use is that security is only as strong as the weakest link. Let’s pretend, for example, that you sign up for a service or forum using your email address and single password. This service stores your email as plaintext in its database and gets hacked. Or worse, the service is put online by a hacker to deliberately farm passwords. The hacker now has your email address and single password, which is also the password to your email account. From there, the possibilities are nearly endless. This all happens without you ever learning that someone now knows your password.

While the above scenario does seem to make a strong case for using a different password each and every time, there may be an easier solution. Consider creating security zones for your online accounts. For example:

  • High security: Financial services sites, your primary email account, and similar.
  • Medium security: Online services with privately-kept information, such as Facebook or MySpace.
  • Low security: Online services with publicly accessible information, or subscription sites that don’t store your personal information, such as news sites and forums.

Assign a single password to each level of security. Of course, if you learn that a password has been compromised, change it for everything that shares that password. The thinking behind this is that if any single site in a zone is hacked, it’s no more devastating than if all the sites in that zone are hacked. You can have more zones than this, of course. Some might argue that everything in the “high security” level should have its own password.

Conclusion

If security isn’t easy to use or easy to remember, it’s not really secure. Frustrated, annoyed, or just plain lazy users will commit the least effort possible to following security guidelines. A strong password policy tempts users to write their passwords on sticky notes on their monitors. At places of business where this is discouraged, those notes are just moved to the inside of a desk drawer.

Writing down passwords and keeping them somewhere safe (like a wallet) isn’t a terrible solution. Password management tools can work well for the right users. Knowing how to create memorable secure passwords and finding a way to reduce the number you need is a solution that can be adopted by nearly all web users.
