Three golden rules for passwords - PRR Computers, LLC

by Matt Kelland
11 years ago

What effect would it have on you or your business if your password was compromised? Imagine hackers buying things with your credit card, poring through your personal emails, or poking around in your bank account. These days, computer password security is as important as making sure you keep your house or car locked.

Rule #1: keep your password private

This sounds obvious, but most breaches of computer security aren’t due to thieves or hackers. They’re most frequently carried out by friends, colleagues, or family who are abusing the trust put in them. Ex-spouses and former employees may have access to all sorts of accounts, particularly if they’re online services like Google or your bank.

Avoid giving your password to anyone if at all possible – not even people you trust. If you do have to give your password out – for example if you’re out of the office and a colleague needs access to something – then change it as soon as possible afterwards.

Many places recommend having different passwords for every account. This is good practice from the security point of view, but it does make it hard to remember them all. This often means writing them down, which is vulnerable. If you must write your passwords down, keep them in a safe place – not in a file called passwords or on a Post-It in your desk. Modify them slightly so even if someone does find your password file, it won’t help them. For example, add a couple of numbers on the end and switch the first letter from lower case to upper case (or vice versa), so goosefeather5 becomes Goosefeather599. You’ll know what you did, but nobody else will.

Rule #2: don’t make it easy for a human to guess

Analysis of typical passwords shows that too many people use very common passwords that are easy to guess. The top five passwords are:

  • password (or password1)
  • abc123
  • 123456 (or 12345678)
  • 999999
  • private

Other very common passwords include

  • ilovemydog
  • letmein
  • drowssap
  • trustno1
  • qwerty

As we said above, most security breaches are committed by people you know, and they can use that knowledge to figure out what you might have used. Avoid using personal information such as:

  • your own name
  • your initials
  • your nickname
  • your business name
  • your login
  • your star sign
  • your date or place of birth
  • your pet’s name, child’s name, spouse’s name, or maiden name
  • your favorite place, band, movie, or fictional character
  • your phone number, social security number or address
  • the name of the site or service (when LinkedIn’s password list was stolen in 2012, analysts discovered that the most common password was linkedin!)
  • your catchphrase
  • any of the above with -99 or -123 on the end

If you use any of those – change your password right now!

Rule #3: the longer, the better

Modern password cracking tools can check two billion passwords a second. A five-letter password has ten billion combinations, so it can be cracked in under five seconds, no matter what it is. A six-letter password is much better – it has 1 trillion combinations – but it can still be cracked in under ten minutes. A seven letter password can be cracked by a persistent intruder in about thirteen hours using easily available tools.

Eight letters is the absolute minimum required to be safe – it’ll take about 57 days to break it. If you’ve got ten or more letters in your password, that’s even better.


Leave a Reply

Your email address will not be published. Required fields are marked *