The Most Unsafe Password Choices of 2011
Passwords remain one of the best ways to secure accounts and computers. Unfortunately, many people make terrible password choices.
Update on 1/16/13: A new list of the worst password choices is out! Read our article on the top 10 worst computer passwords in 2012 to find out what they are (and don't use them!).
Let's be brutally, painfully honest: Americans don't do a very good job when it comes to creating security passwords. Don't try to deny it -- the facts prevent any argument on this matter. Our nation's most common password is password1, and has been for years.
Sophisticated password-cracking software programs run possible password combinations through multiple dictionaries, different languages, and even Wikipedia in the time it takes you to finish a cup of coffee. Before it hits the dictionary, however, any half-decent password cracker or invasive malware program runs through a list of commonly used passwords. And guess what? That list remains embarrassingly consistent.
Every year computer watchdogs publish "Worst Passwords of the Year" lists, and every year the same sad, overused passwords crop up. Popular choices include:
If you use any of these passwords, don't waste time defending your actions. Don't hang your head in shame. Get to your account right now and change the password to something -- anything -- that isn't on this list. We'll still be here when you get back.
Popular wisdom recommends strengthening a password by adding numbers to it. While it's true a mix of letters and numbers provides greater security than letters alone, how we add numbers often defeats the purpose.
Look at the subheading for this section. Did you have any trouble reading it? Probably not, and neither would password-cracking software. People substitute numbers for letters in a predictable fashion: I and l become 1, S becomes 5, E turns into 3, and of course, o becomes 0. Children's activity books contain more complicated puzzle codes.
The practice of substituting numbers for letters in a password is so common that many password-cracking tools hunt for numerical alterations before they even start a dictionary check.
People sometimes add their birth year to the end of a password. On the surface, this seems reasonable: You've added numbers to your password, and you're unlikely to forget your date of birth.
Trouble is, you haven't added any real security. Once cracking software realizes that the first two digits are 19, it becomes obvious the last four spaces of your password are a year. Including any personal information in a password only increases your vulnerability to identity theft.
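The two habits described above (predictable digit-for-letter swaps and a trailing year) can be caught when a password is set. The following is an added example, not part of the original article: a check that undoes both habits before comparing against a deny list. The function names and the small deny list are constructed for illustration, and matching years that start with 20 is an added assumption beyond the article's "19".

```python
import re
from itertools import product

# Constructed sample deny list: passwords this article names, plus two
# ordinary words standing in for a real common-password dictionary.
COMMON = {"password", "password1", "12345", "qwerty", "sunshine", "liberty"}

# The swaps the article lists: 1 -> i or l, 5 -> s, 3 -> e, 0 -> o.
LEET = {"1": "il", "5": "s", "3": "e", "0": "o"}

# A four-digit year at the end of the password (19xx per the article;
# 20xx is an added assumption).
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")


def deleet(word):
    """Return every reading of word with the listed digits mapped back to letters."""
    if word.count("1") > 10:  # "1" is ambiguous (i or l); keep the expansion bounded
        return set()
    return {"".join(p) for p in product(*(LEET.get(c, c) for c in word))}


def weak_reason(password):
    """Return why the password is weak, or None if no rule here matches."""
    pw = password.lower()
    if pw in COMMON:
        return "common password"
    stems = [(pw, "")]
    match = YEAR_SUFFIX.search(pw)
    if match:
        # Also test what is left once the year is removed.
        stems.append((pw[:match.start()], " + year suffix"))
    for stem, note in stems:
        if stem in COMMON:
            return "common password" + note
        if deleet(stem) & COMMON:
            return "digit-for-letter variant of a common password" + note
    return None


if __name__ == "__main__":
    for candidate in ["password1", "Pa55w0rd", "qwerty1987",
                      "5un5h1ne1975", "mCt0t^s1O1^0tis"]:
        print(f"{candidate!r}: {weak_reason(candidate)}")
```

A result of None only means none of these rules matched; it is not a measure of strength.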
Adding numbers to a password does increase security, as long as the numbers appear random. Adding symbols, uppercase letters, spaces, and grammar also strengthens passwords.
Your password should make sense to you, but appear random to others. One option is to start with a favorite song or movie quote. For instance, take this line from "America": "My country 'tis of thee, sweet land of liberty. Of thee I sing."
Take the first letter from each word in the line and you have mctotslolotis. By itself, that's a strong password: it's over 12 characters long, easy to remember if you know the song, and apparently random. To make it stronger, substitute some numbers, symbols, and uppercase letters. You might wind up with something like: mCt0t^s1O1^0tis.
Over time, a password cracker could still decipher this apparent gibberish, but like many criminals, hackers and software viruses prefer soft targets. With so many 12345 and qwerty passwords out there, why spend time hacking a complex password?
Ideally, you need a separate password for every online account. In practice, few of us possess the memory to remember more than a couple of complex passwords. Encrypted password management software remembers your passwords for you. Just make sure that you choose a reputable, well-written program.