Passwords – Worst Practices
A recent report analyzing 32 million passwords found that 5 of the top 10 passwords were sequences of numbers from 1 to 9 (i.e., “123456”, “12345”, “123456789”, etc.). Furthermore, studies have shown that nearly half of all passwords are rated “weak” or “trivial” by most password systems (in other words, easy to guess or crack). Since many people use the same password for everything (email, subscriptions, banking, bills, etc.), a single guessed password can expose all of those accounts, so the key point here is to make sure your passwords are as strong as possible, to protect your data.
Among the interesting recommendations from the report:
- Passwords should contain at least eight characters. While this seems like a no-brainer, the analysis of the 32 million passwords showed that 50% were seven characters or fewer, and 30% were six characters or fewer! Shorter passwords are much easier to crack: computers are now fast enough that a hacker could “brute force” a short password, trying every possible combination, in just a few minutes.
- Passwords should not be a name, a slang word, or any word in the dictionary, and should not include any part of your name or your e-mail address. This is a variation on the point above: every word in the dictionary fits into a relatively small file that a hacker can run against your password. These “dictionary attacks” are the first thing a cracker tries. And while combining two words into one password is a good start, the hacker dictionaries have already taken that into account, literally including all word combinations in the English language up to fourteen characters!
- Passwords should contain a mix of four different character types: upper case letters, lower case letters, numbers, and special characters (symbols or punctuation). This is the best advice I can give: any password that looks like gibberish will be nearly impossible to crack. And just like locking your car or setting your house alarm, you want your password to be enough of a deterrent that cracking it would take too long for a hacker to bother. Think about it: if a hacker used just a list of the top passwords, they could compromise 1000 user accounts in only 17 minutes! So don’t be the “low hanging fruit” by choosing a simple password.
- If there is only one letter or special character, it should not be the first or last character in the password. This is more of a “human” tendency than a computer one: studies have shown that when people include a special character, they usually put it either first or last. It’s just a tendency, but recent password-cracking programs take it into account. So if you just mix it up a bit, it’ll take longer to crack your password… if ever!!
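As an added illustration that is not part of the original post, here is a small Python checker that applies the four recommendations above to a candidate password and estimates how long an exhaustive search of its keyspace would take. The word lists, the sample name and e-mail address, and the one-billion-guesses-per-second rate are constructed assumptions for the example.

```python
import string

# Constructed stand-ins for the word lists cracking tools carry; real lists hold
# every dictionary word, the most common passwords and word pairs up to 14 characters.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}
TOP_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou", "qwerty"}
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(string.punctuation)}

def character_classes(pw):
    """Set of the four character types present in pw: upper, lower, digit, symbol."""
    tests = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
             "symbol": lambda ch: not ch.isalnum()}
    return {kind for ch in pw for kind, test in tests.items() if test(ch)}

def check_password(pw, name="", email=""):
    """Return the post's recommendations that pw violates; an empty list means it passes."""
    problems, lower = [], pw.lower()
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if lower in TOP_PASSWORDS or lower in COMMON_WORDS:
        problems.append("common password or dictionary word")
    elif any(lower.startswith(w) and lower[len(w):] in COMMON_WORDS for w in COMMON_WORDS):
        problems.append("two dictionary words combined")
    # no part of the name (three or more letters) or the e-mail local part may appear
    parts = name.lower().split() + [email.lower().split("@")[0]]
    if any(len(p) >= 3 and p in lower for p in parts):
        problems.append("contains part of your name or e-mail address")
    if len(character_classes(pw)) < 4:
        problems.append("does not mix all four character types")
    # a lone letter or lone symbol placed first or last is exactly where crackers try it
    letters = [i for i, ch in enumerate(pw) if ch.isalpha()]
    symbols = [i for i, ch in enumerate(pw) if not ch.isalnum()]
    for positions in (letters, symbols):
        if len(positions) == 1 and positions[0] in (0, len(pw) - 1):
            problems.append("only letter or symbol is first or last")
    return problems

def brute_force_seconds(pw, guesses_per_second=1e9):
    """Worst-case seconds to exhaust the keyspace implied by pw's length and character mix."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return alphabet ** len(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ["123456", "passwordmonkey", "!abcdefg", "Jsmith#2024!", "Tr!x9wQ#"]:
        problems = check_password(pw, name="John Smith", email="jsmith@example.com")
        print(f"{pw!r}: {problems or 'OK'} (brute force: {brute_force_seconds(pw):.3g} s)")
```

The keyspace estimate is an upper bound on guesses for a random password; a password built from words or a known pattern falls to a dictionary or rule-based attack far sooner than the number suggests.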
There are more recommendations in this report (plus my own personal advice), which will come in a future post. In the meantime, go change your passwords!!!
Ah, this is great! Clears up many misnomers I’ve seen.
After reading your site, your site is very useful for me. I bookmarked your site!