Passwords A - 9
Forbidden Passwords, Weak Passwords and Strong Passwords
by Damien Andrews
Like locks on a house, passwords protect our valuables. Passwords protect our bank accounts, our credit card information, our personal correspondence – our very identities. And just like locks for a house, there are weak passwords, strong passwords and passwords that should simply never be used to protect our possessions.
There are passwords that are used, and then hacked, so often that they should never be used. Lists of commonly used passwords are available on the internet in various places. The most complete list I know of was recently taken from the Twitter code and published on the internet in several places. The list has 370 passwords that should never be used. In fact, Twitter will not allow users to employ these passwords. You can get the list at http://www.neowin.net/images/uploaded/Twitter_list.txt. A random sampling of the passwords on the list includes: 112233, amateur, andrea, asdfgh, hockey, peaches, password, secret, scorpion, turtle, winner and zzzzzz.
There are basically three ways that hackers break passwords. 1) Non-random guessing: the attacker uses known information about the user, such as a name or birthday. 2) Automated character combination generators: a program generates lists of character combinations and tries each one. 3) Dictionary-based attacks: a program tries every word in the dictionary. Now that we know how passwords get hacked, we can quickly eliminate an entire range of passwords that we might otherwise use.
The list of passwords that you should not use would include: any word in a dictionary; your name; your wife's name; your dog's name; your birthday; the name of the company you work for; your alma mater; your street address, and so on. Don't use any passwords that can be linked to you by someone who is trying to hack your passwords using Non-random Guessing or a Dictionary-Based attack. Also, don't use any of the above types of passwords backwards, or by adding a couple of characters before or after the password. Hackers are really good at what they do, and they will break through that sort of password protection. In other words, using aardvark23 as a password is no better than using aardvark as a password.
By following the rules in the last paragraph, you will avoid having your passwords hacked by two of the methods used. Now all you have to cope with is attacks based on Automated Character Combination Generators. These generators, while random, are also very methodical and thorough. Because a computer program is running the generator, it will try countless passwords very quickly. The generator might start trying passwords like this: 1 then 11 then 111 then 1a then 11a then 111a and so on – always adding characters, deleting tried characters and attacking again.
How to make a strong password
Making a strong, safe password is really pretty easy. Here are the rules: 1) The longer a password is, the better. 2) Don't repeat passwords or portions of passwords. 3) Use symbols, upper and lowercase letters and numbers in every password.
A strong password is: X&mq5#[9%\. Now that I've used that password, I would not use the password X&mqf4]g^/ because it contains the first four characters of my last password.
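As an added example, not part of the original article, here is a small Python policy check that applies the rules above: it rejects forbidden, dictionary and personal words (including reversed or padded variants such as aardvark23), enforces length and character classes, and refuses a password that repeats a previous one or its first four characters. The word lists, the ten-character minimum and the four-character reuse limit are constructed assumptions for the example.

```python
from typing import List

# Constructed sample of the forbidden list the article links to; the real
# list has 370 entries and a real checker would load the full file.
FORBIDDEN = {"112233", "amateur", "andrea", "asdfgh", "hockey", "peaches",
             "password", "secret", "scorpion", "turtle", "winner", "zzzzzz"}
# Constructed stand-ins for "any word in a dictionary" and for personal
# details (name, pet, birthday, employer) that the article says to avoid.
DICTIONARY = {"aardvark", "hello", "summer"}
PERSONAL = {"damien", "fido", "19800101", "acme"}

MIN_LENGTH = 10          # assumed threshold; the article only says "longer is better"
SHARED_PREFIX_LIMIT = 4  # the article rejects reusing the first four characters


def _core(candidate: str) -> str:
    """Drop a few leading/trailing digits or symbols so 'aardvark23' and
    '23aardvark' are judged as the word 'aardvark'."""
    return candidate.strip("0123456789!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~").lower()


def check_password(candidate: str, previous: List[str]) -> List[str]:
    """Return the rule violations found; an empty list means acceptable."""
    problems = []
    guessable = FORBIDDEN | DICTIONARY | PERSONAL
    core = _core(candidate)
    # Never use a guessable word, even reversed or padded with extra characters.
    if candidate.lower() in guessable or core in guessable or core[::-1] in guessable:
        problems.append("guessable word (forbidden list, dictionary or personal detail)")
    # Rule 1: the longer the better.
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Rule 3: lowercase, uppercase, digits and symbols in every password.
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if not all(classes):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    # Rule 2: do not repeat a previous password or a portion of it.
    for old in previous:
        if candidate == old or candidate[:SHARED_PREFIX_LIMIT] == old[:SHARED_PREFIX_LIMIT]:
            problems.append("repeats a previous password or its first characters")
            break
    return problems
```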
If the thought of managing and retyping safe, strong passwords intimidates you – it should. But wait! There's an easy solution to this dilemma – and it's free. The program Roboform is free to download and use for up to 7 password-protected accounts. You just download and install Roboform and then sign in to an account once. Roboform stores the information – very securely – and then all you have to do to sign in again is click the correct Roboform link name, which you get to choose. Roboform will also generate exceptionally strong passwords for you, fill out online forms and much more. It is one of my favorite programs. Get the free version at RoboForm.com.