Yet another study confirms what everyone already knows: users don't willingly choose secure passwords. In this most recent study, inTechnology.com reported the following as the ten most common passwords:
1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. link182
10. (your first name)
While most of these were familiar to me, I must give credit to the creator of “let me in” – the Fort Knox of passwords.
Perhaps this most recent demonstration of the inadequacies of passwords should prompt every company to conduct additional training for their personnel or, at minimum, distribute a memo explaining the importance of using more secure passwords and also provide some specific tips to assist personnel in creating better passwords.
The primary problem presented by requiring secure passwords is that they are generally hard to remember, meaning that if they are used, one of two things will happen: either the user will write a copy of the password down in an unsecure place or, if they remember the password long enough to log in, they will keep their workstations logged on at all times.
As mentioned above, teaching employees some of the tricks used to create secure passwords is highly recommended (e.g., using a one sentence passphrase as the basis for the password and then using the first letter of each word in the sentence to create the actual password, alternating capitals, alternating a known number sequence with the letters of the password, etc.). Another approach is institute two factor authentication (e.g., password and USB token). A third approach is to transition authentication to biometrics. While biometrics and two factor authentication are certainly gaining ground, it will be a very long time before they achieve general use (at least outside the financial services and healthcare industries). This means that for the foreseeable future, strong passwords are going to be our frontline of defense for authentication. It falls on all of us, the security professionals, to continue to make every effort to ensure our personnel are using the strongest passwords possible.
Just remember, “Klaatu barada nikto,” is mine and no one else can use it. The first person who can e-mail me the meaning of the foregoing phrase will receive a prize of inestimable value: a free subscription to my free monthly e-letter “Tech-Law Update.”
