Saturday, November 26, 2011

25 "Worst Passwords" of 2011

If you see your password below, STOP!
Do not finish reading this post and immediately go change your password -- before you forget. You will probably make changes in several places since.....................

Here is the list compiled by SplashData (http://www.splashdata.com/):
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
Source: http://finance.yahoo.com/news/25-worst-passwords-2011-revealed-202955980.html
MIAOULIS NOTES: Passwords are one of the two most critical access controls that users must understand in order to help their organizations protect information such as ePHI (logging off is the other).

Many organizations have decided (on the advice of statisticians) that, to prevent passwords like the ones above, you should change your password every 60-90 days, use a different password for every system you access, use a length between 8 and 12 characters, not reuse previous passwords (a history of 10 is a common number), and include caps, numbers and special characters, all to force users toward stronger passwords.  The problem is that users often pick passwords such as their last name plus "#1".  If my password were Miaoulis#1 and I am forced to change it after 60 days, many users simply change the last character: Miaoulis#2.  This of course defeats the controls that security administrators are trying to implement.  Some systems therefore require that more than a certain number of characters change between the old password and the new one.

Although these technical measures help, it is TRAINING that changes human behavior.  HIPAA requires training on passwords, but are employees trained on how to select a good password, or only on what NOT to do?
------------------------------------------------------------------------
MIAOULIS NOTE: ONE TECHNIQUE FOR SELECTING A PASSWORD:
There are many ways to select good passwords.  One technique that I have used is to take a sentence, use the first letter of each word, and then add a special character and a number.

Bill loves to play golf every day
becomes BLTPGED#4
There are other techniques, such as combining words or deliberately misspelling words, used in combination with the rules above.
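As an added example (not code from the original post), here is the sentence-initials technique as a function, together with the check the notes above call for: that a changed password is not a trivial variation of the old one (Miaoulis#1 to Miaoulis#2) and is not in the recent history. The threshold of three changed characters and the exact complexity rule set are assumptions chosen for illustration.

```python
# Added example, not code from the original post: the sentence-initials
# technique as a function, plus the "did the user really change it?" check
# that the policy discussion above describes. Threshold values are assumptions.
import re
import string


def initials_password(sentence: str, symbol: str = "#", number: int = 4) -> str:
    """Build a password from the first letter of each word (upper-cased),
    followed by a special character and a number, e.g.
    "Bill loves to play golf every day" -> "BLTPGED#4"."""
    words = re.findall(r"[A-Za-z]+", sentence)
    if not words:
        raise ValueError("sentence must contain at least one word")
    return "".join(w[0].upper() for w in words) + symbol + str(number)


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Length plus the caps / number / special-character rules from the post."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def changed_character_count(old: str, new: str) -> int:
    """Levenshtein distance: the number of single-character substitutions,
    insertions or deletions needed to turn `old` into `new`. Changing only
    the trailing digit (Miaoulis#1 -> Miaoulis#2) counts as one change."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1,              # delete a
                           cur[j - 1] + 1,           # insert b
                           prev[j - 1] + (a != b)))  # substitute a -> b
        prev = cur
    return prev[-1]


def is_acceptable_change(old: str, new: str, history=(), min_changed: int = 3):
    """Decide whether `new` may replace `old`. Returns (accepted, reason).
    `history` holds earlier passwords that must not be reused; comparisons
    are case-insensitive so Miaoulis#1 -> miaoulis#2 is still rejected."""
    if new.lower() in {p.lower() for p in (old, *history)}:
        return False, "password was used before"
    if not meets_complexity(new):
        return False, "does not meet length/complexity rules"
    if changed_character_count(old.lower(), new.lower()) < min_changed:
        return False, f"fewer than {min_changed} characters changed"
    return True, "ok"


if __name__ == "__main__":
    pw = initials_password("Bill loves to play golf every day")
    print(pw, is_acceptable_change("Miaoulis#1", pw))
    print(is_acceptable_change("Miaoulis#1", "Miaoulis#2"))
```

The edit-distance check is what makes "change more than N characters" enforceable: a simple character-by-character comparison would be fooled by inserting one character at the front, whereas Levenshtein distance counts that as a single change too.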
------------------------------------
Microsoft offers these hints on selecting a strong password:

http://www.microsoft.com/security/online-privacy/passwords-create.aspx
Create strong passwords:
A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:

Length. Make your passwords long with eight or more characters.

Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."

Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.

Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.
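An added example that is not from the post or from Microsoft's page: a check that undoes the common letter-to-symbol conversions the Microsoft text mentions and then compares the result against the 25 passwords listed at the top of the post, so that Passw0rd, Dr@gon1! and Letme1n are all caught. The substitution table and the stripping of leading/trailing digits and punctuation are my assumptions about what cracking tools commonly try.

```python
# Added example, not code from the original post or Microsoft's page: check a
# candidate password against the 25 "worst passwords" above after undoing the
# common letter-to-symbol conversions that cracking tools try. The
# substitution table is an assumption about the usual conversions.
import string

WORST_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Word-level conversions the Microsoft text mentions, then single-character
# "leet" swaps (assumed table); all are undone before comparing.
WORD_SUBS = {"&": "and", "2": "to"}
CHAR_SUBS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
             "@": "a", "$": "s", "!": "i", "|": "l"}


def normalize(password: str) -> str:
    """Lower-case and undo symbol/number substitutions so that variants such
    as Passw0rd, P@ssword and passw0rd all map to "password"."""
    s = password.lower()
    for sym, word in WORD_SUBS.items():
        s = s.replace(sym, word)
    return "".join(CHAR_SUBS.get(c, c) for c in s)


# The list is normalized the same way, so "passw0rd" and "password" collapse.
_NORMALIZED_WORST = {normalize(p) for p in WORST_2011}


def matches_worst_list(password: str) -> bool:
    """True if the password, or the password with leading/trailing digits and
    punctuation stripped (Dragon1!, !monkey), is one of the 25 once normalized."""
    lowered = password.lower()
    candidates = {
        normalize(lowered),
        normalize(lowered.strip(string.digits + string.punctuation)),
    }
    candidates.discard("")
    return bool(candidates & _NORMALIZED_WORST)


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, other) appear;
    a larger number means the "use the entire keyboard" advice was followed."""
    classes = [str.islower, str.isupper, str.isdigit,
               lambda c: not c.isalnum()]
    return sum(any(test(c) for c in password) for test in classes)


if __name__ == "__main__":
    for candidate in ["Passw0rd", "Dr@gon1!", "Letme1n", "BLTPGED#4"]:
        print(candidate, matches_worst_list(candidate), character_classes(candidate))
```

Normalizing both the candidate and the blocklist with the same function is the important design point: a blocklist compared literally would accept "Passw0rd" while rejecting "password", which is exactly the false sense of security the Microsoft text warns about.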
