For #&%@’s Sake, Make Your Passwords Stronger

2 minute read | Quick Tip

Hey, guess what? Your passwords probably suck. Most of our passwords suck. To be fair, mine don’t. They’re stupid long, are random, and I never repeat them. Maybe you do the same. If so, you can read this piece, gloat, and revel in how much better at security you are than your neighbors. Or skip it altogether.

But for the rest of you? Your passwords probably suck. So—for #&%@’s sake—make your passwords better!

Passwords Still Somehow Sucked in 2016

Keeper Security (makers of Keeper password manager, for context) analyzed some 10 million passwords released in security breaches in 2016. Five million of those passwords are in the image below. Oh, sure, there’re only 25 passwords in this image, but they represent half of all the passwords used. Because most of you suck at passwords. Behold:

Keeper Security’s Top 25 Passwords from 2016

Do you use a password that is on that list? Change it! Seriously, folks. Make your passwords better. Apple’s Safari will generate fairly strong random passwords. So do all of the password managers (my favorite is 1Password). Use these tools. Use a password manager to keep everything straight. Don’t be lazy.

And that one password that somewhat doesn’t suck*—18atcskd2w—but is still somehow in this list? Keeper Security wrote, “According to Security Researcher, Graham Cluley, these accounts were created by bots, perhaps with the intention of posting spam onto the forums.”

OK, makes sense why it’s there. But call me unreassured.

Basic Password Tips for Improving Your Security in 2017

The reality is that if you’re reading this article, you probably have some interest in making your own passwords stronger, or helping those in your family who need that help. Here are some basic tips for better password security that I am shamelessly reusing from an article Jim Tanous wrote for us in 2012:

1.) Every password should have all these things:

  • Uppercase characters
  • Lowercase characters
  • Digits
  • Symbols

2.) Make them long. Safari generates 15-character passwords. Me? I like mine longer. 15 characters is nice. 18 is nicer. 24 characters makes me a little flush, if you know what I mean. Plus, when using a password manager, longer really isn’t much of an issue. Jim Tanous beautifully explained why length matters, so check out that piece if you’re curious.

3.) Never reuse a password; never use the same password on more than one site.
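To make the three tips concrete, here is an added example (not from the article or from Keeper Security) that checks a password against rule 1 and the length rule, generates passwords of the lengths the article mentions from the OS random source, and computes the entropy that makes length matter. The character classes and the 15/18/24 lengths come from the article; the function names and the 15-character minimum are assumptions of this example.

```python
import math
import secrets
import string

# Rule 1 character classes (assumed to map to the string module's standard sets).
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}
# Full alphabet a generated password draws from: 26 + 26 + 10 + 32 = 94 characters.
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))


def check_password(pw, min_len=15):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    chars = set(pw)
    for name, members in CLASSES.items():
        if not chars & members:
            failures.append(f"no {name}")
    return failures


def generate_password(length=24):
    """Draw a uniformly random password from ALPHABET using the CSPRNG (secrets),
    rejecting candidates that miss a class so rule 1 always holds."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw, min_len=length):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Each extra character adds about 6.55 bits, which is why length matters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The one bot-generated password the article quotes fails three rules.
    print("18atcskd2w ->", check_password("18atcskd2w"))
    for n in (15, 18, 24):
        print(n, "chars:", generate_password(n), f"~{entropy_bits(n):.0f} bits")
```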

Again, Please Make Your Passwords Stronger

The bad guys are getting stronger. This is just a fact. Criminal organizations, miscreants, and foreign governments alike are getting better and better at breaking into accounts, and performing the very breaches that yielded the passwords for Keeper Security to analyze.

On the one hand, your stronger password won’t keep companies who get breached from being breached. But, stronger passwords will make it much harder for the bad guys to access your accounts outside of a breach. In addition, by using different passwords, a data breach at one site won’t expose you on other sites.

*It’s nowhere near long enough, there are no capital letters, and no other characters. It still sucks.

6 Comments

  1. Everything you say is true. However isn’t it really time we just admitted that passwords are obsolete? People can’t remember ones that are strong enough to be any good. Things like Password Key et al. are fine but really they are just making a stronger lance when the enemy is coming at us with tanks. I don’t know what the answer is, but passwords are just obsolete. Even if you have a 24 character password with everything you mention, enough bots can crack it. Social engineering can divulge it. Backdoors and hackers can make it meaningless. It is time, well past time, for a total change in how we keep our systems secure.

  2. I’m noticing a problem similar to the 6-character password problem — a lot of the sites out there allow 15 characters MAXIMUM. Some of the super-long passwords I’ve tried to set in the last two months have either been truncated, without telling me. (thanks to 1Password for noting the actual password the site used!) More worrisome, other websites would refuse to accept a long password for reasons even their tech support couldn’t explain.
    So, even with a super-long password, one has to stay vigilant. Many of the companies out there aren’t even capable of using current strong password practices. Use as strong a password as you can.

  3. Sooner or later we’re going to have to do better than passwords. They’ve gotten so cumbersome for us out here that it’s ridiculous. Yeah, everyone settles for whatever “the new norm” is, but I’m going to be a squeaky wheel. Sure a password management app is one solution, but it’s getting like packing for traveling with a baby if you use someone else’s computer on a trip when you want to use a BIG screen and not a dinky smart phone. Sometimes a smartphone feels like a toy or a settle-for after years of big easy screens mice and keyboards. For graphic designers and visual artists, a smartphone won’t cut it. I’m looking forward to something like fingerprint recognition without it JUST being on our own devices. It’s time for a change.

  4. Scott B in DC

    Ok @geoduck and @maxglitz, what do you suggest? What is better than passwords that can be implemented on a wide scale?

    I deal with large-scale systems on a daily basis. Systems that have to be accessed by a wide variety of people, not just the techno-geeks. No matter the system we use, it’s not going to work.

    Certificates? Think about how you would teach your least technical family member about how to use certificates. Sorry, that technology has not caught up to the user-friendly stage.

    Tokens? You go buy everyone tokens. Oh, right… something equivalent, like grid (or Bingo) cards. Ok… explain that to your non-technical relative. I have to deal with allegedly technical people who don’t get it.

    Soft tokens, like Google Authenticator? Let’s leave the Google as BIG BROTHER issue aside for the moment; not everyone has a smartphone or a device to run the soft tokens. Yes, these people exist but are being forced into a world they are not economically or intellectually prepared to participate in.

    Of course, this rules out using SMS on the phone as a second step or factor. Some of those people cannot afford the additional SMS messages.

    Like everything else, there’s the problem with management. Who will be the single point of technical support? Are you going to give the government access to the keys? What about Google (insert BIG BROTHER comments here)? Amazon or Facebook? (Smaller versions of BIG BROTHER)

    Privacy laws in Europe do not allow for a central authority without certain protections. This is why a lot of European-based services do not use OpenID, Facebook Connect, OAuth, or anything similar. If you try to implement it in the United States, you’re going to get pushback from various privacy rights organizations like the ACLU, EPIC, Internet Freedom Foundation, and others. And considering the current state of the technology, I will be right there to protest.

    The concept of a single or global sign-in has been a long-standing debate. Sure, there have been attempts to make it work, but those were technical attempts. The problem with the technical attempts is that it fails when we factor in the human component like greed, piracy, stupidity (not ignorance, that’s a different issue) and those other wonderful nasties that the government has to pay people like me to help clean up after the mess is made!

  5. archimedes

    Users aren’t really to blame for bad passwords when they have to remember them. I believe it was Don Norman who described passwords as a “conspiracy against memory.” Usually any password you can remember is, almost by definition, not a good one. There are tricks to remember more obscure and longer passwords, but it’s better to take humans out of the loop to begin with!

    Safari and iCloud keychain solve the bad password problem somewhat by generating a randomized password that is automatically remembered by keychain so you don’t have to. But why aren’t randomized passwords and client certificates the norm rather than the exception?

    Multi-factor authentication also improves the password situation quite a bit. For example, if an app requires a password, it can easily add other information to the password such as a private, per-session randomized key. Yet multi-factor authentication is also the exception rather than the rule.

    The bad password problem is largely a product of bad system design, namely depending solely on humans to do something that we’re bad at.
