There’s been a lot of talk recently about passwords, password strength and hacked password managers, and even the need to get rid of passwords altogether. While that may not be a bad idea, passwords are going to be with us for some time.
And for decades now, probably since the first computer password was introduced at MIT in the 1960s, people have been making these five password mistakes, and they weaken everyone’s security.
1 Using the same password everywhere
Reusing the same password at many sites has caused problems with logons since long before the Internet, back in the days of mainframe logins, local area networks and bulletin board systems. It is evidence of our tendency to take the path of least resistance, which with passwords means choosing combinations that are easy to remember and type.
A few years ago, security firm Trusteer looked at login information on more than 4 million PCs, and it found that nearly three-quarters (73 percent) used the same password on other websites as they did for their bank.
Fix: Don’t. Create a unique password for each site.
2 Using the same username everywhere
Same problem as with password reuse. People want to remember their username, so they use the same username everywhere. No good.
It’s also a problem to use usernames that are easy to guess, such as your name or primary email address. Your username and password combination is a lock, and your username is half of it, so obscure it.
Using the same username and password for multiple sites is clearly bad security hygiene, especially since after a breach, attackers take the stolen usernames and passwords and try them against other websites to see where they work.
Fix: Mix up your username on different sites and pick ones that aren’t obvious.
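The replay of leaked username/password pairs described above looks distinctive from the defender’s side: one source cycling through many different usernames, most of them failing. The following is an added example (not code from the article) that runs that check over a constructed set of login events; the field layout and the threshold of five distinct usernames are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of login events as (source_ip, username, outcome).
# These values are made up for this example, not data from the article.
SAMPLE_EVENTS = [
    ("203.0.113.10", "alice", "fail"),
    ("203.0.113.10", "bob", "fail"),
    ("203.0.113.10", "carol", "fail"),
    ("203.0.113.10", "dave", "success"),
    ("203.0.113.10", "erin", "fail"),
    ("203.0.113.10", "frank", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "success"),
]


def find_stuffing_sources(events, min_distinct_users=5):
    """Return {source_ip: set_of_usernames} for every source that tried
    at least `min_distinct_users` different usernames.

    A legitimate user who mistypes a password keeps hitting one username,
    so that source is not flagged. A source working through a list of
    leaked username/password pairs touches many accounts and is flagged.
    """
    users_by_source = defaultdict(set)
    for source, user, _outcome in events:
        users_by_source[source].add(user)
    return {
        source: users
        for source, users in users_by_source.items()
        if len(users) >= min_distinct_users
    }


def accounts_at_risk(events, min_distinct_users=5):
    """Usernames that logged in successfully from a flagged source.

    These are the accounts whose reused credentials worked here and that
    should be forced through a password reset.
    """
    flagged = find_stuffing_sources(events, min_distinct_users)
    return sorted(
        {user for source, user, outcome in events
         if source in flagged and outcome == "success"}
    )


if __name__ == "__main__":
    for source, users in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{source}: {len(users)} distinct usernames tried")
    print("accounts at risk:", accounts_at_risk(SAMPLE_EVENTS))
```

In the constructed sample, 203.0.113.10 tries six different usernames and gets one success (dave), so dave’s account is the one whose reused password paid off for the attacker; 198.51.100.7 only retries alice and is left alone.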
3 Creating passwords that are too short
According to much of the research out there, most users create passwords that are six to eight characters long. A few years ago, Troy Hunt studied breached username and password combinations, including more than 1,000,000 customer passwords that Sony stored in plaintext, and found that passwords shorter than five characters (too short) and longer than 10 characters (a good length) were both rare.
Fix: In passwords, longer means safer (shoot for 8 or more), so add those extra characters.
4 Not using enough different special characters
Hunt’s research also showed that users don’t use many different character types in their passwords. Most users choose just one character that isn’t a letter or a number; in fact, only 4% used three or more different types of characters.
Fix: Use at least three different character types, including numbers, punctuation and symbols.
5 Choosing something that is about their lives
Too many users choose their name, their pet’s name, the company name, the town they grew up in or a mix of a few known names as a password, which is always a horrendous idea. While this makes passwords much easier to remember, it also makes them much easier to guess and attack.
Fix: Choose passwords that have nothing to do with one’s name, family, work or life.
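The fixes for mistakes 3, 4 and 5 (at least 8 characters, at least three character types, nothing drawn from your own life) can be enforced at the point where a password is chosen. The following is an added example, not code from the article: a small policy check that applies all three rules. The list of personal terms is a constructed stand-in for whatever a site already knows about the user (name, employer), and the four character types counted are an assumption about what “different character types” means.

```python
import string

# Constructed list of personal terms a site might already know about the
# user and ask them to avoid. Made up for this example.
PERSONAL_TERMS = ["alice", "rex", "acme", "springfield"]


def character_classes(password):
    """Count how many of four character types appear:
    lowercase letters, uppercase letters, digits, punctuation/symbols."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 1
    if any(c.isupper() for c in password):
        classes += 1
    if any(c.isdigit() for c in password):
        classes += 1
    if any(c in string.punctuation for c in password):
        classes += 1
    return classes


def personal_term_found(password, terms):
    """Return the first personal term contained in the password
    (case-insensitive), or None if none appears."""
    lowered = password.lower()
    for term in terms:
        if term.lower() in lowered:
            return term
    return None


def check_password(password, personal_terms=(), min_length=8, min_classes=3):
    """Return a list of policy violations; an empty list means the
    password passes the length, character-type and personal-term checks."""
    problems = []
    if len(password) < min_length:
        problems.append(
            f"too short: {len(password)} characters, need at least {min_length}"
        )
    classes = character_classes(password)
    if classes < min_classes:
        problems.append(
            f"too few character types: {classes}, need at least {min_classes}"
        )
    term = personal_term_found(password, personal_terms)
    if term is not None:
        problems.append(f"contains personal term: {term}")
    return problems


if __name__ == "__main__":
    for candidate in ["sunshine", "Rex2015!", "a1", "Tr0ub4dor&3"]:
        result = check_password(candidate, PERSONAL_TERMS)
        print(f"{candidate!r}: {result or 'ok'}")
```

Note that the personal-term check is only as good as the list behind it; a real deployment would also reject passwords that appear in known breach lists, which the text’s discussion of reuse makes the larger risk. Length is the rule to be strictest about: adding characters raises the guessing cost faster than adding symbol types does.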
While the demise of the password has been predicted for decades now, and one day it’s likely to happen, that day isn’t coming soon. In the meantime we all need to learn how to properly manage this necessary security evil.