SplashData recently announced its annual list of the 25 most commonly used “worst” passwords. Passwords like 12345, password, 123456, and michael show that, if given the choice, users will continue to select the laziest allowed password (also, the frequency of superman and batman indicates a heavy bias towards DC Comics over Marvel). SecureState frequently comes across similar weak passwords while performing security assessments for organizations. Ironically, these passwords are not just found on the average user’s email account, but frequently on administrative passwords for systems run by information security staff.
Below are a few tips that end users and IT professionals can use to secure their passwords.
1. Use Complex Passwords or Passphrases
SecureState recommends an absolute minimum password length of fourteen characters with complexity. Users should not use any passwords that can be guessed based on personal information easily available to hackers or common words and phrases. Passwords, or preferably passphrases, of fourteen or more characters with upper and lower case alphabetic letters, numbers, and special characters will be much more difficult to guess than single words. The strings below are examples of complex, secure passwords:
- ABRwc2011worklogin
- $m3llycat!!!
- 1Ki77y2074K
![weak passwords, passwords]()
2. Use a Password Manager
2. Use a Password ManagerUsers should never write their passwords on paper or keep them stored in a text file or email. Users can download one of the many excellent password managers available to store all of their passwords. Most password managers have the added ability to analyze your password strength, auto-login to websites, and allow secure password sharing.
3. Don’t Use the Same Password across Multiple Logins
Using the same password across multiple sites increases an attacker’s ability to compromise multiple accounts. A user who uses the same weak password of monkey on a poorly protected social networking site and their bank account greatly increases the ability of an attacker to pivot from accessing your personal information on the social media site to withdrawing money from your checking account.
Although no password is 100% foolproof, taking these steps will make it more difficult for attackers to compromise your personal accounts.