Are Your Passwords Vulnerable?
The brilliant physicist Richard Feynman became known, among many other things, for cracking safes. One of the keys to his success was his discovery that people often leave combinations at factory settings, such as 25-0-25. People also write down the combination and leave it in a visible place. They also choose easily remembered numbers, such as their birthdays.
People, in other words, were predictable. And still are, it seems. Researchers have found that the three most popular combinations—"1234," "1111," and "0000"—account for close to 20 percent of all four-digit passwords. Furthermore, every four-digit combination that starts with "19" ranks above the 80th percentile in popularity. And month/year—MM/DD— combinations or birth-year combinations remain extremely common. A friend gave me the four-digit combination—her birthyear—to enter her house to feed her cat while she was away. If I gave you the address, you’d be able to gain entry in no time. (Please feed the cat.)
In one analysis, among the most common passwords used, were "123456," "welcome," and the ever-popular "password." Furthermore, passwords tend to be relatively short (usually six to ten characters), simple (mostly alphanumeric characters) and predictable (more than a third were in a common password dictionary). Making matters worse, people tend to use the same password for multiple accounts, so if someone gets into one of the accounts, the others become immediately vulnerable.
And thinking you’re clever may provide little protection. A friend of mine used to use the value of pi as one of his passwords till I pointed out that it’s the seventeenth most popular ten-digit password.
Given the challenge of creating a different and strong password for every one of your accounts, the best alternative, where feasible, may be to use a password management tool. This can help you build a strong password set and securely store it so you don’t have to worry about forgetting your passwords or reusing the same old password for everything. But if you want to continue to use “conventional” passwords, Eric Wolfram recommends these tips:
- Make your password as long as possible, at least six characters, of which at least two are numeric.
- Use as many different characters as possible, including numbers, punctuation characters and, when possible, mixed upper- and lower-case letters.
- Don’t use personal information, which includes anything someone else is likely to be able to figure out.
- Don’t use words, geographical names, or biographical names that are listed in standard dictionaries.
- Never use a password that’s the same as your account number.
- Avoid passwords that are easy to spot while you're typing them, such as 12345 or qwerty (i.e., all keys next to each other).
It’s also recommended that you avoid consecutive or repetitive letters or popular titles or phrases. And don’t write down your passwords. But if you must, don’t leave them where peering eyes will find them.
By the way, if you’re determined to use four-digit passwords, be aware that the least popular combinations are 8068, 8093, 9629, 6835, and 7637. Or at least they used to be, until this tidbit was publicized. So don’t use them.