Saturday, August 14, 2010
I’m not going to name names, but I heard recently of some WordPress bloggers who had their blog’s “broken into” not because of a vulnerability in the WordPress code, but because their passwords were easily guessed and used.
I vaguely remember a television court drama from a few years ago against a gun safe company, won because a locked gun safe was easily broken into by a child. The combination was very simple like a phone number, 123456 or 654321. For one of these bloggers, their password was their name spelled backwards. The other used the password “wordpress”. Is the password on your blog just as simple?
The most common passwords are:
Names spelled backwards
The word “password”
Single or combination uses of love, god, sex, and money, such as lovemoney or sexgod
According to Wikipedia’s explanation of Password Cracking, “Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs.”
With all of the hype over security vulnerabilities and patches, virus scanning programs, firewalls, and protecting passwords and usernames, people are still really stupid when it comes to choosing and disclosing their usernames and passwords. Wired reported on a MySpace phishing attempt to gain access to usernames and passwords with these results: “MySpace estimates that more than 100,000 people fell for the attack before it was shut down.”
They also reported that “while 65 percent of passwords contain eight characters or less, 17 percent are made up of six characters or less. The average password is eight characters long.” The eight character limit has been trained into us as that was the longest the earliest software programs could handle. It’s not true anymore, but it’s a habit. Is your password eight or less characters long?
Roger Grimes of InfoWorld got some of the information on the MySpace debacle and reported:
*Almost 1 percent of users had the word “password” as, or as part of, their password. Not real clever.
*Words, colors, years, names, sports, hobbies, and music groups were very popular. FYI, your girlfriend or boyfriend’s name isn’t that uncommon in most cases. I, too, luv Brandi, Bob, or Joe.
*The color red was twice as likely to be used in a password as blue. No other colors came close in popularity percentage-wise. I guess “chartreuse” is a relatively safe password choice.
*Other popular words include: angel, baby, boy, girl, big, monkey, me, and the.
*Cuss words were very popular. Boy, there’s a lot of aggression out there.
*I was surprised about how many Christian-sounding — for example, “Ilovejesus” — log-on names were associated with the worst cuss words.
*Names of sports — golf, football, soccer, and so on — were as popular as professional sports teams and college team nicknames.
The strongest passwords are created with letters and numbers, or even with characters such as !@#$%*(). There are also a variety of free online programs that will help you create a complex and not easily broken password. Unfortunately, remembering such passwords is more challenging.
Remembering such passwords for every password need you have, such as with your blog, email, web host, social networking services, social bookmarking services, blog registrations, software registrations, forums, chats, discussion groups…I don’t know about you, but I’m overwhelmed with passwords. I have a clipboard with 12 pages of all the passwords I’ve had with all the various online password accessed services for over the years! How can we remember all of these?
We can’t. Yes, there are now software and browser programs which will “remember” for us, but hit the road, borrow a computer away from home or office and that password program won’t help you then. Still, the passwords we use the most need a method to make them complex but memorable.
A popular technique is to work with acronyms based upon a favorite phrase of music, poetry, or quote, or a simple sentence. For example, “Oh, I just can’t wait to be king” from the Lion King could be abbreviated as:
hiuaaoei (using the second letter of each word)
01j(//7B|Leet Speak Converter)
It also helps to not use the same password for everything you access. Some suggest using the name of the program or service within the password, spelled forwards or backwards or the first or last three or four letters, within their password.
Examples from above for a WordPress (WP) blog might be:
You could easily replace WordPress or WP with ebay, myspace, flickr, or whatever title you need to remember which is which.
Years ago, a security expert told me that if any part of your password is in the dictionary, it can be hacked. The two keys to protecting your password is making it difficult for others to figure out, and don’t tell others. No matter how “honest” their request may appear. According to