Posted on Monday, January 30, 2017 in Cybersecurity Blog. Written by Rob Swenson.
Computer users who are lax about online security apparently were feeling romantic in 2016. A few affectionate words crept into SplashData’s annual list of bad passwords.
Among the top 25 words on the security-service company’s ranking of “Worst Passwords of 2016” are “flower” (No. 17), “hottie” (22) and “loveme” (22).
The top entries on the list are predictable. The numerical sequence “123456” was again the worst password for 2016, and “password” again came in second place. Those two passwords have been at the top of SplashData’s list for several years.
Other numerical sequences and variations of the word “password” occupy several positions in the current Top 25. Other than “football” (No. 5), sports terms faded off the list.
SplashData, a leading provider of password management applications, examines data mostly from North America and Western Europe to come up with its list. It releases the list to encourage people to use stronger passwords.
The company’s website offers three basic tips about passwords to enhance online security:
- Use passwords of eight or more characters that mix character types (letters, digits and symbols).
- Avoid using the same user name and password combination for multiple websites.
- Use a password management program that randomly generates passwords to log into websites.
Passwords vs. passphrases
There has been quite a bit of online discussion lately about the virtues of using passphrases rather than passwords, when possible.
Passphrases generally are phrases or sentences that include spaces between words and are spiced up with random symbols and punctuation marks to make cracking them more difficult. Passwords generally are a shorter mix of letters and symbols.
The biggest virtue of passphrases is that they can be easier for the user to remember. They also can be more secure because of their length: each additional character multiplies the number of guesses an attacker has to make.
“Passphrases are next to impossible to crack because most of the highly-efficient password cracking tools break down at around 10 characters,” according to the website passworddragon.com.
Welivesecurity.com is among other sites that make a case for passphrases over passwords.
“Passphrases (are) longer, more complex and easy to remember; they will help you be more safe and secure,” the site says.
I put the question of passwords vs. passphrases to Chad Pew, manager of IT at SDN Communications in Sioux Falls. He’s a local expert in password security.
“I wouldn’t say that one is more secure than the other,” he says. “It all goes to their complexity.”
In other words, regardless of whether a person uses a password or a passphrase, it needs to be long enough and unpredictable enough to make guessing it, by hand or with computer equipment, a difficult task. Length helps only if the attacker cannot shorten the search: cracking tools try whole dictionary words and common phrases as single units, so a sentence built from a few everyday words is far weaker than its character count suggests, while a phrase of several words picked at random from a large list holds up.
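The arithmetic behind “long enough and complex enough,” as an added example that is not part of the original post. It puts numbers on the secrets the post mentions: SplashData’s eight mixed characters, a passphrase of words drawn at random from a 7776-word Diceware-style list, and a sentence like “I like chocolate” judged two ways, by raw length and by the word-level attack a cracking tool would actually run. The word list here is a constructed ten-word stand-in (only the list size enters the calculation), and the 2,000-word “common vocabulary” and the 10 billion guesses per second are assumptions, labelled in the code.

```python
import math
import secrets

# Constructed stand-in for a Diceware-style word list. A real list has 7776 words
# (five rolls of a six-sided die); only the list size enters the arithmetic below.
DICEWARE_LIST_SIZE = 7776
SAMPLE_WORDS = ["apple", "river", "candle", "marble", "forest",
                "silver", "thunder", "pillow", "ladder", "copper"]

PRINTABLE_ASCII = 94          # letters, digits and symbols a random password can use
COMMON_VOCABULARY = 2000      # assumption: words an attacker's phrase list tries first
GUESSES_PER_SECOND = 1e10     # assumption: offline attack on a fast unsalted hash on a GPU rig


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string whose `length` symbols are each chosen uniformly
    at random from `alphabet_size` options: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility; on average an attacker needs half of it."""
    return 2.0 ** bits / guesses_per_second


def compare_strengths() -> dict:
    """Bits of entropy for the kinds of secrets the post discusses, assuming the attacker
    knows how each one was built (the only sound assumption)."""
    return {
        # 8 random mixed characters, SplashData's minimum
        "random 8-char password": guess_space_bits(PRINTABLE_ASCII, 8),
        # words drawn at random from a 7776-word list
        "random 4-word passphrase": guess_space_bits(DICEWARE_LIST_SIZE, 4),
        "random 6-word passphrase": guess_space_bits(DICEWARE_LIST_SIZE, 6),
        # "I like chocolate" judged by length alone: 16 symbols of a-z plus space
        "'I like chocolate' by length": guess_space_bits(27, 16),
        # the same phrase when the tool guesses it word by word from common vocabulary
        "'I like chocolate' by words": guess_space_bits(COMMON_VOCABULARY, 3),
    }


def random_passphrase(word_list: list, words: int = 6) -> str:
    """Passphrase whose strength matches the arithmetic above when used with a full-size
    list: each word is picked with a cryptographic RNG, independently of the others."""
    return " ".join(secrets.choice(word_list) for _ in range(words))


def random_password(length: int = 16) -> str:
    """Manager-style random password over letters, digits and symbols."""
    alphabet = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789!@#$%^&*()-_=+")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, bits in compare_strengths().items():
        print(f"{name:30s} {bits:5.1f} bits   exhaustive search: {seconds_to_exhaust(bits):.3g} s")
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
    print("example password:  ", random_password())
```

Run it and the two “I like chocolate” rows tell the story: by length it looks like about 76 bits, but guessed word by word it is about 33 bits, less than the 52 bits of eight random characters and a fraction of a second of GPU time at the assumed rate. A four-word random passphrase lands at roughly the same 52 bits as the eight-character password while being easier to remember, and two more words push it past 77 bits.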
Pew uses a password management service to store his dozens of passwords and keep them organized and secure. The service generates a random password for each site when he sets up or changes a login and fills it in for him when he returns.
Password management systems can be software applications or hardware. They can store encrypted data on the device or in the cloud. Typically, a user has one strong master password that unlocks the person’s database; the manager derives the encryption key from that password rather than storing the password itself.
That single point of access is also a potential weakness because it represents a single point of failure. If a master password gets out, or a database is stolen and the master password is weak enough to be guessed offline, all of a person’s passwords might be exposed. The master password therefore needs to be the strongest one a person has, and the manager account itself should be protected with two-factor authentication where that is offered.
Regardless, a lot of experts endorse the responsible use of password management tools.
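What “the database gets hacked” looks like in practice, as an added example that is not part of the original post or of any particular password manager. It models the piece every manager has in common: a key derived from the master password with a slow function (PBKDF2-HMAC-SHA256 here) and a stored verifier used to check an unlock attempt. Encryption of the individual entries is left out; the verifier stands in for the unlock. The attacker who has copied the vault can then run the check as fast as the key derivation allows, with no login page to rate-limit them. The candidate list is built only from entries named on this page, and the 200,000 iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Assumption: iteration count of the order a vault KDF uses today. It is the only
# thing slowing an attacker who holds a copy of the vault file.
PBKDF2_ITERATIONS = 200_000

# Candidates drawn from the entries named on this page. A real attacker starts with
# millions of leaked passwords, of which these are the most common.
WORST_2016_SAMPLE = ["123456", "password", "football", "qwerty",
                     "welcome", "flower", "hottie", "loveme"]


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into the 32-byte key that would encrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_vault(master_password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What a manager keeps on disk or in the cloud: a random salt, the KDF cost and a
    verifier that lets it confirm the master password without storing the password.
    (Entry encryption under the derived key is omitted; the verifier models the unlock.)"""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(vault: dict, candidate: str) -> bool:
    """True if `candidate` derives the key the vault was created with."""
    key = derive_vault_key(candidate, vault["salt"], vault["iterations"])
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(check, vault["verifier"])


def offline_attack(vault: dict, candidates: list) -> tuple:
    """An attacker holding a copy of the vault faces no login page and no rate limit;
    each guess costs one KDF run. Returns (master_password, guesses) or (None, guesses)."""
    for guesses, candidate in enumerate(candidates, start=1):
        if unlock(vault, candidate):
            return candidate, guesses
    return None, len(candidates)


if __name__ == "__main__":
    weak = create_vault("loveme")
    print("weak master:  ", offline_attack(weak, WORST_2016_SAMPLE))
    strong = create_vault("marble river thunder pillow silver")   # random multi-word master
    print("strong master:", offline_attack(strong, WORST_2016_SAMPLE))
```

With “loveme” as the master password the vault falls on the eighth guess; with a random five-word master the same list finds nothing, and the attacker is left paying 200,000 hash iterations per guess over a space the earlier arithmetic puts well beyond reach. The salt is fresh per vault, so a table precomputed for one stolen vault does not help with the next.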
Here are some additional tips from welivesecurity.com. The suggestions were written to apply to passphrases, but they also could apply to passwords.
- Short passwords are bad. Long passphrases are good.
- Never reuse an old password.
- Use two-factor authentication for added security.
- Use a different passphrase for every account.
- Change your passwords periodically.
Using two-factor authentication, when possible, is less obvious than the other suggestions, but it is an especially good practice. That is when, for example, signing into a website with your password also triggers a one-time code sent to your phone, and that code must be entered too before access is granted. A stolen password alone is then not enough to get in.
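The server side of that “code sent to your phone” step, as an added example that is not part of the original post or of any real site’s code. It shows the three properties a one-time code needs beyond being random: it expires, it works once, and it is locked after a handful of wrong entries, because a six-digit code has only a million possibilities and would fall to brute force in minutes without an attempt limit. Delivery of the code (the text message) is out of scope, so `send_code` simply returns it; the five-minute lifetime, the five-attempt limit and the injected clock are assumptions for the example.

```python
import hmac
import secrets

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: a five-minute validity window
MAX_ATTEMPTS = 5              # assumption: lock the code after five wrong entries


class FakeClock:
    """Deterministic clock so expiry can be demonstrated without waiting."""
    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class OneTimeCodeService:
    """Issues and checks the second-factor code for a user who has already
    passed the password check. `clock` is a callable returning seconds."""

    def __init__(self, clock):
        self._clock = clock
        self._pending = {}   # username -> {"code", "expires", "attempts"}

    def send_code(self, username: str) -> str:
        """Generate a fresh code with a cryptographic RNG; any earlier code is replaced.
        Returns the code so the caller can deliver it (SMS delivery is out of scope)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = {
            "code": code,
            "expires": self._clock() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """True only for the current, unexpired, not-yet-used code, within the attempt limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing outstanding: never sent, used, or locked
        if self._clock() > entry["expires"]:
            del self._pending[username]       # expired: user must request a new one
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[username]       # single use: the same code never works twice
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]       # lock out: stops a walk through all 10^6 codes
        return False


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = OneTimeCodeService(clock.now)
    code = svc.send_code("alice")
    print("texted code:", code)
    print("wrong code accepted?", svc.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted?", svc.verify("alice", code))
    print("replayed code accepted?", svc.verify("alice", code))
```

The constant-time comparison matters less for a six-digit code than the attempt limit does, but it costs nothing. The real protection is that an attacker who captures the password still has to intercept a fresh code within its window, and cannot simply guess one.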
The bottom line is to take passwords and passphrases seriously. Don’t settle for something simple, like “welcome” or “I like chocolate,” as your secret word or phrase.