Let’s face it. Most computer users are inherently lazy. In order to make things easy on ourselves, we often use the same simple password on multiple websites and devices.
Last fall, a purveyor of password management and security software, SplashData, published its annual list of the 25 worst passwords of the year, a list “compiled from files containing millions of stolen passwords posted online by hackers.” According to SplashData, the top 10 most commonly used passwords (a fact not lost on hackers and crackers) are: password, 123456, 12345678, abc123, qwerty, monkey, letmein, dragon and 111111.
In 2009, following a hack of the popular social gaming network RockYou.com, a staggering 32 million user passwords were published. A cyber security company, Imperva Application Defense Center, analyzed those 32 million passwords and found that users overwhelmingly preferred simple, easy-to-remember passwords. Almost a third of RockYou users had short passwords of fewer than six characters, a length whose total number of possible combinations is so small that any of several readily available utilities can crack them by brute force or with a dictionary. The same study found that about 60 percent of users had passwords drawn from a limited set of alphanumeric characters, which are also easy to crack. Almost half of users used slang, dictionary words, names or so-called “trivial passwords” consisting of consecutive digits or adjacent keyboard keys. The most common password, “123456” (used by 290,731 RockYou users), is the same “most common” password found in other studies of common passwords.
SplashData, Imperva, ESET and other security companies and services have widely published a short list of hints and tips for creating more secure passwords that will be difficult to crack. These recommendations are substantially identical across the different sources, and generally include the following:
1. Use a password of at least eight characters, including both alphabetical (mixed upper and lower case letters) and numerical characters. Many websites also allow punctuation and other symbols as part of the password; this makes cracking much more difficult. Some password experts suggest using short words with spaces or characters separating the words and perhaps a number, such as “i_lOVe-TeXas!0518.” Bruce Schneier, a respected cryptographer, computer security specialist and writer, has proposed this novel idea for creating an easy-to-remember but secure password: “Take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’ That nine-character password won’t be in anyone’s dictionary.”
2. Never use the same password on more than one site. Hackers and crackers have often found that a user’s e-mail address or username and password stolen from one popular website will work perfectly on other popular websites, making identity theft, financial fraud, espionage and other malicious activities easy to accomplish. Bruce Schneier recommends, “If you can’t remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember.”
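As an added example (not code from the column or from any of the vendors it names), here is a small Python checker that applies the recommendations above (length, mixed case, digits, nothing from the common or "trivial" password patterns) and estimates the brute-force search space that makes the short RockYou-style passwords so easy to crack. The common-password list is built from the entries quoted in the column; the keyboard rows are an assumed US layout.

```python
import math
import string

# Constructed from the column: the "most common" entries quoted from SplashData and the RockYou study.
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty",
                    "monkey", "letmein", "dragon", "111111"}
# Assumed US keyboard rows, used to spot "adjacent keyboard keys" passwords such as qwerty.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_trivial_sequence(pw, min_run=4):
    """True if pw contains a run of consecutive digits or adjacent keyboard keys (either direction)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_run] in s for i in range(len(seq) - min_run + 1)):
                return True
    return False


def keyspace_bits(pw):
    """Estimate the brute-force search space in bits from the length and the character classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw):
    """Return the recommendations from the column that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("no numerical characters")
    low = pw.lower()
    # Also catch a common password with digits tacked on the end, e.g. "Password1".
    if low in COMMON_PASSWORDS or low.rstrip(string.digits) in COMMON_PASSWORDS:
        problems.append("on the most-common-passwords list")
    if is_trivial_sequence(pw):
        problems.append("consecutive digits or adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "Password1", "tlpWENT2m", "i_lOVe-TeXas!0518"):
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, problems: {check_password(candidate)}")
```

The six-digit "123456" has a search space of under 20 bits, while the nine-character "tlpWENT2m" sits near 54 bits; the checker only estimates resistance to brute force, which is why it also looks for the common and trivial patterns the studies found.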
To combine the security of unique, complex passwords for each website with the convenience of a written password list, several software authors and publishers have created a class of software generically called “password managers.” Password managers are readily available as both free and commercial products for download or purchase. Many comprehensive security suites now also include a dedicated password manager, as exemplified by TrendMicro’s Titanium Maximum Security suite, which includes TrendMicro’s “DirectPass” password manager as one of its components.
Gizmo’s popular freeware rating and evaluation service, TechSupportAlert.com, has reviewed and rated many of the password managers and posted the results online at techsupportalert.com/best-free-web-form-filler-password-manager.htm. Gizmo gave its highest 10-star rating and its “Best Product In Its Class” award to LastPass (lastpass.com), the password manager that I have been using for several years. LastPass can safely store passwords “in the cloud” using the same grade of encryption as the military (a concern of some users), is accessible from any computer or smart device, works automatically with almost all modern Web browsers (Internet Explorer, Firefox, Chrome, Opera and Safari), and runs on most major operating systems, including Windows, Mac and Linux. For most users, the totally free version of LastPass is feature-rich and entirely satisfactory; for those who want additional features, including the portable version of LastPass for use on a variety of smart devices including iOS, Symbian, BlackBerry and Android, the premium version of LastPass is $12 per year. LastPass can automatically fill forms with username and password, fill in personal data on applications and delivery instructions, and provide a host of other services. LastPass will also intelligently capture newly created or changed usernames.