How to pick a lousy password

It seems we live in an age where we have to think of new passwords every week.  In the good old days, you could browse a web site, even order stuff, without having to create an identity first. Now, every site wants you to create an ID, in the hope that they can gleam more information about you, and that you are more likely to return in the future.  But picking passwords is a pain.  There are lots of articles on the Web about how to pick a good password. But we all know that’s way too much work. People are basically lazy, right?  Here are a few rules to make your life easier. My sincere apologies if you find your current password covered by one of these rules. Sorry for wasting your time; you have already proven that you know how to be lazy.

1. Your password is the same as your email address, or some portion thereof. Congratulations, you have achieved the epitome of laziness!

2. Your password uses one of your names (first, middle, last, nickname). Still pretty lazy. An attacker now has to try 2 or 3 passwords, instead of just 1 as with the previous method.

3. Your password is a clever sequence of keys. This is laziness with a thin verneer of cleverness maquerading as effort.  You will probably win an award from the Shoulder Surfer Assocation thanking you for picking a password that is easy to swipe. After all, they can be lazy when your password is ”qwerty” or “q1w2e3″ or “abc123″.

4. Your password is “password”, “secret”, or “123456″. Excellent!  Not only are these lazy passwords, they are the sign of a lazy person with no imagination!

5. Your password is your favorite pet, movie, book, song, athlete, team or city.  You win the Facebook Friendly Password prize. Instead of a billion people able to guess your password, as with the previous methods, now only your 300 Facebook friends have a clue.

6. Your password is the name of your spouse, child, girlfriend, boyfriend, or relative. See #5, above.

7. Your password is a super-duper clever phrase, like “letmein” or “ihaveadream”. Gosh, I’ll bet that took you all of 100 milliseconds to think up. Nice work.

8. Your password is a word from the dictionary. Whoa!  This actually took some work.  Not much, but more than the other methods.

How did your password fare?  Did you find yourself on this list?  If so, you have a lousy password. Congratulations!

Now to get serious. Let’s look at the downside of picking a lousy password.

The Conficker worm, which wreaked havoc on the Internet a few years ago, relied on a hard-coded list of several hundred commonly-used passwords.  That’s a pretty sad commentary on the state of security. Pretty good proof that laziness trumps security for many users.

If you think that security problems only arise from outsiders, think again. I know of several instances where a disgruntled employee decided to wreak havoc on the systems. Rather than use their own login ID for this chore, they swiped the password of a colleague.  I’ll bet the colleague wasn’t thrilled to find themselves under suspicion.  Before this happens to you, realize that with a little work, it isn’t too hard to figure out the first few letters of a password just by watching someone’s hands.  Even knowing a letter or two can be quite helpful in figuring out how the rest of the password is probably spelled. If someone sees you typing 7 keystrokes that start with “jan”, it isn’t too hard to guess that the password could be “january”.

Rather than repeat what others have said about picking good passwords for yourself, I’d rather that you called up your favorite web browser and searched on “how to pick a good password”.

If you are a System Administrator for a VOS or OpenVOS system, you can add the privileged set_password_security command to your module_start_up.cm file to restrict the form of passwords that your users can pick. In this way, you can greatly cut down on the use of lazy, easy-to-guess passwords.  You can forbid the use of vowels, which will eliminate most dictionary words. You can forbid repeating characters, which will eliminate passwords like “aardvark” or ”aaaa”. You can forbid use of a person’s user name (or its reverse, or an anagram) as their password. You can forbid re-use of one of the 5 previous passwords. You can prevent someone from changing their password too often (and thus defeating the previous password check). You can require that the password consist of at least two alphanumeric words separated by a punctuation character. You can supply a table of forbidden passwords and thus prevent people from using the local sports team, or name of the month, or company name, as a password.  To do this, make up a tin (table input) file named forbidden_passwords.tin. Each line consists of an entry of the form “/ =password chicago”, where “chicago” is a forbidden password. Compile it using create_table, and copy forbidden_passwords.table to the (master_disk)>system directory. Use set_password_security -forbid_passwords_in_table option to enable it. You can require that the password contain both alphabetic and numeric characters. You can forbid passwords that put the digits at the start or end of the password. Finally, you can require people to change their password away from the administrator-supplied password upon their first login.

I have created a sample “forbidden_passwords.tin” file and placed it on the OpenVOS anonymous FTP site.  See ftp://ftp.stratus.com/pub/vos/doc/reference/forbidden_passwords.tin. Take a look and let me know what you think of it in the comment section, below.

 

 

Tags:

Comments are closed.

//pardot tracking code