You might have heard of the MySpace phishing attack at the end of last year. Bruce Schneier analyzed 34,000 real-world user names and passwords captured by it, and it turns out, as expected, that most of the passwords people use are quite easy to crack. The most common passwords are:
Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.
But also:
I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.
A good password would be a long alphanumeric combination of mixed cases. As this is quite hard to remember, I advise you to use the first letters of a sentence you can easily remember; for example, "The quick brown fox jumps over the lazy dog" becomes "Tqbfjotld". (Note: This is just an example; you should not use well-known phrases like this one, as they might appear in cracker dictionaries.) Use such passwords for MySQL users, for the Rails database connection and in your web application. It is also good advice to check the strength of the password when a user signs up to your application and to reject the most common ones. The remaining problem is that users need many user names and passwords, so they reuse the same ones across applications. OpenID might be a solution.
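As an added example (not code from the original post), here is a sign-up password check of the kind described above: it derives the "first letters of a sentence" password, and it reports why a candidate password is weak (too short, missing a character class, on a deny-list, or containing the user name). The deny-list is constructed from the top 20 passwords quoted above; the policy name, the minimum length of 8 and the `username:` option are my assumptions. It is plain Ruby so it runs stand-alone; in a Rails model you would call it from a `validate` method and add the reasons to `errors`.

```ruby
require 'set'

# Added example, not from the original post: a password-strength check for sign-up.
module PasswordPolicy
  MIN_LENGTH = 8 # assumed minimum; adjust to your own policy

  # Constructed deny-list: the top 20 MySpace passwords quoted in the post
  # (the censored entry is kept exactly as the post prints it).
  COMMON = Set.new(%w[
    password1 abc123 myspace1 password blink182 qwerty1 ****you 123abc
    baseball1 football1 123456 soccer monkey1 liverpool1 princess1 jordan23
    slipknot1 superman1 iloveyou1 monkey
  ]).freeze

  # Build the "first letters of a memorable sentence" password the post describes:
  # the first letter of every word, case preserved, punctuation ignored.
  def self.from_sentence(sentence)
    sentence.split.map { |word| word[/[[:alpha:]]/] }.compact.join
  end

  # Returns the list of reasons the password is weak; an empty list means it passes.
  # Any character is allowed (spaces and symbols included); only absence of
  # character classes, length, the deny-list and the user name are checked.
  def self.weak_reasons(password, username: nil)
    pw = password.to_s
    reasons = []
    reasons << "shorter than #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    reasons << 'no lowercase letter' unless pw.match?(/[a-z]/)
    reasons << 'no uppercase letter' unless pw.match?(/[A-Z]/)
    reasons << 'no digit' unless pw.match?(/\d/)
    reasons << 'in the common-password list' if COMMON.include?(pw.downcase)
    if username && !username.empty? && pw.downcase.include?(username.downcase)
      reasons << 'contains the user name'
    end
    reasons
  end

  def self.strong?(password, username: nil)
    weak_reasons(password, username: username).empty?
  end
end

if $PROGRAM_NAME == __FILE__
  candidate = PasswordPolicy.from_sentence('The quick brown fox jumps over the lazy dog')
  puts "#{candidate}: #{PasswordPolicy.weak_reasons(candidate).inspect}"
  puts "monkey: #{PasswordPolicy.weak_reasons('monkey').inspect}"
  puts "Tqbfjotld9 (user tqbf): #{PasswordPolicy.strong?('Tqbfjotld9', username: 'tqbf')}"
end
```

Note that the post's own example "Tqbfjotld" fails this policy with "no digit": the sentence trick gives mixed case and length, but you still have to append a digit or two (and, as the note above says, pick a sentence of your own rather than a famous one).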
4 responses so far
1 Rebort // Jun 5, 2007 at 10:35
Careful — common phrases like “tqbfjotld” or “mvemjsun” (Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, and Neptune) will appear in some cracker dictionaries.
2 Heiko // Jun 5, 2007 at 10:58
Indeed - you’re right, this was meant as an example, I clarified the text.
3 graste // Jun 6, 2007 at 3:19
One thing that often bothers me is that sites don't allow you to use special characters in your username and password. Often it is not possible to use even email addresses as a login name or as part of the password. More often it is not possible to use a password with spaces or special chars like §, $, %, &, @ or whatever else you would like to use for a more secure password. IMHO it should become good practice to allow at least a few more special chars for passwords (often only underscores and hyphens are allowed) and then let the user know that he can use them. I think users often use simple words with numbers for passwords because they are used to no other characters being allowed. So they never get used to the practice of more secure passwords with special characters.
4 lucastej // Sep 25, 2007 at 0:31
My favourite method for creating passwords that are both hard to crack and easy to remember is to use a part of lyrics from a song, for example:
“It’s been a hard day’s night, and I’ve been working like a dog” -> 1bahdn11bwlad.
If you pick lyrics from the middle of some less-known song (or a poem) and add some mixed letters or replace chars with numbers, it's almost impossible to crack by a dictionary attack. It can be a very long password and still be easy to remember (the song, not the password :)).