
Use good passwords

You might have heard of the MySpace phishing attack at the end of last year. Bruce Schneier has analyzed 34,000 real-world user names and passwords and it turns out, as expected, that most of the passwords people use are quite easy to crack. The most common passwords are:

Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.

But also:

I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.


A good password would be a long alphanumeric combination of mixed cases. As this is quite hard to remember, I advise you to use the first letters of a sentence you can easily remember; for example "The quick brown fox jumps over the lazy dog" becomes "Tqbfjotld". (Note: This is just an example; you should not use well-known phrases like this one, as they might appear in cracker dictionaries.) Use such passwords for MySQL users, Rails database access and in your web application. It is also good advice to check the password when a user is signing up to your application. The problem is that users need many user names and passwords, so they use the same one for different applications. OpenID might be a solution.
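The sign-up check suggested above, as an added example that is not part of the original post. It is plain Ruby with no Rails dependency, so it runs stand-alone; the blacklist is the MySpace top-20 quoted earlier (minus the censored entry), while the minimum length and the character-class rules are assumptions of this example, not a rule the post states.

```ruby
# Added example: a minimal password-strength check of the kind the post
# recommends running when a user signs up. Not code from the original post.

# Taken from the MySpace top-20 list quoted in the post; the censored
# "****you" entry is left out because its exact spelling is not on the page.
COMMON_PASSWORDS = %w[
  password1 abc123 myspace1 password blink182 qwerty1 123abc
  baseball1 football1 123456 soccer monkey1 liverpool1 princess1
  jordan23 slipknot1 superman1 iloveyou1 monkey
].freeze

# Assumed policy values for this example; tune them for your application.
MIN_LENGTH = 8

# Returns an array of human-readable problems with the password.
# An empty array means the password passes every check.
def password_problems(password, username: nil)
  pw = password.to_s
  problems = []

  problems << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
  problems << "must contain a lowercase letter" unless pw =~ /[a-z]/
  problems << "must contain an uppercase letter" unless pw =~ /[A-Z]/
  problems << "must contain a digit" unless pw =~ /\d/

  # Most entries in the list are a word plus a trailing digit. Strip trailing
  # digits before the lookup so "Password123" is caught as well as "password1".
  lowered = pw.downcase
  stem = lowered.sub(/\d+\z/, "")
  if COMMON_PASSWORDS.include?(lowered) || COMMON_PASSWORDS.include?(stem)
    problems << "is a commonly used password"
  end

  # A password that contains the login name is trivially guessable.
  if username && !username.empty? && lowered.include?(username.downcase)
    problems << "must not contain the user name"
  end

  problems
end

def strong_password?(password, username: nil)
  password_problems(password, username: username).empty?
end

# Hypothetical sign-up model showing where the check would hang in a Rails
# application: the same logic would go into a validate method and each
# problem would be reported via errors.add(:password, ...).
class Signup
  attr_reader :username, :password, :errors

  def initialize(username, password)
    @username = username
    @password = password
    @errors = []
  end

  def valid?
    @errors = password_problems(password, username: username).map { |p| "Password #{p}" }
    @errors.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  %w[password1 Tqbfjotld Tqbfjotld2007].each do |candidate|
    puts "#{candidate}: #{password_problems(candidate).inspect}"
  end
end
```

Running the file prints the problems found for three constructed candidates; note that the post's own "Tqbfjotld" fails only the digit rule, which is exactly the kind of feedback a sign-up form should give back to the user.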



Reader Comments (178)

Careful -- common phrases like "tqbfjotld" or "mvemjsun" (Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, and Neptune) will appear in some cracker dictionaries.

June 5, 2007 | Unregistered CommenterRebort

Indeed - you're right, this was meant as an example, I clarified the text.

June 5, 2007 | Unregistered CommenterHeiko

One thing that often bothers me is that sites don't allow you to use special characters in your username and password. Often it is not possible to use even email addresses as a login name or as part of the password. More often it is not possible to use a password with spaces or special chars like §, $, %, &, @ or whatever else you would like to use for a more secure password. IMHO it should become good practice to allow at least a few more special chars for passwords (often only underscores and hyphens are allowed) and then let the user know that he can use them. I think users often use simple words with numbers for passwords because they are used to no other characters being allowed. So they never get used to the practice of more secure passwords with special characters.

June 6, 2007 | Unregistered Commentergraste


My favourite method for creating passwords that are both hard to crack and easy to remember is to use a part of lyrics from a song, for example:
"It's been a hard day's night, and I've been working like a dog" -> 1bahdn11bwlad.
If you pick lyrics from the middle of some less known song (or a poem) and add some mixed letters or replace chars with numbers, it's almost impossible to crack it by dictionary attack. It can be a very long password and still it's easy to remember (the song, not the password :)).

September 25, 2007 | Unregistered Commenterlucastej

