May 31, 2006

We're #8! Stuart Brown discovers that the Internet's #8 password is... you know. Taken together, his top 10 passwords are used by 1.8% of Internet users. The top 100 passwords are used by an amazing 6.5% of people. (May not apply precisely outside the UK.) If your password is on that list, change it today!
  • I am feeling pretty password savvy right now.
  • wow, gerund, that's an impressive member number you've got there! I think you might qualify for a lifetime lurker award ;) nice to see you on the front page...
  • Let's correct this a bit... first, this is UK-specific, so it isn't the "Internet's" top 10, it may be the "UK Internet's" top ten. But... his statement "Taking an aggregate sample of passwords" begs the question: where did the data come from? Did he ask the first ten people he came across, or did he aggregate all the passwords in some huge database (of UK people)? Anyway... still a lesson in not entering the obvious. Use something unique, like "password"!
  • *sniff* *sniff* . . . Logic!! Get 'im!!! *barking, growling, much to-do*
  • Ha Ha! My password is spankmymonkey and it's not on the list!!!!
  • Wasn't "12345" the combination to the doomsday device in "Spaceballs?"
  • My favorite password formula is (dare I say it) well-nigh uncrackable, short of some kind of crazy action movie NSA-style attack lasting several weeks. I recommend this to everyone! 1. Choose a short phrase - a song lyric, snippet from a poem, funny quip, whatever. It should be more than two words, and less than about six. (e.g. "We're just monkeys with car keys.") 2. Go to Babelfish, enter your phrase, and translate it from English into some other language. (In Dutch, "wij zijn enkel apen met autosleutels".) 3. Pick one or more of the non-English words, and substitute them in there. ("We're enkel apen with car keys.") 4. Repeat twice more, so that you have three new passwords. Designate them low, medium, and high security - use the low security password for websites such as Monkeyfilter, medium security for (say) your computer at work, and reserve high security for a few select sites such as your bank account. The result will be a password 12-18 characters long which is easy to remember, but impossible to guess. A password this long takes a prohibitive amount of time to crack, even if it was just one long word. (45 years, according to some completely random site I just pulled out of Google.) Using multiple words reduces its crackability significantly. Mixing it up with non-English words means that it's, for all practical purposes, uncrackable. Be sure to mix up your use of the three passwords. Although it's uncrackable, it could still be obtained by several means, including a keylogger, or a site vulnerability that reveals passwords in plaintext. Using a set of passwords acts as a firewall, so that if someone obtains password 1, they only have access to a third of your online data. To make it easier on myself, I like to use passwords in "sets." Use three lines from the same chorus, poem, play, what have you. That way, in a memory loss pinch, you only have to remember which song/poem/play you were using at the time, and you can look up the rest online. 
Or you can use your daughter's name and birthday - no one will ever guess that one!
  • Almost forgot - any application you use on a public computer (if you check Hotmail from school, or log into monster.com from a library computer, for example) should be using the low-security password. Public computers are filthy with keystroke loggers.
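The comment above estimates crack time from the length of the final string ("45 years ... even if it was just one long word"). What actually bounds a lyric-based password is how many lyrics and quotations an attacker can enumerate, not how many letters it has. The following is an added example, not code from the thread or from Stuart Brown's page: it puts the strategies argued over in this thread (top-list entries, the 20xmas05 style, 8 or 12 random alphanumerics, random-word phrases, and the Babelfish scheme) under explicit attacker models and reports the entropy and expected crack time of each. Every constant (guess rate, word-list sizes, size of a lyrics corpus, number of target languages) is an assumption chosen for illustration.

```python
# Added example (not from the thread or Stuart Brown's page): how long the
# password strategies discussed above survive, under stated attacker models.
# Every constant below is an assumption chosen to illustrate the comparison.
import math
import secrets
import string

GUESSES_PER_SECOND = 10**9   # assumed offline rate against a fast unsalted hash
DICTIONARY_WORDS = 20_000    # assumed size of a common-word list
FOREIGN_WORDS = 20_000       # assumed size of the second-language word list
KNOWN_PHRASES = 10**7        # assumed size of a lyrics/quotations corpus
LANGUAGES = 10               # assumed number of Babelfish target languages tried
TOP_LIST_SIZE = 100          # the "top 100 passwords" list in the post


def bits_random(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def bits_phrase(n_words, vocabulary=DICTIONARY_WORDS):
    """Entropy of n_words chosen independently from a vocabulary: the best case
    for a passphrase (words picked at random, not a remembered quote)."""
    return n_words * math.log2(vocabulary)


def bits_translated_phrase(n_words, n_substituted,
                           vocab_native=DICTIONARY_WORDS, vocab_foreign=FOREIGN_WORDS):
    """Random-word phrase with n_substituted words replaced by a translation.
    The attacker knows the scheme, so the only extra work is which positions."""
    return (bits_phrase(n_words - n_substituted, vocab_native)
            + bits_phrase(n_substituted, vocab_foreign)
            + math.log2(math.comb(n_words, n_substituted)))


def bits_quoted_phrase(n_words, n_substituted,
                       n_phrases=KNOWN_PHRASES, n_languages=LANGUAGES):
    """Same scheme, but the phrase is a lyric or quotation found in a corpus:
    guess the phrase, the target language, and which words were swapped.
    The length of the resulting string plays no part in this bound."""
    return (math.log2(n_phrases) + math.log2(n_languages)
            + math.log2(math.comb(n_words, n_substituted)))


def crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to find the password: half the keyspace at `rate` guesses/s."""
    return (2 ** bits) / 2 / rate


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


def generate_random(length=12, alphabet=string.ascii_letters + string.digits):
    """A password of the 'random upper/lower/digits' kind, from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare():
    """Entropy in bits for each strategy from the thread, under the models above."""
    return {
        "entry on the top-100 list": math.log2(TOP_LIST_SIZE),
        "season + year like 20xmas05 (12 words x 100 years x 4 layouts, assumed)":
            math.log2(12 * 100 * 4),
        "8 random letters+digits (62 symbols)": bits_random(8, 62),
        "12 random letters+digits": bits_random(12, 62),
        "5 random common words, attacker has the word list": bits_phrase(5),
        "5 random words, 2 translated (scheme known)": bits_translated_phrase(5, 2),
        "5-word song lyric, 2 translated (corpus of known phrases)": bits_quoted_phrase(5, 2),
        "same 18-letter lyric, attacker brute-forces 27 symbols": bits_random(18, 27),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{bits:6.1f} bits  {human(crack_seconds(bits)):>16}  {name}")
    print("fresh random password:", generate_random())
```

Under these assumptions the last two rows are the point: the same 18-character string is rated at over 80 bits if the attacker is modelled as blind brute force, and under 30 bits if the attacker knows the phrase came from a lyrics corpus and the words were swapped via a translation tool. Change the constants to your own threat model; the ordering of the rows is what matters, not the exact figures.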
  • Rounding out the bottom of the list is Fred Johnson of Smyrna, Tennessee... his password "squirrel5q1f9sausage". Excellent work, Fred! You can rest assured that no one will break that unique mixture of digits, letters, and words.
  • Right on, mechagrue. I've used an old pass from some free email account, just tumbled and shifted via babelfish, to construct a number of hard to crack passes. Mein gott!!
  • One of the most interesting, proactive security education programs involves creating and sending your own employees realistic-looking phishing e-mails, asking for the employee's logon name and password. Every employee responding with his logon credentials should be required to attend an employee education program (and the more boring, the better). Then send a follow-up test phishing e-mail. Every time an employee responds, he has to attend the class. What's the betting this guy sits on his own at lunchtime?
  • I'm afraid those classes would be full all the time, if my own workplace is any indication. Here we've had stern warnings and tutorials about spam, chain letters, the dangers of forwarding and cc's, etc... still, the latest 'Forward this to save this lost baby' and multimegabyte PowerPoint cute doggie slideshows keep clogging the inboxes. Meh.
  • Still, it's quite worrying that there's such a trend - perhaps the internet and monkeys are inextricably linked? Damn RIGHT!
  • I can remember a password if I've typed it in three times, so I'll usually use a password generator for stuff I care about (PayPal, bank accounts, etc). For stuff requiring less security I'll sometimes use long acronyms, like the initials of the cranial nerves, for example: ooottafagvsh. Can't remember what each letter stands for any more, but it makes a nice password.
  • Ever since I was a kid, I've been making up my own words. Who knew they'd be so useful?
  • The best passwords are 8 or more characters of random upper & lower case letters interspersed with numbers, with no pattern whatsoever.
  • m0nkeyf1L+r?
  • Isn't "8 or more characters of random upper & lower case letters interspersed with numbers" a pattern? Anyway, my master password is written on the bottom of the first floorboard in the downstairs loo. Just in case I forget how to spell "piss_off".
  • Oootah fagwash?
  • The best passwords still have to be changed every three months, according to the rules where I work. So, rather than build something complex and clever, which requires going back and forth to the letters and numbers, and upper/lower case, I make up something with exactly 8 digits. Something seasonal, such as 20xmas05, for instance. end rant Not as secure, but when you are making me change the damn thing so often, you get a compromise.
  • "Isn't "8 or more characters of random upper & lower case letters interspersed with numbers" a pattern?" No.
  • I HATE passwords. Hate'em. And I hate changing them. hmmmm, ok Ih8p@ss! That works.
  • The place where I work casually makes us change every 4 months, which is a total pain in the ass as months can go by between when I work there. It totally decreases security when the pw has to change - secretaries end up post-it-noting it to the monitor or at least the keyboard, people like my father end up inventing stupid schemas (one was vegetables and increasing numbers; I had to do this and did internal organs and numbers - once you knew 1liver1 you could figure out 2spleen2 pretty quickly.) This being said, I'm still really surprised people still use crap passwords like '123'.
  • Good thing my password is a harder to guess word: "Mombasa" D'oh!
  • For years when I first started on computers, my password was "banana". Then, to be super-witty, I started using "notbanana" so that when I wanted to tell #2 my password (this was back before he knew he was going out with a dumbass), I'd say, "Well, it's not banana!" Until I started MoFi up I still used alphanumeric mixed-case variations on that theme. Now I'm somewhat more cautious.
  • Working in a bank requires so damned many passwords that it's a full time job just keeping them straight. We have to lock our computers with a password every time we stand up to get a sip of water, not to mention the 8 million other passwords. (Of course, we also have to swipe a security card to pass multiple portals just to go to the loo, too.) I'm totally hoping for biometrics before senility sets in.
  • cobaltnine, we have the same policy here, and I believe we're not allowed to re-use the last 6 passwords. It's quite a pain.
  • Working in a bank requires so damned many passwords that it's a full time job just keeping them straight. Amen. I had it at the bank AND my current job. I have five different uids and passwords to log in to three different midrange servers, plus my Windows password, plus my intranet password, plus my password to Subversion for Java development, in addition to my voicemail password and the ID badge I need to swipe to open doors and run the elevator. They're always changing, natch. Which makes me question that policy -- I don't know that companies really get that much of a security gain from requiring password expiration and not allowing users to rotate them. I think you wind up with people either writing them down or just appending a number to it that they increment -- not to mention all the help desk reset headaches. You'd likely be better off just enforcing one insane password policy (must be written in leetspeak using only the Cyrillic alphabet, every prime-numbered letter must possess an umlaut), and let them memorize that and keep it.
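Two comments above describe exactly what forced expiry produces in practice: "1liver1" becomes "2spleen2", "20xmas05" becomes "20xmas06", or a trailing number is bumped. A password-change handler can at least refuse the rotations it can see. The following is an added example, not code from the thread or from any of the posters' employers: a check that rejects a new password which differs from the current one only in digits or case, shares its word stem, is too close by edit similarity, follows a season/month-plus-year layout, or repeats one of the last six passwords (the history rule one poster mentions). The 0.8 similarity cut-off, the PBKDF2 parameters and the calendar word list are assumptions; the history is compared by salted hash because only the current password is available in plaintext at change time.

```python
# Added example (not from the thread): a password-change check that rejects the
# predictable rotations described above (bumping a digit, cycling a season or year,
# keeping the same word stem) and enforces the "no re-use of the last six" rule.
# The similarity threshold, calendar word list and PBKDF2 parameters are assumptions.
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

HISTORY_LENGTH = 6        # "not allowed to re-use the last 6 passwords" (from the thread)
SIMILARITY_LIMIT = 0.8    # assumed cut-off for "too close to the current password"
PBKDF2_ROUNDS = 100_000   # assumed work factor for stored history entries

# Season or month word, optionally wrapped in digits: 20xmas05, Summer2005, jan06...
CALENDAR = re.compile(
    r"^\d{0,4}(spring|summer|autumn|fall|winter|xmas|christmas|easter|"
    r"jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\d{0,4}$", re.I)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 entry for the history list, as (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password, entry):
    """Constant-time comparison of a candidate against one history entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def stem(password):
    """Letters only, lower-cased: '2spleen2' -> 'spleen', '20xmas05' -> 'xmas'."""
    return re.sub(r"[^a-z]", "", password.lower())


def only_digits_or_case_changed(old, new):
    """True when old and new differ only in digit runs or letter case
    (liver1 -> liver2, 20xmas05 -> 20xmas06): the rotation habit complained about."""
    def mask(s):
        return re.sub(r"\d+", "#", s.lower())
    return old != new and mask(old) == mask(new)


def check_change(current, new, history):
    """Return the reasons to reject `new`; an empty list means accept.
    `current` is the plaintext the user just typed to authorise the change;
    `history` holds (salt, digest) entries from hash_password, most recent first."""
    if new == current:
        return ["identical to current"]
    reasons = []
    if only_digits_or_case_changed(current, new):
        reasons.append("digits-only change")
    if stem(new) and stem(new) == stem(current):
        reasons.append("same word stem as current")
    if SequenceMatcher(None, current.lower(), new.lower()).ratio() >= SIMILARITY_LIMIT:
        reasons.append("too similar to current")
    if CALENDAR.match(new):
        reasons.append("calendar pattern")
    if any(matches(new, entry) for entry in history[:HISTORY_LENGTH]):
        reasons.append("reuses a recent password")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the "banana" / "notbanana" pair from this thread.
    previous = [hash_password("notbanana")]
    for old, new in [("liver1", "liver2"), ("20xmas05", "20xmas06"),
                     ("banana", "notbanana"), ("banana", "squirrel5q1f9sausage")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new, previous) or 'ok'}")
```

The check can only see rotations that keep the current password's shape; a schema the user carries in their head ("vegetables and increasing numbers") is invisible to it, which is why the poster's conclusion about expiry policies is a fair one. The history hashes are kept per-entry salted so that the stored list itself does not hand an attacker a cheap way to test guesses against six old passwords at once.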
  • Recipe for Passwords: Take any two or three memorable words from MoFi: Squee + Werzog + eeked, or from a song or a favorite book: Jabberwock + Teapot. Then stick two or three numbers from a friend or relative's street address, postal code, or telephone number in there after the seventh letter: SqueeWe382rzog, Jabberw382ockTeapot. Et voilà! Nothin' to it. Ye can make up your own recipes varying things like that. Or break a familiar longish word or phrase into syllables. Scramble the syllables up: "ho ni soit qui mal y pense" becomes "malsoitniyhopensequi". Or try spelling some syllables backwards: "ho ni soit qui mal y pense" becomes "hoinsoitiuqmalyesnep". ;] Fun!
  • Wasn't "12345" the combination to the doomsday device in "Spaceballs?" It was the password to the shield that protected Druidia's atmosphere. And it was President Skroob's luggage combination.
  • Why didn't somebody tell me my ass was so big??
  • This old geezer has been using computers for over 30 years, and back in the day, my unforgettable but virtually unbreakable password was "allenludden". It helped that his name was frequently misspelled. Of course, misspelling is one of my favorite encryption devices as long as it's not a common misspelling: "oximoron" combined with a number felt safe until that "OxiClean" stuff came on the market and muddled everything. Also, mashing together two words that could share a couple of letters, i.e.: "passwordinary". And spoonerisms: I used variations of "oneswellfoop" frequently before I decided to use it as a domain name. Backwords works too; my father's name is not "drawoheel". Passwording can be fun!
  • It seems odd to me that a four-digit numeric PIN is good enough to protect my bank account, while access to my PC at work, which contains nothing interesting or valuable, requires an eight-digit alphanumeric password.
  • Plegmund, you are brilliant. But I think now that we can get to our bank accounts online, they should extend it to 8 numbers... If any of you monkeys are not too creative or just too tired from jumping around the monkey cage, go hit this site that will include all sorts of odd chars which makes the password even stronger. I usually let it generate 25 or so, then try to type them. The one that is easiest to type and remember is the winner...for at least 90 days. Ç└Ïçķ