
Mind that password

on October 8, 2009

The phishing attack that led to more than 10,000 Hotmail, MSN and passwords being exposed online earlier this week has provided an interesting glimpse into the mindset of email users when setting up their accounts.

A researcher who managed to look at the 10,000 or so Hotmail, MSN and passwords published an analysis of the list and the strength of passwords used.

According to the analysis, one of the simplest passwords around, ‘123456’ appeared 64 times in the list. Undoubtedly, those account users would do well to change it as soon as possible but judging by people’s attitudes towards passwords, I doubt that many of those 64 account holders will choose anything more complex than adding an ‘a’ at the beginning.

Some of the other statistics are quite interesting. Forty-two percent of the passwords only use lowercase letters from ‘a to z’, while only 6% used mixed alpha-numeric and other characters.

The analysis shows that one-fifth of the passwords were only six characters long although the longest had 30 characters. The shortest was 1 character long.

A good number of passwords were formed using first names which is just as secure as having no password at all.

As Emmanuel Carabott explains, it is very important that people not only create strong passwords but they also change them regularly. Furthermore, it is good practice to use different passwords for different accounts so that if one is compromised, your other accounts or memberships will not be affected.

A lot of people are worried that if they use very strong or long passwords, they will forget them and not be able to access their email. While this is a valid point, it is possible to create a strong password that you can and will remember. For example, you can choose a phrase or a combination of words that are of particular significance: "I love chocolate". By changing a few characters you can create a strong password: !loveCh0c0late.
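The statistics quoted above (repeat count of '123456', share of lowercase-only passwords, length distribution, first-name passwords) are exactly what a defender computes when auditing a leaked or internally cracked password list. The following script is an added example, not code from the original post or from GFI; it runs the same kind of analysis over a small constructed sample (which includes the post's own '123456' and '!loveCh0c0late') and flags each password with the reasons it would be considered weak. The first-name and common-password lists are tiny placeholders; a real audit would use full wordlists.

```python
"""Audit a password list the way the analysis described in the post does."""
from collections import Counter

# Constructed sample list (not the leaked Hotmail data). 20 entries so the
# percentages come out as whole numbers.
SAMPLE_PASSWORDS = [
    "123456", "123456", "password", "abcdef", "jennifer", "michael",
    "!loveCh0c0late", "a123456", "qwerty", "Summer2009", "x", "letmein",
    "iloveyou", "david", "P@ssw0rd!", "monkey", "sunshine", "football",
    "111111", "Tr0ub4dor&3",
]

# Constructed placeholder wordlists; a real audit would load far larger ones.
FIRST_NAMES = frozenset({"jennifer", "michael", "david", "john", "sarah"})
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "111111"})


def classify_charset(pw):
    """Return which character classes a password draws on."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    classes = sum([has_lower, has_upper, has_digit, has_other])
    if has_lower and classes == 1:
        return "lowercase-only"
    if has_digit and classes == 1:
        return "digits-only"
    if has_other or classes >= 3:
        return "mixed"          # alpha-numeric plus other characters
    return "alphanumeric"       # letters and digits, nothing else


def is_first_name(pw):
    return pw.lower() in FIRST_NAMES


def weak_reasons(pw):
    """List the reasons a password would be flagged; empty list means none."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if classify_charset(pw) in ("lowercase-only", "digits-only"):
        reasons.append("single character class")
    if is_first_name(pw):
        reasons.append("is a first name")
    if pw in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    return reasons


def audit(passwords):
    """Compute the aggregate statistics the post quotes for a whole list."""
    n = len(passwords)
    counts = Counter(passwords)
    lengths = [len(p) for p in passwords]
    charset = Counter(classify_charset(p) for p in passwords)
    return {
        "total": n,
        "most_common": counts.most_common(3),
        "pct_lowercase_only": round(100 * charset["lowercase-only"] / n, 1),
        "pct_mixed": round(100 * charset["mixed"] / n, 1),
        "pct_six_chars": round(100 * lengths.count(6) / n, 1),
        "shortest": min(lengths),
        "longest": max(lengths),
        "first_name_count": sum(1 for p in passwords if is_first_name(p)),
        "flagged": sum(1 for p in passwords if weak_reasons(p)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
    for pw in ("123456", "jennifer", "!loveCh0c0late"):
        print(pw, "->", weak_reasons(pw) or "no findings")
```

Run against a real list, the `flagged` count and the per-password reasons are what feed a forced-reset or user-education campaign; the aggregate percentages are the numbers you would compare against the ones in the post.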

Read the following Technet article for guidelines on choosing strong passwords.

About the Author:

David Kelleher is Director of Public Relations at GFI Software. With over 20 years’ experience in media and communications, he has written extensively for business and tech publications and is an editor and regular contributor to Talk Tech to Me.

John Mello October 12, 2009 4:55 pm

Creating strong passwords can be a mixed bag. Programs like Roboform have password generators capable of spawning passwords near impossible to crack. Unfortunately, they’re impossible to remember, too. One solution that I’ve found helpful is to pick a memorable name or phrase and turn it into a combination of letters and numbers using a telephone keypad. So something like barrackobama becomes 2a7r2c5o2a6a. To add to the complexity, I will create some additional rules. For instance, every third character will be a shifted one. So 2a7r2c5o2a6a becomes 2a&r2C5o@a6A. You still have to remember your core passwords–like barrackobama–but reproducing their strong counterparts is relatively simple.

David Kelleher October 14, 2009 10:39 am

Thanks John. That’s an interesting approach and one that most will not find too hard to remember or apply.

Leandro Amore November 25, 2009 9:48 pm

In my experience the best way to make a user remember his password is the use of phrases. By using this, you manage to generate long and strong passwords which are easy for the user to remember. For example you can set something like "Year 09 is over". It's easy to remember but it also contains upper case, lower case, numbers and special characters (spaces in this case).
I always suggest this to my users with a good rate of success, which I can measure because of the amount of blocked passwords on Monday mornings. ;)

Mike Loogan March 9, 2010 4:01 pm

I think that other email services might have different authentication options; some of which might be a little tougher. I would look into Hushmail (even with the problems they had), Postini and a new service called JumbleMe.