Dear User: Your Password Stinks, Love IT

When it comes to creating solid user account passwords, predictability and duplicability are two major blunders to avoid. If any user in your company thinks he or she is being clever by using the obvious “password” as their password, they should think again. Hackers, however, will certainly appreciate them for making their job easier.

Even slight variations, such as switching an “o” to a zero when spelling out predictable passwords — for example, “passw0rd” — won’t fool anyone. With password theft on the rise, these users could be compromising confidential company information in addition to personal records. Can your company afford to leave this IT security gap [2] wide open?

Many IT workers already encourage co-workers to select strong, secure passwords, but many users ignore this advice and continue to use their easy-to-guess and familiar passwords.

But they’ve been put on notice with the release of the list of the 25 worst passwords of 2011 [3], compiled by SplashData, a password management app maker.

These are the passwords that were successfully hacked, most often, according to SplashData’s study of millions of stolen passwords.

Have you run across any of these passwords in your company?

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

What Your Business Can Learn From the 25 Worst Passwords of 2011

There are some mysteries on the list, such as the oddly popular “monkey” and “shadow.” But many of the worst passwords are obvious, like those that include sequential numbers (“123456”) or common names (“ashley,” “michael,” and “bailey”), most likely the user’s own or that of a family member or friend. Other bad passwords are based on keyboard layouts, like “qwerty” and “qazwsx.” And with an increasing number of sites requiring more complex letter-and-number combinations, many users now have passwords along the lines of “abc123” or “trustno1.”

While this list is good fodder for a laugh or two, it highlights the fact that password protection is a necessity. Many companies still allow workers to choose their own passwords, and that can work if guidelines are provided to help users avoid the common mistakes of the 25 worst passwords.

Stop putting your information at risk and ensure that company IT security policies include clear rules on creating stronger passwords. BizTech magazine suggests making passwords more secure with these 5 tips:

• Diversify your passwords: Mix upper or lowercase letters, numbers and special characters.
• Use the maximum number of allowable characters: A pass phrase such as “D@dhad$a7shadsal@d” may be easier to remember than “g8Qa3&uP” — and longer passwords are much harder to crack.
• Use special characters first: #, ! and %, for example, are particularly useful when used as the first character, such as “%squid17Ink.” Most password crackers work through alphanumeric character combinations first when trying a brute-force crack, so a special character makes it that much harder to bust the password.
• Stand up to testing: You can check your passwords against a password cracker (there are many available online) to see how well they withstand brute-force attacks. You may be surprised.
• Change regularly: Keep the hackers guessing by changing your password every so often. If you’ve been carrying around the same password for the past 3 years, it’s time to make a change.