Passwords: Most People Do It Wrong

Quick: What’s your password? Is it 123456? Is it password? Is it abc123? Is it your first name? Surprisingly, for a large number of users, those are the types of words being picked to safeguard private accounts. Not surprisingly, that’s a bad thing.

About a week ago open source forum project phpBB had their site hacked. About 20,000 passwords from users of the site were published to the Internet. Though that’s definitely not a good thing, for security researchers it offered a unique opportunity to study how real users create passwords.

Robert Graham, of Dark Reading, published some findings about the patterns used in the hacked passwords last week. The list of the top 20 passwords from the phpBB data set is not very encouraging. The number one password — used by over 3% of accounts — was ‘123456.’ Number two on the list was ‘password.’ Number three was ‘phpbb.’ In fact, almost all of the top 20 most used passwords were variations of those simple themes: numbers in sequential order, keyboard combinations (like ‘qwerty’), or common words or names.

Graham found that between 65% and 94% of passwords were common dictionary words (the latter number being for dictionaries that include commonly used proper nouns, such as “Xbox” or “Pokemon”), and that on average, the words tended to be simple words like “apple” or “orange” rather than more complex words.

16% of passwords matched a person’s first name. 14% of passwords were patterns on the keyboard. 4% were variations of the word “password.” 5% referenced pop culture, and 4% likely described things near the user when the password was picked (such as “samsung,” “viewsonic,” or “compaq”).

The passwords from the hacked phpBB accounts show the same pattern seen in a comparable breach at MySpace two years ago, in which about 34,000 user names and passwords were made public. The top twenty from that attack included password1, abc123, myspace1, password, qwerty1, 123abc, 123456, jordan23, and iloveyou1.
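To make the categories in Graham’s analysis concrete, here is an added example (not code from the article or from Graham’s study) that sorts a constructed sample of passwords into those buckets and reports the share of each. The word, first-name and product lists are tiny constructed stand-ins for the real dictionaries an audit would load.

```python
import re
from collections import Counter

# Constructed stand-ins for the real word, name and product lists an analysis
# like Graham's would use; a real audit would load full dictionaries here.
DICTIONARY = {"apple", "orange", "dragon", "test", "letmein", "iloveyou", "monkey"}
FIRST_NAMES = {"jordan", "michael", "jennifer", "daniel", "ashley"}
PROPER_NOUNS = {"phpbb", "myspace", "samsung", "viewsonic", "compaq", "xbox", "pokemon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_sequence(s):
    """True for runs of consecutive characters such as 123456, abcdef or 654321."""
    if len(s) < 3 or not s.isalnum():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_walk(s):
    """True when the string is a straight walk along one keyboard row (e.g. qwerty)."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def classify(password):
    """Assign a password to one of the pattern buckets described in the article."""
    p = password.lower()
    if "password" in p or "passwd" in p:
        return "password-variant"
    if is_sequence(p):
        return "sequence"
    # Drop leading/trailing digits so jordan23 and 123abc expose their core.
    core = re.sub(r"^\d+|\d+$", "", p)
    if core != p and is_sequence(core):
        return "sequence"
    if is_keyboard_walk(p) or is_keyboard_walk(core):
        return "keyboard"
    if core in FIRST_NAMES:
        return "first-name"
    if core in PROPER_NOUNS:
        return "proper-noun"
    if core in DICTIONARY:
        return "dictionary"
    return "other"


def summarize(passwords):
    """Return (count per bucket, percentage per bucket) for a list of passwords."""
    counts = Counter(classify(pw) for pw in passwords)
    total = len(passwords)
    percentages = {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}
    return counts, percentages


# Constructed sample "dump" echoing the kinds of entries the article lists.
SAMPLE = ["123456", "password", "phpbb", "qwerty", "12345", "12345678", "letmein",
          "1234", "test", "123", "dragon", "abc123", "jordan23", "iloveyou1",
          "samsung", "Xk9#pL2q", "ab123", "password1", "myspace1", "apple"]

if __name__ == "__main__":
    counts, pct = summarize(SAMPLE)
    for cat, n in counts.most_common():
        print(f"{cat:17s} {n:3d}  {pct[cat]:5.1f}%")
```

Run against a real credential audit the same way, swapping in full word lists; the buckets that dominate tell you which policy rules are not working.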

The implications of this are that breaking into many user accounts, for those so inclined, might be a lot easier than people think if they’re using such insecure passwords. Coupled with a January 2008 study by digital communications agency @www that found that 61% of people use the same password for every account they own, you can begin to realize what a potentially huge problem this is.

The likely cause of both the insecure passwords and the reuse of one password everywhere is the same: password fatigue. People now have so many account credentials to remember that it borders on the absurd. To keep track of them all, most people appear to reuse the same passwords and to choose easy-to-remember, insecure phrases. That is bad form and makes their accounts easier to compromise.

One solution, of course, is OpenID. If OpenID were truly universally accepted, then one set of login credentials is all that people would need to remember. Of course, it also means that if your account were compromised, it would give the attacker access to everything at once (though given the current use patterns people exhibit, that’s already the case).

However, if people were educated in safe password practices, chose harder-to-guess random strings of letters, symbols, and numbers, and changed them often (monthly?), OpenID could make that process easier and more feasible. Thoughts?


  • Sean

    Any recommendations for password creation and storing software?

    I currently have 5 different passwords I use, which vary in security strength. I use each depending on how much of a risk I consider each site.

    Banking, email have very strong passwords
    message boards relatively weak, but nothing like 123456

  • dougoftheabaci

    For those of us who are Mac users we have apps like 1Password. I use it for myself and it comes with a strong password generator that I have making 20 character long alpha-numeric passwords, usually with at least one symbol.

    And then it remembers it for me. This way I can have NSA-grade passwords stored in a secure place without having to remember them all. Just one master. Good times!

  • Tony

    My password for any given site consists of one word/number pair that is significant to me, and either the name or acronym of the site, or something else significant about the site that makes intuitive sense to me. In one sense that means I have the same password for every site, but customized to the site. If anyone finds out the part that never changes, I’m screwed, but it’s easy for me to figure out what the password for any given site is even though each site or service has a slightly different password.

    Not bulletproof, but better than the combination to my luggage.

  • Andrew

    My solution is to use 1Password. I have one master password that is challenging but memorable. Then my other passwords are randomly generated. The only challenge I have is entering passwords on my phone when browsing the web.

  • Anonymous

    That is why all my passwords are based on Muppets characters… Oh darn the secret is out.

  • http://fcOnTheWeb.com ferrari_chris

    This is interesting reading, and validates the work I have recently been doing to change all my passwords to random character strings with a mix of upper and lower case and numbers.

    Although, this now means I have to keep a notebook of sites and passwords, but I guess writing my passwords down is more secure?

  • joel

    This is actually where I find a password manager app (such as PasswordSafe) useful. It lets me categorize and organize different passwords for different sites, and generates and saves random ones for sites I don’t care much about but need a login to use (ordering pizza, etc). Among other things, this mitigates the risk of one site compromise granting access to many other sites, since every site is still different.

  • Alex Jones (@BaldMan)

    There’s no reason for bad passwords to exist these days. There are some great solutions on the software front (I love 1Password as noted above) and on the services front we’re seeing more options such as OpenId come to the fore.

    I recently wrote up a method that makes it easier for people to create and remember complex passwords that are different per site. I’d love feedback on it as I’m sure it could be improved.

  • http://www.velocityengine.net/ xangelusx

    Another obstacle for users is ridiculous password restrictions. I’m not just talking about forcing passwords to have at least one number. I mean things like:

    It can’t have spaces
    It can only be numeric
    It can’t be one of the last 6 you used
    It can’t be more than 8 characters

    These restrictions are more likely to make a user choose a lazy password than a strong one. I can think of very few reasons why there would be a valid reason to restrict the data (such as entry from alternate media sources like a phone keypad), but in most cases, if you’ve done your homework and are properly escaping user input, there is no reason to limit what can go into a field.

    These limitations particularly frustrate me since I use a not-complex-but-not-easily-guessable algorithm for picking and remembering my site passwords. In most cases my password for any given site will include uppercase and lowercase letters and one or more numbers and/or special characters. But my formula falls to shit when I get a website that won’t accept anything but a 6-digit password.

    Another gripe – It is absolutely unacceptable to write any sort of application that DOESN’T hash passwords in the database!!!! There’s no reason not to. Evar. Evar, do you hear me!!!! I suggest that it is the responsibility of responsible programmers to let their users know that their passwords ARE hashed. By consistently telling users when they are protected, perhaps they will be more wary of sites that don’t have a statement regarding the protection of passwords and other personal information.

  • Grizzdj

    I believe that the majority of the problem is as you described. I know I have several email accounts, bank accounts, website logins, etc, etc, and it gets to be a real problem if you can’t remember your password – or sometimes even your login ID. My solution has been to use Keepass for windows (I am assuming the same type of app as 1password) to store all of my login and password combos. I have one super strong password to access the DB and then randomly generate all of my others. Similar to OpenID, I only have to remember one password. I use this in conjunction with Dropbox to always have my DB file available no matter where I am.

  • http://www.lowter.com lotrgamemast

    I use 2 different levels for my passwords really. One level (with one set password) for the unimportant stuff like forum membership. A next level with a different password for the more critical stuff like my Steam account and another level for stuff like email and paypal accounts.

    I think this approach works quite well, as if someone gets my password on the lower level sites (which is more likely because of less security on these sites) they still can’t access my more important accounts.

    Works well for me.

  • Laz

    I use different “levels” of passwords too… all of them a little bit more secure than “123456” or “password”. But not random character strings as strict security rules would suggest. That would imply using a paper notebook, and I don’t want to get to that.

    I think that what everybody needs is some kind of online password manager. Of course that would need to be extra-secure, or we’d all be doomed. :-)

    Does anything like that already exist?

  • aaron_w

    People need to be educated to use good tools for password management; otherwise they will resort to either 1) easy passwords, 2) reusing the same password everywhere, or both. Good tools exist and are freely available (and are not limited to commercial programs for Mac, like the one dougoftheabaci mentions above), but it does still take some time and effort to initially set up and learn to use.
    I recommend using an encrypted password database (in conjunction with a backup scheme, in case the database is lost / corrupted). This way, only one strong password has to be remembered. Pick a good password for the master key, and invest some effort in remembering it.
    I use KeePass (keepass.sourceforge.net), which is for windows and has ports for Linux and Mac OS X (keepassx.sourceforge.net). In addition I have dropbox installed (getdropbox.com) which provides me with an automatically backed up and synchronized folder on my hard drive.
    So, I install the portable version of KeePass (portableapps.com) on a USB flash drive, and when at home/work, use a batch file to open it which makes backup copies to the hard drive and the dropbox folder each time I use it. This way, if I lose or break the flash drive (which has happened), or find myself away from it, I don’t lose all my passwords – there is a backup on my computer as well as on dropbox’s servers, and any other computers I have set to synchronize with dropbox.
    Before I did this, I kept my passwords all on a sheet of paper hidden in my file cabinet, which at least let me choose and remember unique strong passwords; it was more secure from a network perspective, but not very physically secure. I feel more secure with the digitally-encrypted solution.

    Plus, KeePass includes a strong password generator so I don’t always have to think of my own.

  • http://xslt2processor.sourceforge.net boen_robot

    I hope the commenters here realize we’re more “geeky” than your average Joe (the plumber?)… you can’t expect people to actually install a password protected application to keep track of the passwords in their applications. At first, this actually sounds as ridiculous as saying “give me access to your credit money so that I can give money to the merchant”… that’s what PayPal does, and when you think about it, and actually set it up initially, it’s very comforting indeed, but until then, it all looks very mysterious, fancy and confusing.

    For me, I prefer to use the “level” system that lotrgamemast suggests – one or few easy passwords for web sites and other non-encrypted places, and one or few harder passwords for encrypted and more important places like banks, emails, etc. So far, this seems to have worked for me (though I guess, I’ve never really been a target), and I believe it may work well for most people – worst case scenario is that all of your accounts on THAT level get hacked, and you have to come up with a new password(s) for new low/high level accounts.

    Who has the mental memory to remember a different password every month? Unless you have an explicit algorithm by which you generate a password depending on the date and time AND which you can remember and recover easily, no one would bother.

    @xangelusx, password restrictions are used when the system uses a legacy system that either never used hashing, or never supported it (e.g. imagine if C++ was used for the back end as CGI with no particular hashing library available). Also, and this is something I recently had to deal with personally, it happens when you need to communicate with another system in a potentially unsafe fashion, like (as it was in my case) the command line for example. The other application itself is going to do the hashing and all, but if your communication tunnel breaks, you’re exposing your system to just as much risk.

  • ZenPsycho

    Here’s a strategy I’ve been thinking about for a while, based on some of this research and some books that I’ve read on the subject.

    Step 1: Generate the user’s password FOR them. Don’t ask them to come up with their own, they will pick something insecure.
    Step 2: Generate easy to remember passwords. This might seem to contradict security, but it can be done as described below.
    Step 3: Don’t store the passwords, instead store hashes
    Step 4: Put a delay of at least 5 seconds between password attempts

    Easy to remember yet secure passwords:

    You need a dictionary of about 32000 words, and when you generate passwords, generate them as combinations of two randomly picked words from the dictionary. For example: HotelStation. Holy shit, no symbols, no numbers, using whole dictionary words. WHAT ARE YOU THINKING MAN? Well, here’s some math. Assuming that our perpetrator has stolen our 32000 word dictionary, to crack a single account, they have to try every combination of two of the words. This amounts to 102.4 billion combinations. With 5 seconds between each attempt, it would take 1624 years to try each one.

    What if we brute forced it? With 12 alpha characters, we know the first one is caps, but since we don’t know the length of the first word, we don’t know where the next caps will be, so to brute force it we have to try both caps and lowercase. This means 26*(52^11). Since our password may be shorter, let’s try 26*(52^7), since we can make sure our dictionary doesn’t contain any words shorter than 4 characters. 26.7 TRILLION combinations. So. uh.. an order of magnitude longer than 2000 years. try ~2,000,000 years.

    You can’t deny there’s a lot of advantages to this approach.

  • ZenPsycho

    Also, this may seem obvious, but I would like to just point out that

    BananaBattery, BookTakes, ThatSalad, etc. etc. are much easier to remember than AS)!12, and really about as secure.

  • http://www.studio-gecko.com/ XLCowBoy

    So many comments, and yet the problem is still the same:

    We who work in IT, or are exposed to it, understand the gravity of the problem and the implications. Hence we tend to be more secure.

    Those who do not understand the gravity of the problem, and the implications, simply are not inclined to care (and some are simply downright stupid – but they can’t be helped even in real life, so they’re an even greater hopeless case on the web.)

    Until the casual masses are educated, this will continue to be a problem.

  • tiggsy

    Changing passwords regularly if you have hundreds of different places to log in to is just not feasible. In any case, many places don’t make it easy to change your password. I have a compromise which I use, and my daughter has told me she does the same sort of thing. I have a main “insecure” password for stuff I don’t mind a lot about, then I have a couple of variations of that that are a bit more secure and a mega-secure one. I have a password I use only for email. And then there are the weird ones where you get assigned a password and can’t change it. I just have to rely on Firefox to remember these, but it doesn’t always work (especially with jokers who use Flash for signing in), so I get a lot of “forgot password” emails for sites I don’t use very often.

  • ZenPsycho

    suppose your dictionary AND your unsalted hash table got leaked. It would still take a fast computer 118 days (assuming 10ms per hash) to produce a reverse lookup table that would require at least 26 Gibibytes (it’s a real word!) of storage, assuming that we have a dictionary that’s ONLY 4 letter words. Since we don’t, expect these numbers to be somewhat bigger.

    But if you’re up to the point where your password table has leaked, you’ve already lost.

  • http://www.SIX15.com mackman

    “1… 2… 3… 4…”

    “Damn! I have the same combination for my luggage!”

  • kylewbaker

    For you Windows users, just wanted to chime in with my props to KeePass.

    Like aaron_w I use the portable version (http://portableapps.com/apps/utilities/keepass_portable) and keep it both backed up on a separate drive and synced to a USB key so I run it on a different computer if need be.

    It’s really an excellent open source app (keepass.sourceforge.net) and lets you categorize/group account types, keep notes on accounts, has a strong password generator if you want to use it, and can be extra secured by requiring both a password and a key file if desired.

  • http://nicknotfound.com nicknotfound

    It could be argued that the bigger problem here is that the passwords were able to be exposed in the first place. Storing cleartext passwords is absolutely unacceptable. Period. There is not a situation in which this is warranted or necessary.

    boen_robot mentioned above that there are cases where the passwords must be available in order to call command-line programs using a user’s password. I realize there are plenty of times where we have to maintain legacy systems that we didn’t help create (read: no judgement passed), but for new systems, there are much better ways to handle this.

    One way would be to hash the password and use key-based authentication when calling other services, where the user’s cleartext password (available only during the initial authentication process when supplied by the user via a login form) is used as the key password, and the unlocked key is held in memory until it is needed. (Using the cleartext password as the key password prevents an attacker from unlocking the key with the hashed password in case the database was compromised.)

    Another option would be to hash the web login password and separately store the command-line password encrypted. The web password and command-line password shouldn’t be the same in the first place, because a compromised web password would give an attacker deeper access into the system.

    Regardless of the implementation specifics, the point is that cleartext passwords should never be stored.

    Don’t even get me started on sites that e-mail you your password in the clear after signing up for a new account…
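The hashed storage nicknotfound argues for, together with the per-attempt delay and attempt cutoff from ZenPsycho’s steps 3 and 4 above, as an added example (not code from any commenter). It assumes Python’s standard library only; the PBKDF2 work factor and the 5 s / 5-attempt parameters are constructed choices, and the clock is injectable so the throttle can be tested without sleeping.

```python
import hashlib
import hmac
import os
import time

# Work factor is a constructed choice kept low for the demo; raise it for production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a self-describing verifier string; the cleartext is never stored."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared lookup tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verifier used for unknown usernames so a failed login costs the same either way
# (otherwise response time reveals which usernames exist).
_DUMMY_VERIFIER = hash_password("unused-placeholder")


class LoginThrottle:
    """Per-account delay after every failure, and a longer lockout once the
    failure cutoff is reached.  The clock is injectable so it can be tested."""

    def __init__(self, delay=5.0, max_failures=5, lockout=900.0, clock=time.monotonic):
        self.delay = delay
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock
        self._state = {}  # username -> (consecutive failures, earliest next attempt)

    def allowed(self, username):
        _, not_before = self._state.get(username, (0, 0.0))
        return self.clock() >= not_before

    def record(self, username, success):
        if success:
            self._state.pop(username, None)
            return
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        wait = self.lockout if failures >= self.max_failures else self.delay
        self._state[username] = (failures, self.clock() + wait)


def attempt_login(store, throttle, username, password):
    """store maps usernames to verifier strings; returns 'ok', 'denied' or 'throttled'."""
    if not throttle.allowed(username):
        return "throttled"
    stored = store.get(username, _DUMMY_VERIFIER)
    ok = verify_password(password, stored) and username in store
    throttle.record(username, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("HotelStation")}
    throttle = LoginThrottle()
    print(attempt_login(users, throttle, "alice", "123456"))        # denied
    print(attempt_login(users, throttle, "alice", "HotelStation"))  # throttled
```

Because only the verifier string is stored, a “send me my password” feature cannot exist; the site can only issue a reset, which is the situation rundmw describes below.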

  • rundmw

    I am delighted to hear such unequivocal support (from @xangelusx and @nicknotfound, for example) for the (obvious) best-practice of never storing cleartext passwords.

    I consistently butt heads with my clients on this point. “Why can’t we just send the user his password?”, they always ask, to which I respond “We do not know it. We can only generate him a new one”. They usually seem to be surprised and irritated that their web-developer, sysadmin, webmaster, etc simply does not know the user’s password.

    Not surprisingly, these same clients insist on emailing passwords to users in cleartext. Sigh…

  • http://xslt2processor.sourceforge.net boen_robot

    @nicknotfound
    It wasn’t a legacy system I was dealing with… but it is indeed a closed system. I was dealing with IIS7 registration and user creation. Since I chose not to use ASP.NET, I had to use one of the two other methods – edit the applicationHost.config file, or use the command line. I’d have chosen the first option, but the applicationHost.config file stores passwords in an encrypted form in some cryptographic form I’m not aware of and which I don’t know if PHP can duplicate. The next best thing was the command line. Since the authentication is direct, whereas the registration is indirect (because of PHP), I had to ensure that both were thinking the same password (so accepting any password and sanitizing/hashing it – not an option). Having two passwords was an option, but I chose to make it more convenient for users.

    @ZenPsycho
    I like that idea. I see just one pitfall with it, but that’s only applicable to places like mine – what about those people that don’t know English (well)? Yes, you can always have a dictionary in another language, but what if that language uses Cyrillic or hieroglyphs? Not everybody knows how to switch between US keyboard layout and the rest, and the same users which are not likely to know how are also users that would otherwise give weak passwords. I suppose those people would just copy & paste either way (and I’m assuming they can do at least that reliably, though I’ve had to deal with some people that have trouble even with that). Also, if this method gets overused, I believe public dictionaries with likely words are going to appear. Unless your generator also generates a unique, short prefix/suffix that’s not part of the dictionary, then maybe crackers would start to optimize their tactics based on those public dictionaries. Having such a prefix/suffix would ensure they still need some sort of brute force along. For example BigHotel7123 and as80CarBlue seem safer, while still being memorable enough.

  • Nick B

    After reading the article I decided to improve and vary my passwords.
    The first problem I found was that many sites (including my bank) don’t allow you to use special characters in your password.
    The second problem is that one site doesn’t let me log on anymore after changing the password (yes I’m sure I got it right because surely I can’t have made the same typo twice).
    I think that Web sites themselves should take a certain amount of blame for poor passwords.
    I think all sites should:

    Allow special characters
    Tell you how good your password is
    Store hashed passwords

  • Stevie D

    I think that what everybody needs is some kind of online password manager. Of course that would need to be extra-secure, or we’d all be doomed. :-)

    Does anything like that already exist?

    I use Opera’s built-in password manager, but (a) it doesn’t always notice when I first register on a site, so I need to remember til at least the next time I log in, (b) it only works on that computer, so hard to keep track when you’re using multiple machines.

  • quest8

    What is the correct way to create a strong password?

  • http://cydewaze.org cydewaze

    Our office recently increased the complexity of our password restrictions. Passwords are now required to:
    - contain both upper and lower case letters
    - contain a number
    - contain a special character
    - be at least 12 digits in length
    - be different than the last 12 passwords you used
    - be changed every 90 days (or every 30 for admins)

    The other day I was helping a user, and he accidentally typed his pw into the username box. It was !1Qqqqqqqqqq

    That meets the requirements, but how secure is it really? He said that once the passwords went to 12 letters, he could never remember what the pw was, so he was always calling the help line. Now he has a post-it note on his monitor with a “Q” on it, so I guess he leaves the first two digits the same and just changes the letter and posts this month’s letter on his monitor. Security at its finest!

  • Vali

    Commander: So the password is, 12345… That’s the stupidest combination I’ve ever heard in my life! It’s the kind of thing an idiot would have on his luggage!

    Later…

    Commander: Sir, we have the password to the air shield!

    President: Excellent! What is it?

    Commander: 12345.

    President: 12345?

    Commander: Yes!

    President: That’s amazing, I’ve got the same combination on my luggage!

  • glenngould

    I have various password generation patterns. I’ll list two of them here:

    -If you are familiar with music notation, think of a part of melody you like and type it as letters (CDEFGAB).

    -Start with a simple word and change part of it (a letter or more) every time you change your password. In time you’ll have a password close to a random one but you’ll remember it as easy as a dictionary word.

  • Andy Mo

    my favourite password trick is to think of a phrase and use the first letter of each word.
    “oh my god i hate my job” would be “omgihmj”
    It’s something people could remember quite easily as well, but as most of the comments above seem to say, it’s only IT people that would think of something like this.

    However i like the 32000 word dictionary with capital letters. very nice :)

    Would it be worth having a definitive sitepoint article on password hashing for log in systems?

  • Alessio

    Another approach is to automatically (say every 30 days/month) ask your users to choose another password when they try to login, and don’t redirect them until they submit a new password. Instead of relying on users to do so independently, force them to do so.

  • ZenPsycho

    “Also, if this method gets overused, I believe public dictionaries with likely words are going to appear.” Like I said, even if you know all the potential words, there’s still 100 billion different combinations to try.

  • ZenPsycho

    “What is the correct way to create a strong password?”

    The idea is to make them such that they’re difficult for brute force methods to break. Brute force, the idea is to basically try every combination, roughly in order of most likely to least likely. You’d better believe that this password table will be incorporated into password cracker dictionaries.

    So you start off with a dictionary attack, and if that doesn’t work, you start with every combination of lowercase letters. Then lowercase and upper case.. then lowercase and numbers.. etc.

    A frequent strategy is to include uppercase, lowercase, symbols, and numbers. This dramatically increases the magnitude of the combinations one needs to check.

    uppercase+lowercase+symbols+numbers = ~72 possible characters. So for a six character password that’s 72^6 or 139 billion possible combinations. Compare to just lowercase alpha- 308 million. The more combinations you force the bruteforcers to have to check, the longer it takes them to try them all. Combine this with a delay on login attempts, and say, a cutoff after 5 attempts with a longer delay, and you effectively block brute force attacks.

    A lot of this seems to me meant to work around length limits though. For a lot of befuddlement and confusion, with 6 symbols and characters, you get basically the same effect by just having a longer password. For just 10 characters of lowercase alpha you get 141 quadrillion possibilities.
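The arithmetic behind ZenPsycho’s two-word scheme (the 32000-word dictionary comment earlier in the thread) and the character-class keyspaces in this comment, as an added example that is not code from any commenter. It recomputes the combination counts, bits of entropy and worst-case exhaust times for an online attacker held to one guess per delay and an offline attacker who only pays the hash cost; the word list, the 5 s delay and the 10 ms per hash are constructed parameters taken from the thread.

```python
import math
import secrets

# Constructed miniature word list; ZenPsycho's scheme assumes ~32000 words of
# four or more letters, which a real deployment would load from a file.
WORDS = ["hotel", "station", "banana", "battery", "book", "takes", "that", "salad",
         "apple", "orange", "river", "mountain", "silver", "candle", "window", "garden"]


def generate_two_word_password(words=WORDS):
    """Two CSPRNG-chosen words joined CamelCase style, e.g. 'HotelStation'."""
    return secrets.choice(words).capitalize() + secrets.choice(words).capitalize()


def dictionary_keyspace(n_words, n_picks=2):
    """Number of ordered word combinations when the attacker has the word list."""
    return n_words ** n_picks


def charset_keyspace(alphabet_size, length):
    """Number of strings of a fixed length over a given alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace):
    """Equivalent bits of entropy for a uniformly chosen password."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, seconds_per_guess):
    """Worst-case time to try every candidate at a fixed cost per guess."""
    return keyspace * seconds_per_guess


SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def compare(n_words=32_000, online_delay=5.0, offline_hash_cost=0.01):
    """Keyspace and exhaust times for the schemes discussed in the thread.

    online_delay models the per-attempt delay a login form enforces; the
    offline figure assumes the hash table leaked and only the hash cost applies.
    """
    rows = {
        "two words from %d" % n_words: dictionary_keyspace(n_words),
        "6 chars, lowercase (26)": charset_keyspace(26, 6),
        "6 chars, mixed+symbols (72)": charset_keyspace(72, 6),
        "10 chars, lowercase (26)": charset_keyspace(26, 10),
    }
    return {
        name: {
            "combinations": k,
            "bits": round(entropy_bits(k), 1),
            "online_years": seconds_to_exhaust(k, online_delay) / SECONDS_PER_YEAR,
            "offline_days": seconds_to_exhaust(k, offline_hash_cost) / SECONDS_PER_DAY,
        }
        for name, k in rows.items()
    }


if __name__ == "__main__":
    print(generate_two_word_password())
    for name, r in compare().items():
        print("%-28s %22d  %5.1f bits  online %.3g y  offline %.3g d"
              % (name, r["combinations"], r["bits"], r["online_years"], r["offline_days"]))
```

The online column only holds while the delay is enforced; once the hash table leaks, the offline column is what matters, which is why the hash work factor, not the login delay, protects a stolen database.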

  • Squander Two

    I saw some great advice a few years back, but I never see it crop up in these discussions. Pick a memorable sentence and construct your password from the first letter of each word. This system lends itself easily to including special characters or numbers or capitals (use a sentence with a proper noun in it), and generates passwords which are very easy to remember and very difficult to crack. For instance, I loved Peter Jackson's films of 'The Two Towers'. gives IlPJfo'T2T'. And then, of course, as others here have mentioned, add something unique to each site, such as am or mZ or whatever for Amazon.

  • ben332211

    Great post, thanks, :)

    In reference to OpenID, it’s really useless for anything that needs to be secure or is important, but may have limited utility for commenting quickly on blogs/websites, say without having to sign up individually…

    See this brief explanation of the problems with it, in regards to pathetically simple phishing:

    http://www.links.org/?p=187

  • http://uni.project-sn.com/ chopsticks

    I base my passwords on levels of importance. Forums I just use simple short password as I couldn’t care too much if my account was compromised as there is no threat to anything really important. On the other hand though, for areas such as banking or PayPal, for each institution dealing with financial stuff I have a different password, whether it be a combination of uppercase letters and numerals, or all just numerals (plus a special character in there somewhere). Other accounts such as for University have another set of passwords which are quite similar (to me) so it’s easy for me to remember, but the average person would probably see no similarities.

    This way all different items based on their importance have different passwords. Sure it’d be a pain by having up to 15 different passwords, but at least it’s less of a pain than something important being compromised because of using the same password as a forum. Passwords aren’t that hard to remember, I think it’s more so which account that you have actually associated that password with which is harder.

  • Lachlan Marsh

    I have a bad memory for passwords and don’t like storing them. My solution is to store them with “personal encryption”. For example (one I don’t use!), would be the registration number of the ford my family owned in 1948 and the date of birth of a person whose initials are given. Weirdly, I can remember things like that but not the actual password.

  • Ton v. Lankveld

    My method is low-tech and probably not safe, but I got a lousy memory for passwords (and numbers and names and cryptic character combinations, but that’s another story).

    I got an HTML file with a list of links to sites which require a login. Behind every link I have listed the username and password. So it is no problem to select a unique username and password for every site.

    To make the HTML file more secure, you can put it on a USB stick and only connect it to the computer if needed.

    My 2 cents.

  • http://www.sky-web.net/ Dr John

    I tend to use one of four passwords for all low level things like forums, and much more complex ones for things that really need to be secure.

    This went wrong last year when some forum (or special offer web site) may have had its user/password list cracked as the spare email account I use for signing into some forums / special offers was hacked – because I stupidly used the same password on it when I first set it up many years ago! 10,000 or more spams were sent out in one batch before the ISP closed the email account for excessive use.

    One trick I’ve used is to combine two dictionary words – but words from DIFFERENT languages. This can be very easy to remember, but can easily have 12 – 14 characters, which makes brute force attacks harder.

    The stupidest use of passwords was at a college where I taught – ALL new users were given changeme as the password. You can imagine the chaos when the students realised this. AND at the end of term you were told to change the password. And if you didn’t, it was changed back to, yes, you guessed it, changeme, after the first week or so of the holiday. So during the holidays, and summer in particular, you could enter almost any student’s account, but especially those of students who were leaving and so didn’t bother to change anything (all accounts stayed active until the next academic year started).

    The IT dept thought this one up, as a security idea to force students to change passwords regularly…
    Not one of their best ideas.

  • http://www.dfarkasdesign.com dafark8

    Ways to make a secure password:

    Make a root password and an additional site-specific variable.

    I don’t trust one source to store all of my passwords, and I don’t trust using one password for everything. My simple but, I believe, elegant solution (I cannot find the resource where I initially discovered this) is to make a root password with a variable.

    By this I mean make your password:

    MagicSiteWordPoint for sitepoint,

    MagicFaceWordBook for facebook,

    MagicTwitterWord for twitter and so on.

    I actually have a handful of roots and methods of adding variables depending on the site in question, but since I switched to this method I have never needed to request a forgotten password… rather than try to be clever about a unique password, I know my root and can guess in 2-3 tries what I made the variable.
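    As an added example (not code from either commenter or from the article), here is a small Python audit that flags the password patterns discussed on this page: sequential and keyboard patterns, dictionary words and first names, variants of “password”, placeholder defaults like the college’s changeme, and passwords that embed the site name the way the root + site-variable scheme does. The word lists are constructed stand-ins for the full dictionaries a real audit would load, and the naive entropy estimate is the usual length × log2(alphabet) that strength meters report; both are assumptions of this example.

```python
import math
import re

# Constructed mini word lists (assumption: a real audit loads full dictionaries).
COMMON_WORDS = {"password", "apple", "orange", "magic", "word", "love",
                "dragon", "monkey", "phpbb"}
FIRST_NAMES = {"jordan", "michael", "jessica", "john", "daniel"}
DEFAULT_PASSWORDS = {"changeme", "welcome", "letmein", "default"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def stem(pw):
    """Lower-case and strip a trailing digit run: 'Password1' -> 'password'."""
    return re.sub(r"\d+$", "", pw.lower())


def is_sequential(pw):
    """True for keyboard walks ('qwerty') and digit runs ('123456', '654321')."""
    s = pw.lower()
    if len(s) < 4:
        return False
    if any(s in row or s in row[::-1] for row in KEYBOARD_ROWS):
        return True
    if s.isdigit():
        steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
        return steps in ({1}, {-1})
    return False


def embeds_site_name(pw, site):
    """Detect the root + site-variable scheme: the site name appears in the
    password either whole ('twitter') or split in two ('Site' ... 'Point')."""
    s, site = pw.lower(), site.lower()
    if site in s:
        return True
    return any(site[:i] in s and site[i:] in s for i in range(2, len(site) - 1))


def charset_size(pw):
    """Size of the alphabet a naive strength meter assumes for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def naive_entropy_bits(pw):
    """Length x log2(alphabet): what a meter reports if every character were
    chosen uniformly. Overstates strength for patterned passwords."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def classify(pw, site=None):
    """Return the list of weak-pattern tags that apply to a password."""
    tags = []
    s = pw.lower()
    if stem(pw) in COMMON_WORDS:
        tags.append("dictionary word")
    if stem(pw) in FIRST_NAMES:
        tags.append("first name")
    if stem(pw) in DEFAULT_PASSWORDS:
        tags.append("default/placeholder")
    if is_sequential(pw):
        tags.append("sequential/keyboard pattern")
    if re.search(r"pass(word)?", s):
        tags.append("password variant")
    if site and embeds_site_name(pw, site):
        tags.append("site name embedded (root+variable)")
    return tags


def audit(entries):
    """entries: iterable of (site, password). Returns one report dict per entry."""
    return [{"site": site, "password": pw, "tags": classify(pw, site),
             "naive_bits": round(naive_entropy_bits(pw), 1)}
            for site, pw in entries]


# Constructed sample in the spirit of the top-20 lists quoted in the article.
SAMPLE = [
    ("phpbb", "123456"), ("phpbb", "password"), ("phpbb", "phpbb"),
    ("sitepoint", "MagicSiteWordPoint"), ("facebook", "MagicFaceWordBook"),
    ("myspace", "jordan23"), ("forum", "qwerty"), ("college", "changeme"),
    ("bank", "Kp9#vLq2&mZ"),
]

if __name__ == "__main__":
    for report in audit(SAMPLE):
        print(f"{report['site']:10} {report['password']:20} "
              f"{report['naive_bits']:6.1f} bits  {', '.join(report['tags']) or 'no pattern found'}")
```

    The point the bit count makes is that MagicSiteWordPoint scores over 100 naive bits, so any ordinary strength meter accepts it, while the site-name check still flags it: once one such password leaks, the root and the scheme are visible together.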

  • http://www.productionsbybonh.com bonh

    I just write my passwords in another language. Problem solved!

  • anynamewilldo

    The problem begins with all sites wanting you to register. This forces people to create bad passwords. In my case, I have to sign up for something almost daily. Everyone wants my name, email, dob, etc. Information I give to no one. (Why do they even ask for this information when they know 90% of people are giving fake info?) So I use Roboform. It creates an identity for me…fake name, fake address, fake phone and a junk email account and a simple password and fills it all in automatically. I think studying passwords from sites like this or cnn.com is useless. No one is trying to break into your cnn account, and even if they did, it wouldn’t matter to you. I think studying the security of banking passwords would give you a better idea of what people use as their REAL password.

    And it is very irritating when sites tell me my password isn’t strong enough. I know it’s not. And I’m fine with that. I have had sites so restrictive that it took me half an hour to come up with a password. Just so I could forget it every time I needed it and have to spend an hour resetting it and coming up with a new one. This only forces you to write down the password in multiple locations and store it on your hard drive. Hardly safe if it’s an important account. One site, I kid you not, took me 2 hours to come up with an “acceptable” password. The password it finally took?

    90457$Any_Fuc_king_Pass_w0rd_Will_D0$2183

  • graphicmist

    Many people here said they use some password manager app for storing their passwords. I think it’s the best practice, but what if you have to access your account from some other PC or from some other place? Then your password manager is not there.

    And criticizing OpenID is not valid. There is a risk of phishing in OpenID, but at the same time it gives you the facility to log in to various websites by remembering a single password. Now what you can do is make that password as strong as possible. Have you checked the OpenID of Yahoo? It’s like openid.yahoo.com/213ghkagsdiu21312, some random number which is not easy to hack. So the OpenID providers are doing their best to protect your accounts.

    “If I put my computer switched off, surrounded by thick concrete walls in a box of heavy metal kept in a high security room through which even an insect can’t pass through, fully vacuumed, even then I have my doubts…”

    Nothing is safe in this world you can only take precautions.

  • VWXYZ

    This actually made me change my password.

    Once I used one password; it’s still the one I use for my very old accounts like YouTube. Then I moved on to a tiny bit more secure password (the new one completely eliminated the social engineering option).

    Now, I think I’ll just put the two passwords after each other! And problem solved. For high priority sites (with bank account access) I’ll throw in a number or five. I already use a modified version of my newest password on my PlayStation Network account (remember, it has access to my bank account), and I don’t see anyone easily breaking that one.

  • Henry

    It should be noted that the sample was flawed. Graham only analyzed the passwords that were broken by an earlier dictionary attack; i.e. just the weakest in the stolen database.

    ~H