Password advice you can use… maybe

A few days ago, security researchers published a report indicating something that we all know – users use weak passwords and reuse them.  But the Canadian press recently published an article with something that is actually useful:

Online security experts say there are a number of tactics to thwart hackers when it comes to passwords, including changing it regularly and using a hard-to-guess combination of letters, numbers, punctuation and symbols.

But perhaps the best piece of advice is not to use "password" as your password.

The California-based software company SplashData analyzed millions of stolen passwords that had been obtained by hackers and found some dangerously simple choices came up again and again.

The most common was "password," followed by "123456," "12345678," "qwerty," "abc123," "monkey," "1234567," "letmein," "trustno1," "dragon" and "baseball."

Users who have trouble remembering all their online passwords can buy software to automatically — and securely — log them into websites.

I highlighted the important part above.  Security companies routine give useless advice like use passwords with loads of random numbers, letters, and other character keys.  Don’t write them down, either.  And memorize them.

As I have said in the past, this advice is useless.

Rather than giving that advice, perhaps we should say to users “Look, don’t use the easy passwords like ‘password’, ‘123456’, ‘qwerty’, or ‘abcdefg’.”  If users at least don’t use the ones that are easy to guess, then that makes it just a little bit more difficult for hackers to break in.  It won’t stop them forever, but it does make give them an extra hoop to jump.

So rather than telling people what they should do (which nobody does), at least tell them something easy that they shouldn’t do.  It’s a start.

incidentally, the software to automatically and securely log people into websites isn’t that useful, either.  These assume that you are only using one computer.  How many people is that true for nowadays? I use both a PC, a Mac (sometimes), my iPad, and my smartphone.  If I have a secure password software on one of those… how will I get into my web portals on the other devices?

So much for that idea.  Well, at least until someone writes a cloud-version of it and it runs on multiple platforms.

Comments

• Anonymous
  November 24, 2011
  You mean like 1password? Not cloud, but syncs multiple devices and platforms. Also on sale this weekend :)

• Anonymous
  November 24, 2011
  Hi! There is already such a software available on multiple platforms,browsers, devices. It's called LastPass. I use it @home,@work and on my WP7 device and it's great! Try it out! Greetz! P.S. No, I'm not connected to that company in any ways! I'm just someone who uses their products!

• Anonymous
  November 25, 2011
  Definitely take a look at LastPass.  The biggest downside so far is Apple's obstacle to allow an extension for Safari; Windows and Apple platforms including my wife's iPad.  There's a LastPass for the iPad but it's not browser-integrated.  IE, Firefox, Chrome and Opera all have extensions that work on Windows and *nix.

• Anonymous
  December 01, 2011
  Also if you want a paid version of software to remember your passwords, look at Roboform. It too works across multiple OS's to include iOS and Android. It also syncs across all the devices you want it on.