Weak Password

By liaowt at 3:33 pm on February 14, 2009 | 4 Comments

According to Yahoo! News, statistics on 28,000 passwords recently stolen from a popular US website and posted on physorg.com show that “16 percent took a first name as a password … 14 percent relied on the easiest keyboard combinations to remember such as ‘1234’ ….” People tend to use passwords that are easy to remember, such as names or their favorite words. Since most people have many accounts, they choose easy-to-remember passwords in order to manage all of their logins.

One way to prevent people from using weak passwords is to run a built-in password checker when users register a new account or want to change their password (like the one posted here). There should be a requirement on password length and character combination: a secure password has to be at least 8 characters long and it “should include a combination of uppercase and lowercase letters, numbers, and symbols.” Moreover, it would be helpful to show a short side note on how to create a secure password.
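As an added example (not code from the original post), here is a client-side check that implements the rule above and also flags the two weak patterns the stolen-password statistics describe, first names and keyboard runs like ‘1234’. It runs entirely in the browser, so the candidate password never leaves the user's machine; the name list and keyboard sequences are small constructed placeholders standing in for a real common-password list.

```javascript
// Constructed denylists (placeholders): a real deployment would load a much
// larger list of common first names and leaked passwords.
const COMMON_NAMES = ["john", "michael", "david", "sarah", "jessica"];
const KEYBOARD_RUNS = ["1234", "12345", "123456", "qwerty", "asdf", "zxcv"];

// Returns { ok, problems } where problems lists every rule the password
// fails. Length and character-class rules follow the quoted policy; the
// pattern rules catch names and keyboard sequences even when padded with
// digits or symbols (e.g. "John1!").
function checkPassword(password) {
  const problems = [];
  if (password.length < 8) problems.push("shorter than 8 characters");
  if (!/[A-Z]/.test(password)) problems.push("no uppercase letter");
  if (!/[a-z]/.test(password)) problems.push("no lowercase letter");
  if (!/[0-9]/.test(password)) problems.push("no digit");
  if (!/[^A-Za-z0-9]/.test(password)) problems.push("no symbol");

  const lower = password.toLowerCase();
  // Keep only letters so "John1!" still matches the name "john".
  const letters = lower.replace(/[^a-z]/g, "");
  if (COMMON_NAMES.includes(letters)) problems.push("is a common first name");
  for (const run of KEYBOARD_RUNS) {
    if (lower.includes(run)) {
      problems.push(`contains keyboard sequence "${run}"`);
      break;
    }
  }
  return { ok: problems.length === 0, problems };
}

// Wires the check to a registration form so feedback appears as the user
// types; guarded so the module also loads outside a browser.
function attachChecker(inputEl, outputEl) {
  inputEl.addEventListener("input", () => {
    const result = checkPassword(inputEl.value);
    outputEl.textContent = result.ok
      ? "Password meets the policy."
      : "Weak password: " + result.problems.join("; ");
  });
}
if (typeof document !== "undefined") {
  const input = document.getElementById("password");
  const output = document.getElementById("password-feedback");
  if (input && output) attachChecker(input, output);
}
```

The page only needs an `<input id="password">` and an element with `id="password-feedback"` for the live feedback to appear.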

Attackers can compromise accounts that use these easy-to-remember passwords, and they have about a 40 percent chance of getting it right. Beyond that, users tend to write their passwords down in notes or on their PC, so an attacker who gets access to a user’s computer or notes can easily read the passwords.

If people think that their account on a website is not that important to them, they won’t even bother to change their password to a stronger one. They believe that even though they have weak passwords, their accounts won’t be attacked. On the other hand, people would probably change their weak passwords to more complex ones for financial accounts such as a bank account, or for private accounts like Gmail.

Filed under: Current Events, Ethics

4 Comments

  • 1

    Comment by Father_Of_1000000

    February 14, 2009 @ 5:52 pm

    A lot of sites already use password strength checks, such as gmail. It’s not strictly enforced. The problem with enforcing strong passwords is that you might drive a number of users away. If somebody doesn’t have a good memory and will forget the strong password, then there is no point in even setting up an account. Maybe he can learn by clicking on the “Did you forget your password?” link enough times.

    I think writing down your password is worse than having a weak password in some cases. You never know who will “accidentally” see your password.

    If you do write it down, don’t make it obvious. You can use something similar to what the UK banks did, such as writing it backwards or scrambling the letters so that only you know the ordering. You should only write it down to help you remember, and you shouldn’t rely on it every time. Once you are sure that you can remember, destroy the evidence.

  • 2

    Comment by devynp

    February 20, 2009 @ 12:16 am

    I found that the code memo application that I have on my cellphone is really useful. With so many passwords to memorize, why not have a password to store all those passwords? We only need to remember one master password to retrieve all the other passwords. I am not sure about the security of such an application though. If the attacker were able to obtain the master password, there may be a huge risk at stake.

  • 3

    Comment by jap24

    February 20, 2009 @ 7:56 pm

    Does anyone else see how hilarious that link to Microsoft’s password strength-checker is? It sounds like one of those “social engineering” experiments.

    So, I can go to Microsoft’s password website, enter my password there, and the site will tell me how strong my password is. Except the password strength isn’t worth anything because I just told Microsoft what my password is.

    I wonder how many people go there and enter their actual passwords, and expect them to still be secure…

    I also wonder how many people would trust a password-strength website with a random domain name. This sounds like fun research.

  • 4

    Comment by eyezac

    February 26, 2009 @ 8:12 pm

    Even if you have someone’s password, how useful is it if you don’t know their username(s) and which sites the passwords are for? That’s actually not a rhetorical question. Could somebody at the other end of a password checker deduce your browsing history and/or other information just from having you visit a site and enter only your password? If not, maybe the password checker isn’t really that dangerous.
