Saturday, November 28, 2009

Passwords and User Names

Unfortunately, very little has change by computer users in selecting a password over the past several years. Compare the following list of the top 10 most passwords used in automated attacks reported by the Microsoft Malware Protection Center in Do and don’ts for p@$w0rd$, with the the PC Magazine list of the 10 most commonly used passwords online, published by in 2007:

Microsoft List - November, 2009:
  1. password
  2. 123456
  3. #!comment:
  4. changeme
  5. F**kyou (edited)
  6. abc123
  7. peter
  8. Michael
  9. andrew
  10. matthew
PC Magazine list - April, 2007:
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. your first name)
Similarly, the MMPC provided this list of the top 10 list most common user names used in automated attacks:
  1. Administrator
  2. Administrateur
  3. admin
  4. andrew
  5. dave
  6. steve
  7. tsinternetuser
  8. tsinternetusers
  9. paul
  10. adam

From the report, Francis Allan Tan Seng and Andrei Saygo provide this advice:

"We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based. As seen in the table above, there are passwords in dictionaries that are even using special characters (for example #!comment: ), not only numbers and letters.

You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn’t be picked lightly.

Usually we choose easy to type and/or easy to remember passwords, but please don’t forget that those passwords (for the moment) are the most commonly used or authentication on the Internet so they need to be strong.

The three basic things to remember when creating a strong password are the following:

1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which allows common letter/number-to-special character substitutions (like changing a-@, i-1 ,o-0 and s=$, for example, password = p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.

2. Use a combination of upper and lower case letters.

3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases."

For additional assistance see Strong passwords: How to create and use them. After creating a new, strong password, use the Microsoft Password Checker.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Clubhouse Tags: Clubhouse, safety, security, story

No comments: