We opened the floor to stories about passwords you should never, ever use earlier this month, and our readers didn't disappoint. IT types and the security-passive can learn a lot from what Donny Don't does.
Photo by Freddy The Boy.
It started with a list of passwords you shouldn't ever use at Listable, which was informative, but pretty basic and limited, and probably written half in jest. Of course, following along, our readers had a whole bunch of scary tales of terrible passwords to relate—pray your bank doesn't actually use bank123 on its sensitive machines. But they also had some practical tips on avoiding the kinds of laughable non-security measures they've seen everywhere. Let the good times roll:
• Kicking things off, ZaltanaCebriones illustrated why 12345 is such a bad idea for any password (and why so many of our commenters couldn't help from giggling):
• park3r pointed out the most obvious suspect missing from the list—"admin," which, along with a blank username, is a default for most blue Linksys Wi-Fi routers (and many other models). Similarly, don't pick a password that's one of the other router defaults (thanks to ArcherCatreus for the link).
• d0rk works at a company that forces a password change every 30 days. He noted, however, that it just results in workers picking the easiest password that meets the requirements—as in a MM/YYYY-style password. If you're an IT manager, or a worker who sloughs off a required, regular change, go ahead and read through that comment thread for a few good reasons to change up your least-resistance ways.
• TheOtherHalf and iBoris suggest that a really secure password might be one you don't even know. Learning the finger movements needed to type in a password can give you a seriously secure password that you're far less likely to inadvertently give away. It might be a significant investment of time setting up your muscle memory for that password at first, but after that, shifting up, down, or to the side for a new character set might not be that difficult. Photo by Frenkieb.
• Cwicseolfor had a novel idea for creating passwords, but one you should never use for passwords you might have to type around other people:
When I needed a new password, I'd look at some electronic device on my person (iPod, phone, etc.) —- somewhere on the device would be a serial number or an FCC ID. That way, if I don't remember the password, it's written in small text somewhere near me, but it wouldn't be instantly recognizable as a password. Plus, they were usually alpha-numeric and greater than 6 characters.
In most cases, that's a decently secure password, and one with a nice backup recovery option. But, again, you wouldn't want someone to spot you reading the back of your phone while you're logging into your work terminal. If you've got a software-unlocking solution like KeePass, though, you could implement such a carry-around password as a master unlocker—even security experts think it's cool to write some passwords down.
• ShravantiMarigold offered a smart yet simple solution for those who don't want to memorize a random high-security string of gobbledy-gook, but still want something better than their dog's name:
I always tell people to use a sentence. I drive a 1978 Volkswagon! = IDA78VW! or Living At Home Since 1972 Sux = L@HS72SX or for higher security use high ASCII 149 Is was my street Address in 99= Iwmsai99
Of course, we'd be remiss if we didn't note the many, many readers who don't have to worry about paswords much because of KeePass, the open-source, seriously helpful password manager. Want to get started? Try Gina's guide to securely tracking your passwords.
Thanks for the helpful/funny/snarky password memories, everyone!
