Your password is 123456, right? No? Bet I can guess if not. Dare me!


May 24th, 2010
John Pearson, Director - Data Security & Compliance

In a recent security breach, 32 million user passwords were exposed by a website.  The exposed data was analyzed by the security company Imperva, which reported the following conclusions:

  • 16% of users choose only numbers for their password
  • 30% of users choose the minimum length required for their password
  • 40% of users choose all lowercase for their password
  • 50% of users use the same (or very similar) passwords across all accounts
  • 50% of users choose simple dictionary words or trivial combinations such as adjacent keyboard keys (“qwerty”) for their password.

From this data it was concluded that a brute force attack could have broken into accounts in 110 attempts, which can be executed in mere milliseconds.  A motivated hacker could take over more than 3,000 accounts in under an hour, or 24K in an average 8-to-5 work day.

Based on common industry guidelines, less than 1 percent of the 32 million passwords could be considered strong (see Imperva's Consumer Password Worst Practices report for more details).  Because of the large sample size, these conclusions very likely represent the general population, and they are consistent with similar studies done over the course of the past two decades.

So do you still think I cannot guess your password?  If you said “no,” then I encourage you to read on and change your password habits immediately!  If you said “yes,” then you are in the minority, and are you as confident about your neighbor’s password?  Your parents?  Your spouse?  Or your children?  Because if I am a hacker, all I need is just one account to be weak and I got you.

So is your password strong?  Are your accounts protected against brute force attacks?  Read and follow these guidelines for creating a strong password to be sure:

  1. Use a combination of UPPERCASE, lowercase, numerals and symbols within your password.  The greater the pool of characters used, the greater the factor of possible combinations, thus reducing the risk of success of a brute force attack.
  2. Use a length of 7 or more characters, 10 where possible.  Brute force attacks become significantly less plausible with each additional character of length.  For example, using current desktop computing technology, it takes hours to a few days to iterate all 7-character passwords in a brute force attack, but it takes over a year to iterate 8 characters and a lifetime to iterate 9 or more characters.
  3. Substitute numbers and symbols for letters, such as “1” for “i”, “3” for “E”, “@” for “a”, “$” for “S” and “0” for “o”.
  4. Do not use full words or names that are commonly found in a dictionary.  Most brute force tools utilize electronic dictionaries to assist in the password attack.
  5. Do not use your name, id or email address as a part of your password.
  6. Do not use the same password for all accounts.
  7. Do not share your password with others.
  8. Utilize a common password scheme or system to ease the memorization of multiple passwords (see below for details).
  9. If you use a common password scheme or system, make it unique to you.  For example, always choose to capitalize one or more specific characters.
  10. If you need to write your password down, consider writing down a hint instead, or disguise it in some manner.
  11. Leverage a password checker to validate the strength of your creation, such as Microsoft's online password checker.
  12. Leverage third party password management software like 1Password, KeePass, or LastPass.
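As an added illustration of guidelines 1 through 5 (this is example code written for this page, not a tool from the original post or from Microsoft), the script below computes the brute force search space from the character classes used and the length, and flags short passwords, dictionary words, and personal information. The character-pool sizes, the attacker guess rate of one billion guesses per second, and the tiny word list are constructed assumptions; real cracking tools ship with far larger word lists and with rules that undo the number-for-letter substitutions of guideline 3, which is why such hits are reported as warnings.

```python
# Added example (not from the original post): a small checker that applies the
# guidelines above. Pool sizes, the guess rate and the word list are constructed
# assumptions for illustration.
import string

# Guideline 1: the four character classes and the pool size each one adds.
POOLS = {
    "upper": (set(string.ascii_uppercase), 26),
    "lower": (set(string.ascii_lowercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

# Stand-in for the word lists that cracking tools ship with (constructed).
DICTIONARY = {"password", "hello", "world", "sweet", "dreams", "radiant", "systems", "qwerty"}

# Guideline 3 substitutions, reversed: word lists are commonly run with rules
# that try these same swaps, so a word hidden this way is only a partial gain.
UNLEET = str.maketrans({"1": "i", "3": "e", "@": "a", "$": "s", "5": "s", "0": "o", "!": "l"})


def classes_used(pw):
    """Return the names of the character classes present in pw."""
    return {name for name, (chars, _) in POOLS.items() if any(c in chars for c in pw)}


def search_space(pw):
    """Guidelines 1 and 2: (sum of pool sizes used) ** length, the number of
    candidates a brute force attack must iterate in the worst case."""
    pool = sum(size for name, (_, size) in POOLS.items() if name in classes_used(pw))
    return pool ** len(pw)


def dictionary_hits(text):
    """Dictionary words contained in text (guideline 4)."""
    return {w for w in DICTIONARY if w in text}


def assess(pw, personal=(), guesses_per_second=1e9):
    """Check pw against guidelines 1-5. `personal` holds names, ids and e-mail
    parts (guideline 5); guesses_per_second is an assumed attacker rate used
    only for the worst-case time estimate."""
    problems, warnings = [], []
    if len(classes_used(pw)) < 3:
        problems.append("uses fewer than three character classes")
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    lowered = pw.lower()
    if dictionary_hits(lowered):
        problems.append("contains a dictionary word")
    elif dictionary_hits(lowered.translate(UNLEET)):
        warnings.append("dictionary word visible once 1/3/@/$/5/0/! substitutions are undone")
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains your name, id or e-mail address")
    space = search_space(pw)
    return {
        "strong": not problems,
        "problems": problems,
        "warnings": warnings,
        "search_space": space,
        "worst_case_seconds": space / guesses_per_second,
    }


if __name__ == "__main__":
    for candidate in ("123456", "helloworld", "Hell0W0r!d", "CSwhSBXLVi2011."):
        print(candidate, assess(candidate))
```

With the assumed rate, a 7-character password drawn from all four classes (94^7 candidates) takes about 18 hours to exhaust, while "123456" has only a million candidates and is gone in a millisecond; the estimate scales linearly with whatever guess rate you plug in for your own threat model.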

Common password schemes:

  1. Build your password from a sentence by using the first letter from each word including numbers and punctuation.  For example:  “Cowboys Stadium will host Super Bowl XLV in 2011.” translates to the following password “CSwhSBXLVi2011.”.
  2. Build your password using two sentences and adding punctuation in between as filler and include a significant number.  For example:  “My password is strong” and “It is hard to crack in 2010” translates to “Mpis&Iihtci2010”.
  3. Build your password using an important event, person, or place, an important number, and a tag for context.  For example:  “Dallas Cowboys” and “1992” translates to “C0wb0y5&1992+Work” for a work password and “C0wb0y5&1992+Bank” for a bank password.
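The three schemes above, written out as code so the derivation of each example password is mechanical (an added example for this page, not the author's own tool). The substitution table follows guideline 3 and the scheme 3 example, which writes "s" as "5"; the choice of which letters to substitute, and the `capitalize_at` twist for guideline 9, are constructed assumptions.

```python
# Added example (not from the original post): the three password schemes as code.
# The substitution table follows guideline 3 and the scheme-3 example ("s" -> "5");
# exactly which letters are mapped is a constructed choice.
import re

LEET = str.maketrans({"i": "1", "e": "3", "a": "@", "s": "5", "o": "0"})

# A word followed by any trailing punctuation ("2011." -> "2011", ".").
TOKEN = re.compile(r"^([A-Za-z0-9]+)(\W*)$")


def from_sentence(sentence):
    """Scheme 1: first letter of each word. All-caps tokens (XLV) and numbers
    (2011) are kept whole, and punctuation attached to a word is kept."""
    out = []
    for token in sentence.split():
        m = TOKEN.match(token)
        if not m:
            continue  # skip tokens that are pure punctuation or contain apostrophes
        word, punct = m.groups()
        out.append(word if word.isupper() or word.isdigit() else word[0])
        out.append(punct)
    return "".join(out)


def from_two_sentences(first, second, filler="&"):
    """Scheme 2: two scheme-1 results joined by a punctuation filler; the
    significant number is carried inside one of the sentences, as in the example."""
    return from_sentence(first) + filler + from_sentence(second)


def from_keyword(keyword, number, tag):
    """Scheme 3: substituted keyword, a significant number and a per-account tag."""
    return f"{keyword.translate(LEET)}&{number}+{tag}"


def capitalize_at(password, *positions):
    """Guideline 9: a personal twist, here always capitalizing fixed positions."""
    chars = list(password)
    for i in positions:
        chars[i] = chars[i].upper()
    return "".join(chars)


if __name__ == "__main__":
    print(from_sentence("Cowboys Stadium will host Super Bowl XLV in 2011."))
    print(from_two_sentences("My password is strong", "It is hard to crack in 2010"))
    print(from_keyword("Cowboys", "1992", "Work"), from_keyword("Cowboys", "1992", "Bank"))
    print(capitalize_at("Mpis&Iihtci2010", 7))
```

Each function reproduces the corresponding example password from the text verbatim, which is the point of a scheme: the sentence or keyword is what you remember, and the password is derived from it the same way every time.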

Using these rules, even simple passwords like “helloworld”, “Radiant Systems” and “sweetdreams” become strong, secure passwords such as “Hell0W0r!d”, “R@d1@nt&5yst3m$” and “5w33tDr3@m$”.  Using these rules, your accounts will be better protected against hackers like those behind the breach in the Imperva report.  Using these rules, we can all sleep better at night knowing that someone has not just drained our bank accounts.  That said, I fear that most people, even after reading this article, will not change their habits, or will not change them for long.  Please dare me to be wrong!


2 Responses to “Your password is 123456, right? No? Bet I can guess if not. Dare me!”

  1. Waldo says:

    In the various industries I have worked over the years the low priority that people put on password selection has always baffled me. Even in the world of IT or support, I have seen technicians use very minimal security on their own passwords. I think that this article is a good eye opener for people and hopefully everyone will take this advice to heart.

  2. Laurie Miller says:

    Hey John,

    Very interesting read……I thought I was following all the strong password rules, but discovered a couple of which I am not. Changing all my passwords now!
