The worst passwords of 2012

The worst passwords are the ones everybody else is using.

I’ve been meaning to write more about computer security, but all the topics are complicated. That makes it time-consuming to write about, and potentially dry and confusing to a reader. So I’ve decided to try something new: to write short, narrow posts that address a smaller subset of the topic. In doing this, I realize I am becoming the thing I hate: most blogs annoy me because bloggers write short articles of 500 words or less not because that’s an appropriate length for the topic, but because that’s what’s easy to write in an hour or two.

Part of this short series will be titled “Security Myths and Realities.” My idea is to break through all the outdated and plain false information about computer security and help the regular user get up to date on how experts think.

Myth: Choose a Password That is Easy to Remember

Reality: Totally FALSE! If you are trying to remember all your passwords, you are doing it wrong.

2012 was a watershed year for the venerable password. Last year was the year when the mainstream technology press — periodicals like Wired and Ars Technica — began to publish opinion pieces suggesting that the whole concept of passwords is obsolete, ineffective, and wrong. I happen to agree, but in the near term, it’s irrelevant: passwords are not going away any time soon. To fully explore what’s wrong with passwords as a concept, and why the very idea of passwords is coming under fire, would be another entire article. I can point out the most obvious problem with passwords, though: everyone has too many of them.

For something as complicated to remember as a reasonably-strong password, “too many” is about four. The last I counted, I had 103 different passwords. Since I work as a programmer and I maintain a blog and a couple of other Web sites as a hobby, I admit I am kind of special. I have more passwords than the average user. If you take into account all the unique accounts a modern person has for online shopping, communities like forums and blogs, gaming accounts, banking accounts, and so on, I would not be surprised if the mythical “average user” had need for 20 different passwords. I wouldn’t even be surprised to hear a number like 50.

Don’t even bother trying to remember all your passwords. It’s infeasible, and anyone who tells you otherwise seriously misunderstands the security risks of today’s Internet.

The Wrong Solutions

Trying to remember your passwords is only one of the many bad pieces of advice you are likely to hear. Here are some others.

Re-Using the Same Password on Multiple Sites

Terrible idea! The problem with this is that if an attacker gets his hands on, say, your YouTube password, he’ll immediately try that on your Gmail account. And your bank account. It doesn’t matter that he doesn’t know which bank you use: there are few enough banks that it’s worthwhile to write a program to try them all.

While it’s true that re-using the same password across multiple sites reduces the amount you have to remember, it also means anyone who gets one of your passwords gets into many of your accounts. Re-use is probably the worst inherent problem the concept of passwords has. (As a quick aside, I think proposals to replace passwords with some other kind of reusable token, like a thumbprint or retina scan, are completely harebrained for exactly the same reason.)

Remember, I am advising you not to remember passwords at all. Well, you will need to remember one or two, but not more than that. If you don’t have to remember passwords, it is no problem to make them all different. I am proud to say, all 103 of my passwords are very different from one another. Exactly how different, I can’t say. I don’t remember them! It took me two and a half years to fully break the habit of re-using passwords and to establish a unique password for every account. Now that it’s done, my accounts are more secure. I can say that I practice what I preach. Furthermore, I have not “forgotten” a password in a year and a half. How many people can say that?

A Written List

Some people advise you to write all your passwords on a list and keep that near your computer. This can be less bad than it sounds, depending on whom you need to protect yourself against. The first real problem is that anyone who can physically get to your list can read it — or make a copy. At home, this may be safe enough depending on how much you trust your spouse and kids. Someone would have to break into your house to use the list, and for most people, that’s a rare and unlikely event.

At work, keeping a list of passwords is a disastrous idea: any disgruntled co-worker could find that list after hours and take over your virtual life — not to mention, committing real crimes against your employer and framing you for them! So, let’s not keep that list at the office. Don’t even bring that list to the office, which leads me to my second point.

A list is only good when you have it in hand. You could keep your personal passwords at home and your business passwords on a separate list on your work computer, but that still would cut you off from your passwords when you’re between home and the office. Forget about logging in to check your bank account from the coffee shop. Keeping lists, whether physical or digital, is totally inconvenient unless you have multiple copies floating around. Multiple copies of a list would be a nightmare! I’m not seriously suggesting that: in addition to multiplying the risk of the list falling into the wrong hands, you’d spend a lot of time and effort trying to keep the different copies up to date.

The Right Solution: A Password Manager Application

Imagine for a moment that you could mitigate the two problems with keeping lists of your passwords: if you could prevent unauthorized people from reading the list, and you could be very likely to have access to it whenever you needed it. It turns out, there’s an app for that!

I use an Android app called mSecure. It keeps an encrypted list of all my 103 passwords, and, since I also bought the PC version, allows me to synchronize that list with my home computer. (I mainly keep the separate copy on my computer for use while my phone is charging, and as a quick-and-dirty backup: it’s unlikely I will lose both my phone and my computer in the same day.)

There are several other programs out there that can help manage the insane number of passwords you have to have to function in today’s society. I used to use something called Password Gorilla, which is free but for the PC only. It is now kind of hard to download and install, so I don’t provide a link. If you want something free, Password Safe looks like a safe bet. That was developed by my favorite, internationally-recognized security expert, Bruce Schneier.

The critical features of a password manager are:

  • The database itself should be password-protected. This is one of two passwords you will still have to remember; the other one is the password to log onto your computer itself.
  • There should be a way to back up the list of passwords and/or synchronize it across multiple devices.
  • It should run on your laptop/desktop computer so you can copy and paste passwords from the password manager to your Web browser. You won’t care how long and complicated your passwords are because you may never have to type them!
  • It should be able to generate strong, random passwords for you, so every time some Web site asks you to provide a new, strong password, you can just press a button and paste in the gobbledygook the program generates for you. A password you never type can be as long and random as the site allows.
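To make the last two features concrete, here is a small added example in Python (written for this article; it is not code from mSecure, Password Safe, or any other product mentioned above). It shows the three pieces of a password manager that matter most for security: generating random passwords from the operating system’s cryptographic random source rather than a plain pseudo-random generator, deriving the key that protects the database from the one master password you still remember, and spotting any password that is reused across accounts. The character set, the scrypt parameters, and the sample vault are all my own choices for illustration; a real manager would also encrypt the vault file with the derived key using a vetted library, which is left out here.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, List

# Character classes a site-specific password is drawn from (illustrative choice).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 26 + 26 + 10 + 28 = 90 characters


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one character of each class.

    secrets.choice draws from the OS CSPRNG; the random module must never be
    used for this. Candidates missing a class are rejected and redrawn, which
    keeps the result uniform over all passwords that satisfy the rule.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the 256-bit key protecting the vault from the one remembered password.

    scrypt is memory-hard, so guessing the master password against a stolen
    vault file is slow. The random salt is stored next to the vault; the
    parameters below are a reasonable (assumed) setting for a 2012-era PC.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group the account names that share a password so the reuse can be fixed."""
    by_password: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


# Constructed sample vault (account -> password) with one deliberately reused password.
SAMPLE_VAULT = {
    "youtube": "Summer2012!",
    "gmail": "Summer2012!",
    "bank": generate_password(24),
}

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    print("new password:", generate_password(), f"({entropy_bits(20):.0f} bits)")
    print("reused across:", find_reused(SAMPLE_VAULT))
```

A 20-character password over this 90-character alphabet carries about 130 bits of entropy, far beyond anything an attacker can guess online or crack offline, and you never have to remember it because the manager does. The scrypt step is what makes the database “password-protected” in more than name: without a slow, salted key derivation, a stolen vault file could be brute-forced with a fast dictionary attack on the master password.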