In today’s society, computer-based user accounts that require a username and password are common in workplaces, schools, and homes for a wide range of applications. E-mail accounts, online bank accounts, social networking profiles, and many other stores of private information are all secured by user-created passwords. With so much data at risk, it should be safe to assume that people would generate passwords worthy of protecting their assets. However, a study by Burnett (2006) of millions of passwords revealed that the top five hundred user passwords were significantly weak and at extremely high risk of theft. In order to properly safeguard user accounts and the data associated with them, users must abandon sub-par password-creation practices and learn to create unique, complex, and robust passwords. A concrete understanding of what makes a password weak is required before attempting to build a strong one. A weak password can be easily guessed, cracked, or stolen for one or several reasons. Examples of weak passwords, with explanations of why they are weak, are provided in the next five paragraphs. By avoiding these mistakes, users can strengthen their passwords and ultimately provide better protection for sensitive information.
A password should never consist of ordinary words that can be found in the dictionary, such as “soccer” or “watermelon” (Burnett, 2006). First, a password made of common words can be guessed by a hacker given enough attempts, an approach known as a brute force attack (Bahadur, Chan, & Weber, 2002). Second, passwords that are dictionary words are vulnerable to a specialized type of brute force attack called a dictionary attack (Nemati, 2011). In a dictionary attack, a hacker uses software that tries every word in the dictionary as the password (Nemati, 2011). Simply by mixing special characters, numbers, and letters into a password, a user can help protect their accounts against brute force and dictionary attacks (Bahadur et al., 2002).

Default passwords, that is, passwords pre-configured by a company, manufacturer, or vendor, are another example of weak passwords (Nemati, 2008). Most of these passwords are widely known or can easily be found on the internet (Nemati, 2008). Using a default password is essentially an open invitation for hackers to access your protected information (Nemati, 2008). Users who wish to avoid this risk should ensure that no account uses any form of a default password.

Sometimes a user creates a password so complex that it indirectly becomes weak (Burnett, 2006). In some cases these overly complex passwords are the result of strict administrator requirements (Burnett, 2006). When passwords become this complex, users typically cannot memorize them and are forced to write them down somewhere that is not secure (Burnett, 2006). Once a password is written down where others can discover it, the password, and ultimately the associated account, is no longer secure, regardless of the password’s complexity. First, users should never write their entire password down in a place where it can easily be discovered. Second, people should create complex passwords that they can memorize by using techniques such as rhyming, association, offensiveness, and many others (Burnett, 2006).

Password aging, that is, using the same password for the same account for an extended period of time, can also weaken a password (Burnett, 2006). The longer the same password remains in use, the longer an attacker has to crack or steal it (Burnett, 2006). Some administrators combat this weakness with password expiration, which forces users to change their passwords after a set amount of time, but this can introduce other weaknesses (Burnett, 2006). For example, some users try to cheat the requirement by changing the password to a new one and then immediately changing it back to the original (Burnett, 2006). To counter this, administrators introduced password history requirements, a list of past passwords that cannot be re-used until a certain amount of time has passed, and minimum age policies, which prevent a password from being changed until it has been in use for a pre-determined length of time (Burnett, 2006). In all of these scenarios, the bottom line is that users should routinely change their passwords to new and unique combinations. Finally, passwords should never contain personal information such as names, pet names, phone numbers, and so forth (Burnett, 2006). Not only are such passwords susceptible to brute force attacks, the information in them can also be obtained through a technique known as social engineering (Burnett, 2006).
Social engineering is a method in which an attacker utilizes human interaction to trick users into revealing secure information (Gupta & Sharman, 2009). In addition to using this technique to get these personal details for increased chances of success during brute force attacks, social engineering can also be used to manipulate a user into outright revealing their password (Gupta & Sharman, 2009). For example, some attackers will pose as network administrators to users via e-mail or phone calls and convince users that they need their passwords for some type of maintenance (Gupta & Sharman, 2009). To avoid the risks of social engineering, a system user should never reveal their personal information to someone they don’t know or trust, and they should never reveal their passwords to anyone.
One of the best methods for strengthening a password is to increase the number of characters it contains, that is, simply to make it longer (Burnett, 2006). According to Burnett (2006), a password consisting of only five lowercase letters has 11,881,376 possible combinations, whereas a password containing fourteen lowercase letters has 64,509,974,703,297,200,000 unique combinations. This exponential growth in the number of possible combinations shows that extending a password’s length is an excellent way to help secure an account. The steadily growing capabilities of hackers, personal computers, and password-stealing software (Vacca, 2010) combine to create an overwhelming need for users to strengthen their passwords through a variety of techniques. If users follow a few simple rules when creating their passwords, they can significantly increase the protection of their accounts and their information.
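The following Python is an added example, not part of the original essay or any of the works it cites. It turns the essay's weak-password rules (dictionary words, default passwords, personal information, too few characters or character classes) into a defensive checker and reproduces Burnett's keyspace arithmetic; the word lists, default-password list, and personal details are constructed placeholders, and the keyspace function is generalized to any alphabet size so that length can be compared against character variety.

```python
import re

# Constructed sample lists; a real checker would load a full wordlist
# and the vendor default-password list relevant to its environment.
DICTIONARY_WORDS = {"soccer", "watermelon", "password", "welcome", "dragon"}
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234"}

def keyspace(length, alphabet_size=26):
    """Number of distinct passwords of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols (26 = lowercase)."""
    return alphabet_size ** length

def alphabet_size(password):
    """Estimate the alphabet an attacker must search from the
    character classes actually present in the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size

def weaknesses(password, personal_info=()):
    """Return the list of essay weaknesses that apply to `password`.
    `personal_info` holds constructed strings such as a pet name."""
    found = []
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        found.append("default password")
    if lowered in DICTIONARY_WORDS:
        found.append("dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            found.append(f"contains personal info ({item})")
    if len(password) < 8:
        found.append("too short")
    if alphabet_size(password) <= 26:
        found.append("single character class")
    return found

if __name__ == "__main__":
    print(keyspace(5), keyspace(14))
    print(weaknesses("soccer"))
    print(weaknesses("Trixie!2019wins", personal_info=["Trixie"]))
```

Computing `keyspace(14)` exactly gives 64,509,974,703,297,150,976; the essay's figure is the same value rounded. Comparing `keyspace(14, 26)` with `keyspace(8, 95)` shows that fourteen lowercase letters outnumber eight characters drawn from the full printable ASCII set.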
Bahadur, G., Chan, W., & Weber, C. (2002). Privacy defended: Protecting yourself online. Indianapolis, IN: Que.
Burnett, M. (2006). Perfect passwords: Selection, protection, authentication. Rockland, MA: Syngress.
Gupta, M., & Sharman, R. (2009). Social and human elements of information security: Emerging trends and countermeasures. Hershey, PA: IGI Global.
Nemati, H. R. (2008). Information security and ethics: Concepts, methodologies, tools, and applications (Vols. 1-6). Hershey, PA: IGI Global.
Nemati, H. R. (2011). Security and privacy assurance in advancing technologies: New developments. Hershey, PA: IGI Global.
Vacca, J. A. (2010). Network and system security. Burlington, MA: Elsevier.