Make your password complex or long

I suspect that this isn’t really news to most of the people who read this blog, but all the same it’s very important.

Yahoo recently experienced a security breach which resulted in a lot of people’s passwords being exposed – 450,000 in all.

David Harley over on betanews highlights some statistics put together by Anders Nilsson. What these statistics show is that people still use the most basic of passwords:

  1. 123456 = 1666 (0.38%)
  2. password = 780 (0.18%)
  3. welcome = 436 (0.1%)
  4. ninja = 333 (0.08%)
  5. abc123 = 250 (0.06%)
  6. 123456789 = 222 (0.05%)
  7. 12345678 = 208 (0.05%)
  8. sunshine = 205 (0.05%)
  9. princess = 202 (0.05%)
  10. qwerty = 172 (0.04%)

In other words, with these top 10 passwords alone you get access to about 1% of accounts. That might not sound like a lot, but out of the 450,000 passwords leaked that is access to roughly 4,500 people’s information without even trying. Just think how much money that might be if it were 4,500 bank accounts.

The statistics on password length are equally poor:

Password length (length ordered)

  • 1 = 117 (0.03%)
  • 2 = 70 (0.02%)
  • 3 = 302 (0.07%)
  • 4 = 2748 (0.62%)
  • 5 = 5323 (1.2%)
  • 6 = 79610 (17.98%)
  • 7 = 65598 (14.82%)
  • 8 = 119125 (26.9%)
  • 9 = 65955 (14.9%)
  • 10 = 54756 (12.37%)

In other words, nearly 20% (19.92% by the figures above) of people have a password that is 6 characters long or fewer.

I’ve recently had a number of conversations with people about the security of email and Twitter accounts. In every instance the people blamed Google, Microsoft or Twitter. When I asked them what their password was, a number of them told me straight out; of those that told me, all of them were short and simple (also, if someone does ask you your password – don’t tell them).

Length and complexity of a password are both important, and they are not independent: each extra character multiplies the number of guesses an attacker has to make by the size of the character set, so a longer password drawn from a simple alphabet can be stronger than a short one drawn from a rich alphabet.

Rather than trying to remember a different password for each of the things that I use, I have a different regime depending upon how important the site is. There are lots of places that ask for a password for which there would be very limited impact on me if it was revealed. This password is still reasonably long and reasonably complex, but it’s the same one for all of these sites. There is then a small set of sites that are really important to me, where the impact of losing the password would be significant; I treat these completely differently. They have their own password, they have long complex passwords, and I change them reasonably regularly. This regime enables me to focus my attention on the important things.

Other people I know use a password management tool which, itself, generates strong hidden passwords. Examples of these are LastPass and 1Password.
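As an added illustration (not code from the original post, nor from LastPass or 1Password), the following Python puts numbers on the length-versus-complexity point and shows what a manager-style generator does: search-space bits for a uniformly random password, a check of a candidate against the top-10 list from the Yahoo leak quoted above, and generation with the standard library’s `secrets` module. The guess rate passed to `years_to_exhaust` is an assumed figure supplied by the caller, not a measurement of any real attacker.

```python
import math
import secrets
import string

# The ten most common passwords from the Yahoo leak, as listed in the post.
TOP10 = [
    "123456", "password", "welcome", "ninja", "abc123",
    "123456789", "12345678", "sunshine", "princess", "qwerty",
]


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Strength, in bits, of a uniformly random password of `length`
    symbols drawn from `alphabet_size` symbols: log2(alphabet_size ** length).
    Each extra character adds log2(alphabet_size) bits, which is why length
    is usually the cheaper way to gain strength."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at `guesses_per_second`.
    The rate is an assumption chosen by the caller (hypothetical figure)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def is_weak(password: str, min_length: int = 8) -> list:
    """Reasons a password would have been caught by the two statistics in the
    post: it is one of the top-10 leaked passwords, or it is shorter than
    `min_length`. An empty list means neither check fired; it does not mean
    the password is strong (dictionary words are not checked here)."""
    reasons = []
    if password.lower() in TOP10:
        reasons.append("in top-10 leaked list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a password the way a manager does: from the OS CSPRNG via
    `secrets`, never from `random`, which is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # 12 lowercase letters beat 8 characters from the full 95-symbol printable set.
    print(f"12 lowercase letters : {search_space_bits(26, 12):.1f} bits")
    print(f"8 printable chars    : {search_space_bits(95, 8):.1f} bits")
    # Assumed (hypothetical) rate of one billion offline guesses per second.
    print(f"years to exhaust 56 bits at 1e9/s: {years_to_exhaust(56, 1e9):.2f}")
    for pw in ("123456", "princess", "abc1234", generate_password()):
        print(repr(pw), is_weak(pw) or "passes both checks")
```

The comparison printed first is the point of the heading "complex or long": twelve lowercase letters (about 56 bits) is a larger search space than eight characters drawn from every printable ASCII symbol (about 53 bits), even though the latter looks more "complex".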

It doesn’t matter how you do it, but please make your passwords longer and more complex.

One day in the future passwords won’t be such an issue, but until then…

The Four Ages of Remembering a New Password

Someone once said that there are four ages of man (some have it as five, but four works for my illustration), likewise my experience tells me that there are four ages of remembering a new password:

  • Age 1 – Typing the old password right up until it’s about to get locked out before remembering that perhaps there was a reason why the system wasn’t accepting your password.
  • Age 2 – Typing in most of the old password before remembering that you changed it. Sitting for a few seconds trying to recall what the new password is. Mistyping the new password a few times before you get it right.
  • Age 3 – Before typing, looking at the screen and realising that there’s something you should be typing, but being unable to recall what it is. Remembering the new password and typing it in.
  • Age 4 – Type in the new password every time. Come to a system you use less regularly. Type in your new password a few times before realising that you’ve not changed your password on this particular system. Sit for a long while trying to remember what your old password was, give up and get the password reset.

Or is it only me?
