Around the holidays it's customary for tech writers to look at the worst passwords currently in use. Lists usually include password, qwerty, 123456, abc123, 111111, letmein, iloveyou, welcome, etc. Also popular are pet names and common given names like michael or ashley.
Reports predicting the demise of password authentication exaggerate how soon this might occur. Rest assured that passwords will be around for a while, so using them cautiously is still vitally important.
Rules for effective password use are drummed into our heads year after year. Most of the following should sound familiar.
• Passwords should be made up of eight or more characters.
• Passwords should include letters, punctuation, symbols, and numbers.
• Passwords should be changed often, ideally about every three months.
• Password reuse should be minimized (don't use the same password for all your accounts).
People largely ignore this advice, but you might be surprised to hear that techniques like character substitution (replacing an "l" with a "1" or a "3" for an "E") or appending numbers or punctuation marks to words don't necessarily make passwords stronger. Furthermore, password length isn't everything.
Password uniqueness is what really matters. When attackers steal a password database, the first thing they do is sort the accounts by password. Automated attempts to log on to banks, brokerage houses, etc. using the accounts that share the same password follow. Accounts with an unusual password do not lend themselves to this technique, so a unique password makes time an ally.
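As an added illustration of the two points above (example code, not from the original article): a small Python check that undoes the cosmetic substitutions and appended digits the text says add little, compares the result against a short common-password list, and then groups accounts that share a password, which is the view an attacker builds from a stolen database and the one a defender wants to see first. The common-password subset and the substitution map are assumptions; the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed subset of a common-password list (the article's examples);
# a real deployment would load a much larger list.
COMMON_PASSWORDS = {
    "password", "qwerty", "123456", "abc123", "111111",
    "letmein", "iloveyou", "welcome", "michael", "ashley",
}

# Substitutions the article describes ("1" for "l", "3" for "E") plus a few
# others of the same kind; this map is an assumption, not from the article.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password: str) -> str:
    """Strip the cosmetic tricks so 'P@ssw0rd123!' collapses to 'password'."""
    core = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", core)   # drop appended digits/punctuation
    if stripped:                                # keep all-digit passwords intact
        core = stripped
    return core.translate(LEET)

def is_common(password: str) -> bool:
    """True if the password, or its de-obfuscated core, is on the common list."""
    return password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS

def group_by_password(records):
    """Group accounts whose passwords collapse to the same core.

    Only groups with more than one account are returned: these are the
    accounts that would be tried together in an automated log-on attempt."""
    groups = defaultdict(list)
    for account, password in records:
        groups[normalize(password)].append(account)
    return {pw: accts for pw, accts in groups.items() if len(accts) > 1}

# Constructed sample records, not real credentials.
SAMPLE = [
    ("alice", "P@ssw0rd123!"), ("bob", "password"), ("carol", "L3tM3in"),
    ("dave", "xq7#Rm!pLz2v"), ("erin", "letmein2019"), ("frank", "123456"),
]

if __name__ == "__main__":
    for account, pw in SAMPLE:
        print(f"{account:6} {'COMMON' if is_common(pw) else 'ok':7} {pw}")
    print(group_by_password(SAMPLE))
```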
If you are unsure whether a password qualifies as "strong," you can easily test it using a free tool provided by Microsoft. The tool is accompanied by suggestions for creating strong passwords and conducting safer transactions online.
Another problem with online security is the widespread use of security questions. In many cases, poorly drafted security questions pose a greater threat than weak passwords.
"Security questions" are supposed to identify you in case you forget your password. Many sites today provide a link ("forgot your password?") so you can reset your password without contacting tech support. Here are examples of queries often used to confirm a site visitor's identity:
• Who was your third grade teacher?
• What was your maternal grandmother's maiden name?
• In what city was your first job?
• In what city were you born?
• What was the name of your first pet?
Strangers should not be able to answer any of these questions, but correct answers can often be gleaned from social networks or genealogy sites.