So what is a worried Internet user to do when faced with all of these breaches? There are two concerns. The first is that your account on one of these sites may be compromised. You can generally resolve that problem by changing your password for the affected sites as soon as a breach is announced.
The second problem is more serious. If you use the same user name and password on multiple sites, breaches like this could give cyber-criminals the keys to access much of your data.
Here are some tips on how not to create secure passwords. (Don’t worry, I’ll follow up with a post detailing how to create secure passwords to protect your user accounts, but for now enjoy this Password Selection Hall of Shame.)
Password Fail #1: Use a Simple Password
One thing that password breaches in the past have shown us is that the most widely used passwords are the dumbest. Here are the ten most common passwords:
It turns out that you have a good chance of getting into many people’s accounts – and computers – by just typing “123456.” Or even “password.” Or just the six letters on the top row of a keyboard, “qwerty.” Use something uncommon and you’ve reached first base.
Password Fail #2: Use a Password That’s Easy to Guess
Let’s say you have a son named “Chauncey.” When you’re asked for a password that has to be at least 8 characters long, you figure it’s a good idea to use his name. But anyone who can view your Facebook page will see a picture with him, with a comment such as, “Here’s Chauncey on the beach.” That is a pretty obvious clue; many people use the names of their children or their pets as passwords. And these are easy enough to find as we publish more and more of our private lives in public forums.
Skip over this idea, and you get to second base.
Password Fail #3: Use the Date of Your Wedding (or Birthday, or Child’s Birthday…)
So you got married on 6/23/2004. Since many sites require that you use at least eight characters for a password, you can change this to 06232004; that’s certainly a password you’ll never forget. That would be a good password, right? Not really. First, it’s pretty easy to find; there are all sorts of databases containing that kind of information. Second, plenty of friends and co-workers know the date of your anniversary. Pictures on your Facebook page, details on your personal blog, or tweets like, “Happy anniversary to my sweetheart” are all giveaways. The same goes for your birthday, your child’s birthday, your spouse’s birthday, and so on.
If you don’t use well-known or easy-to-guess dates as your password, congratulations, you’ve just advanced to third base.
Password Fail #4: Use the Same Password on Many Web Sites
It’s a lot easier to remember one password than dozens of different ones, right? So you come up with one really good password and you use it everywhere: Facebook, Twitter, Amazon, eBay, PayPal… Or what if you’ve used it on LinkedIn, eHarmony or last.fm, all sites that were recently breached? This is the main reason why cyber-criminals want to harvest passwords. If they get a user name and password and then find that it works on other web sites, they can usurp your identity, and perhaps even liquidate your assets. They can even buy things using your credit card – which is stored on, say, Amazon – and have them shipped to their addresses.
If you avoid these four password failures, you’re well on your way to hitting a secure password home run.
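The four fails above can be checked mechanically at the moment a password is chosen. The following Python sketch is an added example, not code from the original post; the function names, the three-entry common-password list (only the passwords the post names) and the salted PBKDF2 fingerprint used to spot reuse without keeping old passwords in plain text are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime

# Constructed sample list: only the three passwords the post names explicitly.
COMMON = {"123456", "password", "qwerty"}
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")

def fingerprint(password, salt):
    """Salted, slow hash so passwords used on other sites are never stored in plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_date_like(password):
    """Fail #3: digits (optionally separated by / - .) that parse as a calendar date."""
    parts = re.split(r"[/.\-]", password)
    if not all(p.isdigit() for p in parts):
        return False
    digits = "".join(p.zfill(2) for p in parts)  # 6/23/2004 -> 06232004
    for fmt in DATE_FORMATS:
        try:
            year = datetime.strptime(digits, fmt).year
        except ValueError:
            continue
        if 1900 <= year <= 2100:  # ignore accidental parses such as year 3456
            return True
    return False

def password_fails(candidate, personal_terms=(), used_elsewhere=()):
    """Return the numbers (1-4) of the post's fails that the candidate commits."""
    lowered = candidate.lower()
    fails = []
    if lowered in COMMON:                                    # Fail #1: simple password
        fails.append(1)
    if any(t.lower() in lowered for t in personal_terms if t):  # Fail #2: names, pets
        fails.append(2)
    if is_date_like(candidate):                              # Fail #3: a date
        fails.append(3)
    if any(hmac.compare_digest(fingerprint(candidate, salt), digest)
           for salt, digest in used_elsewhere):              # Fail #4: reused elsewhere
        fails.append(4)
    return fails
```

Here `personal_terms` holds names that appear in your public profiles, and `used_elsewhere` holds `(salt, digest)` pairs produced by `fingerprint` for passwords already in use on other sites; an empty result means none of the four fails was detected, not that the password is strong.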
In the next installment, I’ll cover how you can easily create secure passwords to protect your accounts and better safeguard your personal information. In the meantime, have you committed any password fails? Feel free to tell us your personal password mistakes in the comments.