Password Notes

By Leeland

Computer security is, not surprisingly, greatly underestimated and widely misunderstood. Accessing a computer normally requires two items: a login name or ID (identification) and a password. The combination of those two items constitutes a key. Like a good strong deadbolt on a house, or the locks on a car door, the login ID and password lock a computer.

Since login IDs are generally your name or some variation of it (first name plus first letter of last name, or vice versa), the ID is not difficult to obtain. In fact most people's login IDs double as their email address, which makes them essentially public information, much like the physical address of a home or office.

This means that the password is the secret part of access security, and its value is far greater than most people estimate. If a password is broken (discovered, guessed, or stolen), not only is all of your own data at risk (financial data, identity data such as SSNs, license numbers and birth date), so is all the data you store about others (birth dates, full names, children's names, addresses, possibly family information). Add to that the time and effort it takes to change all the numbers, clear out bad data, and regain control of any stolen identities. In other words, the importance of a secure password cannot be overstated: the password is how a computer verifies that the person logging in really is that person.

Passwords can be stolen or broken in many different ways. Associates might know enough to guess passwords based on kids' names, pet names, birthdays, or anniversaries; guessing someone's password is the top way criminals gain unauthorized access to a computer. Often a person's password can be found on a piece of paper next to their computer. Other times passwords are stolen simply by watching a person type. And of course there are software applications that are very good at guessing common or short passwords.

== Passwords You Should Never Use ==

According to numerous reports, most people still haven't answered the call by security experts to use more robust passwords. In one list of the easiest passwords to hack, simply typing '123456' took a truly forgettable top prize.

The company Imperva released a list of the passwords most likely to be hacked, based on analysis of 32 million passwords exposed in a single breach. Imperva named the report "Consumer Password Worst Practices," and some of the entries near the top are truly simple.

The top three passwords were all simple strings of digits: '123456', then '12345', then '123456789'; similar entries reappear at eight and nine on the top-ten list. The fourth most common was just the word 'Password', followed by 'iloveyou' and 'princess' at five and six. (Source:

What the report shows is that people still aren't using effective strategies to protect their sensitive information online. Using these kinds of passwords to protect your email account or, worse yet, banking information, could lead to theft or identity fraud.

=== Top 10 Worst Passwords ===

The following is a list of the most predictable passwords, and should not be used under any circumstances (Source:

# 123456
# 12345
# 123456789
# Password
# iloveyou
# princess
# rockyou
# 1234567
# 12345678
# abc123

== Better Passwords ==

A key finding is that 1 in 3 people choose passwords comprised of six or fewer characters; more than half use passwords based on only alpha-numeric characters; and almost 50 per cent used variations on their name, popular slang terms, or simple strings of consecutive characters from the average QWERTY keyboard -- such as 'asdfg'.

=== Choosing an effective password ===

# The password should be at least 8 characters. Six is the bare minimum; as discussed under Changing passwords below, a password of fewer than 6 characters falls to brute force in under a day.
# Mix upper case and lower case characters in your password.
# Mix numbers in the password, not necessarily at the end of the password.
# Mix special characters (for example, #@~).
# Do not use real words, names of people or names of places.
# Do not use a password that someone who knows you may guess (for example, your spouse, child or dog's name).
# Choose a password that will be easy to remember (a line from a song, an expression, initials, associative passwords, etc...).
# Do not write your password down. If you must write it down, protect it as you would your credit card.
# Do not use successive characters on the keyboard as your password (such as qwerty, asdfgh, 12345, etc...).
# Do not use a password that includes user information that is easily obtainable (such as names or initials, a telephone number, ID number, etc...).

Passwords should be simple enough that they won't be too easily forgotten, but the idea is to make cracking them virtually impossible for an attacker, whether a stranger or someone who knows you. That seems hard: with purely random characters it would be nearly impossible to remember more than a couple of such passwords. However, a few strategies have been proposed that produce strings of random-seeming characters while remaining easy to remember.

==== First Letter Method ====

One good method is to use the first letter of each word in a phrase you can easily remember. For example, "Seattle is great and I even like the rain." becomes 'SigaIeltr'. Add a digit or a special character somewhere in the middle to satisfy the checklist above.

==== Poor Spelling Method ====

Another method is to intentionally use misspelled words strung together using a number or special character. This can be kind of fun such as 'don=tak-dis' or '4braekfast'.

==== Two Words Stuck Together Method ====

Just putting some words together with punctuation and no spaces can make a reasonable password. For example "cup glasses pen" becomes "cuP:Glasses+Pen". The punctuation and odd capitalisation are what lift it above a plain combination of dictionary words, which cracking tools also try.

==== Hacker Leet Speak Method ====

Many hackers use numbers or punctuation in place of letters as a simple substitution (it is not encryption), as in: h3llo for hello, or he!!o for hello. Be aware that password-cracking tools apply these same substitutions to their wordlists, so leet-spelling a dictionary word adds little on its own; combine it with one of the other methods. Don't copy any of these examples, but U s33 wh4t 1 m34n.
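As an added example that is not part of the original post, the Python below turns the checklist under "Choosing an effective password" into a function and runs the sample passwords from the four methods above through it. The wordlist, the leet table and the personal-information sample are constructed stand-ins; a real check would use a full dictionary and a cracker's rule set.

```python
"""Checker for the password guidelines above, plus the First Letter Method.

Added example: the wordlist, leet table and samples are constructed for
illustration and are not taken from any real cracking tool.
"""
import re
import string

# Keyboard rows, used to spot runs of successive keys such as 'qwerty' or '12345'.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed stand-in for a real wordlist (a cracker uses millions of words).
DICTIONARY = {"password", "hello", "princess", "iloveyou", "breakfast",
              "seattle", "glasses", "welcome", "dragon"}

# One common leet mapping. Cracking rule sets try several such mappings,
# so a leet-spelled dictionary word is still a dictionary word to them.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "l", "|": "l"})


def first_letters(phrase):
    """First Letter Method: the first character of each word, case preserved."""
    return "".join(word[0] for word in phrase.split() if word[0].isalpha())


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` successive keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_password(pw, personal_info=()):
    """Return the guideline violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")
    digit_positions = [i for i, c in enumerate(pw) if c.isdigit()]
    if not digit_positions:
        problems.append("no digits")
    elif digit_positions == list(range(len(pw) - len(digit_positions), len(pw))):
        problems.append("digits only at the end")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if has_keyboard_run(pw):
        problems.append("successive keyboard characters")
    # Undo leet substitutions, then split on non-letters and look each word up.
    for word in re.findall(r"[a-z]+", pw.lower().translate(LEET)):
        if word in DICTIONARY:
            problems.append(f"contains dictionary word '{word}'")
    # Personal information (names, phone numbers, IDs) supplied by the caller.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in pw.lower():
            problems.append(f"contains personal information '{item.lower()}'")
    return problems


if __name__ == "__main__":
    phrase = "Seattle is great and I even like the rain."
    samples = [first_letters(phrase), "don=tak-dis", "4braekfast",
               "cuP:Glasses+Pen", "h3llo", "he!!o", "123456"]
    for pw in samples:
        print(f"{pw!r}: {check_password(pw) or 'passes'}")
    print(check_password("Fido2019!x", personal_info=["Fido"]))
```

Running it shows that 'SigaIeltr' fails only for lacking a digit and a special character, that the two-words example trips the real-word rule on 'glasses', and that both 'h3llo' and 'he!!o' are still 'hello' once the leet substitutions are undone.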

=== Changing passwords ===

Many security experts have taken up the idea that changing passwords often is a good thing. It is not really recommended. How often a password should change depends on how long it would take to break and on the value of the data it protects. Nevertheless, many companies have a policy requiring passwords to be changed every 90 days.

The more often someone is required to change their password, the more passwords they have to think up, so over time the quality of the passwords tends to drop as apathy sets in. Many people report that they eventually settle on some simple algorithm that produces a poor password which still meets the enforced requirements, simply because they grew tired of constantly inventing strong ones. Therefore the average quality of a frequently changed password will almost always be lower than that of a less frequently changed one.

The strength or quality of a password is governed by the time needed to break it by brute force. Password-cracking applications can recover any password of fewer than 6 characters in under a day. The longer and more random the password, the longer it takes to break. A strong password of 8 characters or more still takes more than 10 years of continuous attack to exhaust by brute force, so changing a strong 8-character password once every five years would be sufficient. These figures assume a fixed guessing rate against a properly hashed password store; against a fast, unsalted hash on modern GPU hardware the rate is orders of magnitude higher and the times shrink accordingly.
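The arithmetic behind those figures, as an added example that is not part of the original post: worst-case brute-force time is the size of the keyspace divided by the guessing rate, and the length needed for a given lifetime follows from the same formula. The two guessing rates are assumptions chosen for illustration (1e6/s for a slow salted hash, 1e9/s for a fast unsalted one), not measurements.

```python
"""Brute-force lifetime model behind the 'Changing passwords' figures.

Added example with constructed parameters: the guess rates are assumptions,
not benchmarks, and depend on the hash algorithm and the attacker's hardware.
"""
SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes for the character classes recommended above.
CHARSETS = {
    "digits only": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 94,  # printable ASCII minus space
}


def keyspace(charset_size, length):
    """Candidates of exactly this length; all shorter lengths together add
    less than one charset_size-th more, so they are ignored here."""
    return charset_size ** length


def worst_case_seconds(charset_size, length, guesses_per_second):
    """Time to exhaust the keyspace; on average the password falls in half that."""
    return keyspace(charset_size, length) / guesses_per_second


def min_length_for_lifetime(charset_size, guesses_per_second, years):
    """Smallest length whose exhaustive search takes at least `years` at this rate."""
    target_guesses = years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(charset_size, length) < target_guesses:
        length += 1
    return length


def lifetime_table(guesses_per_second, lengths=(6, 8, 10, 12)):
    """Years of exhaustive search for each charset and length at the given rate."""
    return {
        name: {n: worst_case_seconds(size, n, guesses_per_second) / SECONDS_PER_YEAR
               for n in lengths}
        for name, size in CHARSETS.items()
    }


if __name__ == "__main__":
    # Assumed rates: 1e6/s for a slow, salted hash; 1e9/s for a fast unsalted
    # hash on GPU hardware. Both are illustrative values, not benchmarks.
    for rate in (1_000_000, 1_000_000_000):
        print(f"\n{rate:,} guesses/second")
        for name, row in lifetime_table(rate).items():
            cells = "  ".join(f"{n}: {years:.2e} y" for n, years in row.items())
            print(f"  {name:<30} {cells}")
        print("  length for a 5-year lifetime, 62-character alphabet:",
              min_length_for_lifetime(62, rate, 5))
```

At 1e6 guesses per second an 8-character mixed-case alphanumeric password lasts about seven years, matching the text's five-year figure; raise the rate to 1e9 and the same lifetime needs 10 characters. Note that this models offline cracking of a captured hash; an online login that rate-limits attempts is a different, much slower, attack.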

If a password is going to be broken, it will almost always happen through means other than brute force. The standard attack methods (social engineering, the Post-it note next to the computer, dictionary attacks, or use of personal information) take far less time than any reasonable expiry interval: a password vulnerable to them generally falls in under an hour. Therefore a strong password changed infrequently is better than a weak one changed frequently.

Changing passwords frequently:

  • Does not prevent brute force attacks,
  • Decreases the quality of passwords used,
  • Increases the likelihood that they will get written down, and
  • Does not help in detecting broken passwords.

However, there are still attacks such as keystroke logging, watching someone type the password, or an insecure link that transmits the password in clear text, that can compromise even the strongest password. It is true that the longer a password is in use, the greater the chance it will be observed, stolen or guessed, in other words broken. Also, many people have difficulty remembering passwords, and the longer one has been in use the harder it can be to get used to a new one. Because there are so many ways to break a password, it is still good practice to change passwords at some interval.

Whatever interval is chosen, never reuse a previous password. It may still be worth keeping a record of previous passwords if the same password was used in more than one location: a restored archive may be protected by a long-forgotten prior password, and recording past passwords in a secure location can save a lot of trouble in that case.

Whatever you do, do not write a password on a sticky piece of paper and put it near your computer.
