Cyber security has gone mainstream. Nick Helm proved this with his winning joke of the 2011 Edinburgh Fringe Festival.

“I needed a password eight characters long so I picked Snow White and the Seven Dwarves.”

In a time when almost every aspect of our lives is password protected, it is crucial to ensure that your passwords are unique and sufficiently complex.

An article published earlier this year by CNet took a look at the 25 most common passwords of 2014. SplashData gathered the list from a leak of more than 3.3 million passwords during 2014. And after reading the list, it is no surprise they were leaked.

The worst password for two years running is “123456” while the runner up hasn’t changed either, with the enormously imaginative, “password.” Nine of the worst passwords of last year are strictly numerical with variations such as, “11111” and “123123” also making the list.

But there is some cause for hope. Online security expert Mark Burnett assisted with the study. “The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2 percent of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies,” Burnett says.

Take a look at the full list below, and if any of your passwords are listed, please change them immediately.

1) 123456
2) password
3) 12345
4) 12345678
5) qwerty
6) 1234567890
7) 1234
8) baseball
9) dragon
10) football
11) 1234567
12) monkey
13) letmein
14) abc123
15) 111111
16) mustang
17) access
18) shadow
19) master
20) michael
21) superman
22) 696969
23) 123123
24) batman
25) trustno1

If you now feel the need to change any of your passwords, a good place to start is the Guide to Password Management published by The National Institute of Standards and Technology, or NIST.

According to NIST, a password's strength is derived from its length and its complexity, where complexity is determined by the unpredictability of its characters.

Many systems now require passwords to contain characters from more than one of the following four groups: uppercase letters, lowercase letters, numbers and symbols. This is a common example of a complexity policy. These requirements increase the number of possible characters from 26 to 95, which in turn increases the number of possible passwords, and a larger number of possible passwords means more time is required to brute force the password.

For example, a four-character password could have any of 26 different values (a-z) for each of its four characters. This gives 26^4, or 456,976, different combinations. If that same four-character password can have any of 95 different values (A-Z, a-z, 0-9 and symbols) for each character, the number of possible combinations increases to 95^4, or 81,450,625.

As shown above, increasing the character set of a four-character password from 26 to 95 increases the possible combinations almost 200 times. However, increasing the password length from 4 to 12, even while using only 26 characters, increases the combinations by roughly 200 billion times.

NIST emphasizes that an increase in complexity increases the possible combinations somewhat, but an increase in password length increases the possible combinations exponentially.

Example:

A password meeting the requirements of a minimum of six characters and at least one uppercase letter, one lowercase letter and one number:

D1sn3y: 62^6, or 56,800,235,584, possible combinations

A password meeting just the requirement of a minimum of 26 characters:

snowwhiteandthesevendwarfs: 26^26, or about 6.1561196e+36, possible combinations!

In addition to increasing length and character variety, strong passwords should avoid common patterns. Most people capitalize the first letter of the password and put numbers and symbols at the end. Other common patterns are substitutions such as the number “1” for the letter “I” or “0” for “O”. Another mistake is to use a common title or phrase. Although these passwords may be long, they are predictable. Keep in mind that just because a password meets minimum length and complexity requirements does not mean it is strong. Attackers are aware of these common patterns, and this makes it easier for them to break through using a brute force attack.
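As an added example that is not part of the original article, the keyspace arithmetic from the section above (26^4, 95^4, 62^6, 26^26) and a check against the worst-25 list, in Python; the split of the 95-character set into 33 symbols and any guess rate passed to `seconds_to_exhaust` are assumptions.

```python
# Added example, not from the article: keyspace arithmetic behind the
# length-versus-complexity argument, plus a check against the 2014 list.
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 95 - LOWER - UPPER - DIGITS  # 33 printable symbols (assumed split)

# The 25 worst passwords of 2014 exactly as listed in the article.
WORST_2014 = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
    "trustno1",
}

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def charset_for(password: str) -> int:
    """Size of the class-based character set an attacker would search for
    this password: only the classes it actually uses count."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size

def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses/second
    (the rate is an assumption supplied by the caller)."""
    return keyspace(charset_size, length) / rate

def assess(password: str) -> dict:
    """Keyspace implied by the password's own length and classes, plus whether
    it is on the worst-25 list: a listed password is among an attacker's first
    guesses no matter how large its nominal keyspace is."""
    size = charset_for(password)
    return {
        "length": len(password),
        "charset": size,
        "keyspace": keyspace(size, len(password)),
        "in_worst_list": password.lower() in WORST_2014,
    }
```

Running `assess` on the article's two sample passwords reproduces its 62^6 and 26^26 figures, while `assess("trustno1")` shows why a password that satisfies a complexity policy can still be worthless.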

If you have the option of storing passwords, then you should maximize length and complexity. If you cannot store passwords and must remember them (which is better than writing them down), then it is important to maintain a three-tiered approach to password security.

Most Secure: Your most secure passwords should be used for applications and services such as email, credit cards, and banking.

Medium secure: The second most secure passwords should be used for applications where you have some sensitive data but no financial, health or other data that could cause a major problem if it was compromised. Examples of medium security sites may be social media such as Facebook, Twitter, LinkedIn or shopping sites.

Least secure: This is not to say you use a weak password; rather, you accept that this is the one that could most easily be compromised at the source. Use this password on all generic sites such as forums and news sites, where you never store sensitive data.

Keep in mind that you shouldn’t use the same password for all three security levels. It is also very important to treat your primary email password as the most secure level. Your email often offers backdoor access to many sites and services through password resets, so if a hacker gets into your email they could reset the rest of your passwords and thus gain access to those accounts.

For more information and to make sure your passwords are strong and ensure your data is secure, contact us at info@ostendio.com for a free copy of the Ostendio Password Policy.

To read the referenced articles:

http://www.cnet.com/news/worst-passwords-of-2014-are-just-as-awful-as-you-can-imagine/

http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf