Passwords are great! They keep thieves out of bank accounts, exes out of Facebook accounts, and spies out of virtual vaults filled with top secret information.

This is true, assuming your password isn’t actually “password” or some other easily guessed word.  ZDNet did an analysis of a recent RockYou.com server breach and found that the most used password wasn’t actually a word.

It’s “123456”.  Can you believe it?  I mean come on people, 123456?!

The rest of the most frequently used passwords are equally ‘fascinating’ from a human behavior perspective.  Check out the rest of the list from the ZDNet article.

Thanks to ZDNet for the image!

The different variations of 123456 aren’t too surprising and for YEARS we’ve known that *everyone* uses “password” for their password.  I suppose I’m not so shocked to see it still on there.  “Princess” is a little funny as is using your own name (at least you won’t forget it right?).

But “monkey?” Seriously? 15,294 RockYou.com users all picked that one.

In an effort to protect people from their own laziness, many networks require that you add extra elements into passwords such as symbols and numbers.

Allowing digits increases the number of possibilities for each character of a password.

For instance, if your password was only one character long and it was restricted to the simple alphabet, there would be 26 different possibilities for that password.  If that same one character password included both alphabet and numbers, you now have 36 different possibilities. (Don’t forget that “0” zero counts for numbers!)

Now, typically you’re required to make a password at least 6 characters long. Using the above policy of letters and numbers (not case specific), a 6 character password has 36 × 36 × 36 × 36 × 36 × 36 = 36^6 possibilities, which works out to:

2,176,782,336 (a little under 2.2 billion.  Lots of passwords for your ex to try!)

That’s a pretty secure looking number! You can see why sites encourage, and sometimes force, you to have both letters and numbers. Hold that thought, though.

Thanks to SECTools.org for the screenshot!

The problem is that there are a multitude of password crackers out there. These simple applications are designed to figure out your secret as quickly as possible!

These little tools have bad-ass hacker names like “Cain & Abel,” “John the Ripper,” and “THC Hydra.”  And the easier your password is, the quicker they get the job done!  Sometimes they’ll even start with the most popular possibilities, because they know so many people use them! (That means you, Mr. or Ms. I-Use-123456-As-My-Password!)  One distinction worth knowing: John the Ripper and Cain & Abel work offline against a stolen copy of the password hashes, guessing as fast as the hardware allows with nothing to slow them down, while THC Hydra guesses against a live login form or network service, where the site’s lockout rules and rate limits are all that stand in its way.
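Here is what “start with the most popular possibilities” looks like in code: an added example written for this post, not the source of Cain & Abel, John the Ripper or THC Hydra. It takes a constructed set of four accounts whose passwords are stored as unsalted SHA-256 hashes (an assumption made so there is something to crack; RockYou itself kept plaintext), tries the popular passwords first, then falls back to brute force over the letters-and-digits alphabet, and reports how many guesses each account cost. The wordlist holds the entries the post names plus two constructed stand-ins for the 123456 variations; the two random passwords and the guess budget are also constructed.

```python
"""Wordlist-first password cracking demo (added example, not a real tool's code)."""
import hashlib
import itertools
import string

# Constructed demo accounts. Hashing with unsalted SHA-256 is an assumption
# for the demo; the real RockYou breach exposed plaintext passwords.
DEMO_PASSWORDS = {
    "alice": "123456",    # the most-used RockYou password on the ZDNet list
    "bob": "monkey",      # also on the list
    "carol": "zq7",       # constructed short random password
    "dave": "x7q2pkv9",   # constructed 8-character random password
}

# Popular passwords tried first. 123456, password, princess and monkey are
# named in the post; 12345 and 123456789 are constructed stand-ins for the
# "variations of 123456" it mentions.
TOP_PASSWORDS = ["123456", "12345", "123456789", "password", "princess", "monkey"]

# Brute-force alphabet: the post's 36 symbols (letters, not case specific, plus digits).
CHARSET = string.ascii_lowercase + string.digits


def sha256_hex(text):
    """Unsalted SHA-256 of a password, as the demo 'site' stored it."""
    return hashlib.sha256(text.encode()).hexdigest()


LEAKED_HASHES = {user: sha256_hex(pw) for user, pw in DEMO_PASSWORDS.items()}


def crack(target_hash, wordlist=TOP_PASSWORDS, max_len=4, budget=200_000):
    """Return (method, guesses, password) for one hash.

    Popular passwords are tried first; only then does the search fall back
    to exhaustive enumeration of CHARSET strings of length 1..max_len,
    giving up once `budget` guesses have been spent.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return ("wordlist", guesses, candidate)
    for length in range(1, max_len + 1):
        for chars in itertools.product(CHARSET, repeat=length):
            if guesses >= budget:
                return (None, guesses, None)
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return ("bruteforce", guesses, candidate)
    return (None, guesses, None)


def crack_all(hashes=None, **kwargs):
    """Crack every account and return {user: (method, guesses, password)}."""
    hashes = LEAKED_HASHES if hashes is None else hashes
    return {user: crack(h, **kwargs) for user, h in hashes.items()}


if __name__ == "__main__":
    for user, (method, guesses, password) in crack_all().items():
        status = f"{method}: {password!r}" if method else "not found within budget"
        print(f"{user:6s} {guesses:>8,} guesses  {status}")
```

The popular passwords fall in single-digit guesses, the three-character random one costs tens of thousands, and the eight-character one is not found within the budget at all. Real crackers run wordlists far longer than six entries, and apply mangling rules (append a digit, capitalize the first letter) to each entry, before resorting to exhaustive search.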

As tools to break passwords get stronger, network administrators realize that passwords have to get stronger.  Rather than leave your bank account password up to the peasants, they’ve instituted martial law on your creativity.

Here’s an extremely heavy password policy from a financial company:

Are you overwhelmed yet? You’ll need to create something between 8 and 12 characters long with at least one upper case letter, one lower case letter, one number, and one symbol.

Furthermore, don’t even think about repeating too many of these characters!
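To put numbers on the arithmetic above (36 choices per character for letters plus digits) and on the financial-site policy just described (8 to 12 characters with at least one upper case letter, one lower case letter, one digit and one symbol), here is an added example in Python; it is not code from the original post. It counts the size of each password space, uses inclusion-exclusion to count only the strings that satisfy every “at least one of” rule, and converts a count into worst-case cracking time at an assumed guess rate. The symbol-set size (32) and the guess rate (a billion per second, illustrative of an offline attack on a fast unsalted hash) are assumptions. The repeated-character rule is left out because the post does not say how many repeats the policy allows.

```python
"""Password keyspace arithmetic (added example, not code from the original post)."""
from itertools import combinations

# Character classes. The symbol count is an assumption: 32 is the number of
# printable ASCII punctuation characters, but the post's policy screenshot
# does not say which symbols the site accepts.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32

# Assumed guess rate for an offline attack on a fast, unsalted hash
# (illustrative only; real rates depend on the hash type and hardware).
GUESSES_PER_SECOND = 1_000_000_000


def keyspace(alphabet_size, length):
    """Number of strings of exactly `length` chars drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_range(alphabet_size, min_len, max_len):
    """Same, for any length between min_len and max_len inclusive."""
    return sum(keyspace(alphabet_size, n) for n in range(min_len, max_len + 1))


def constrained_keyspace(class_sizes, length):
    """Strings of `length` chars over the union of the classes that contain at
    least one character from EVERY class, by inclusion-exclusion: start from
    all strings, subtract those missing one class, add back those missing
    two classes, and so on."""
    count = 0
    for omitted in range(len(class_sizes) + 1):
        sign = (-1) ** omitted
        for missing in combinations(range(len(class_sizes)), omitted):
            remaining = sum(size for i, size in enumerate(class_sizes) if i not in missing)
            count += sign * remaining ** length
    return count


def constrained_keyspace_range(class_sizes, min_len, max_len):
    """Constrained count summed over every allowed length."""
    return sum(constrained_keyspace(class_sizes, n) for n in range(min_len, max_len + 1))


def min_length_for(alphabet_size, target):
    """Smallest length whose keyspace reaches `target` possibilities."""
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password in `space` at `rate` guesses per second."""
    return space / rate


if __name__ == "__main__":
    simple = keyspace(26 + 10, 6)  # 6 chars, letters + digits, not case specific
    print(f"6 chars, letters+digits:   {simple:,} ({seconds_to_exhaust(simple):.1f} s to exhaust)")
    print(f"7 lowercase letters:       {keyspace(26, 7):,}")
    print(f"[a-z0-9] chars to reach 10^28: {min_length_for(36, 10**28)}")
    policy = constrained_keyspace_range([UPPER, LOWER, DIGITS, SYMBOLS], 8, 12)
    loose = keyspace_range(UPPER + LOWER + DIGITS + SYMBOLS, 8, 12)
    years = seconds_to_exhaust(policy) / (365 * 86400)
    print(f"financial policy, 8-12 chars: {policy:,} ({years:,.0f} years to exhaust)")
    print(f"same lengths, no class rules: {loose:,}")
```

Two things the output makes plain: seven lowercase letters (about 8 billion) already beat six letters-and-digits (about 2.2 billion), so one extra character does more than a wider alphabet; and the “at least one of each class” rule makes the space slightly smaller than simply allowing those classes, since it tells an attacker which strings not to bother trying.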

Oh and by the way, as soon as you come up with something clever, that you’ll actually remember, the password will likely expire and you’ll have to invent something totally new!

And it’s this last part, the time before expiration, where they really get you.  Because unless you can figure out a password creation system that is flexible for monthly changes (that you can remember), then you’re doomed to either write it down somewhere or click on that “Forgot Password” link of shame every time you want to log in.

When I quizzed Twitter about this frustrating trend, a few tweeple chimed in:

  • @RichKolb said “Sites that don’t allow symbols are what frustrate me, the stronger the password the better!”
  • @DigPhil said “TD Bank; hides your username as you type”
  • And also a thanks to @Brett_Ski for the RT.

First of all, Rich, you’re a monster! It’s people like you that will drive our network admins to require a blood sample along with a 24 digit code! haha!  He must have a cool system down that works well with the latest requirements.

Rich brings up a good point though. Almost every site you go to has different requirements and once you’ve got a $up3r password figured out, it’s hard to go back to just letters and numbers!

It’s craziness like this that drives people to use RoboForm and the multitude of other password management tools.  These solve the immediate problem of remembering all of your passwords, though I’m sure information security experts cringe at having all of your eggs in one basket!

I’d like to thank Phil for pointing out how extreme TD Bank has gone by hiding not just your password but your user name as you type! You’d better be sure of those typing fingers!  One false move and you get the “wrong password, idiot screen.” Three false moves and you might just be locked out!

Thanks to Roger's Info Sec Blog

The future… What’s a blog post without a hat tip to the future?  I’ll bet you that just as our grandparents are amazed that we have to use passwords, our grand children will be too! (If you already have grand children, then insert 2+ generations.)

Business, government, and military have been experimenting with cards, scans, and all sorts of identification tech for decades now.  Depending on how well these tools play with privacy avengers, passwords may go the way of 3.5″ disks!

Note on Comments: If a site is frustrating you with their password policies, feel free to hate on them in the comments! 😉