Password (not) Protected

Sue Marquette Poremba

This story on stolen passwords caught my attention for a couple of reasons. First, it is from my hometown newspaper, and secondly, I found it moments after seeing a CNET article referencing a Symantec survey on how often we change our passwords. The result: not very often. The survey found that 63 percent of respondents don't change their passwords very often and 44 percent alternate the same passwords on a variety of accounts.


I totally understand why people want to use the same password for multiple accounts. I fall into that group of 44 percent who have more than 20 accounts that require passwords, and I'm sure I'm like a lot of computer users: Some accounts I log into daily, making the password easy to remember, but others I access once every couple of months, and I struggle to remember what password I created for a particular account. Based on my own experiences and conversations with people in different businesses, most people not only access work-related password-protected e-mail accounts, databases, and files, but also log into bank accounts, Facebook, and personal e-mail on their business computers.


As it states on the Symantec blog:


The fact is, hackers can get through any password if they're given enough time. Your goal should be to make it as painful as possible for them. The name of your child or pet is not going to accomplish that, regardless of how much you love them or how much you like their name.


Hackers use a couple of methods to get past passwords. If they don't try to trick the computer into letting them through, they use software called "brute force dictionaries." This software makes as many attempts as necessary to guess the password. Unfortunately, 123456 and HHHHHH are not going to take long to stumble upon.


Not to mention, similar or re-used passwords make it all that much easier to break into multiple accounts.


There are a number of suggestions to better protect passwords that can be instituted at the enterprise level for both employees and customers who need to log in to use your services. They include:


  • Require a minimum password length -- the longer the password, the better.
  • Require use of a mixture of upper and lower case letters, numbers, and symbols.
  • Allow users to create security questions for password retrieval or use questions that are out of the ordinary. Thanks to social media, the answers to many standard questions, like your hometown or your grandmother's first name, are posted online and easy to find.
  • Require passwords be changed regularly. As my colleague Paul Mah wrote:


The security reality of keyword loggers and the pervasiveness of other invasive malware mean that it remains an important practice to enforce regular password changes.
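One way to enforce the length and mixed-character rules above, together with a dictionary and pattern check that rejects the two examples from the paragraph on brute-force dictionaries, as added example code (not from the original post; the word list and thresholds are constructed for illustration):

```python
import math

# Constructed stand-in for the word list a brute-force dictionary tool tries first;
# a real cracking list holds millions of entries, this one is illustrative only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "fluffy", "hhhhhh"}

# Alphabet size per character class, used to estimate the blind brute-force search space
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def is_repeat_or_sequence(pw):
    """True for 'HHHHHH' (one repeated character) or '123456'/'abcdef' (consecutive codepoints)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def brute_force_bits(pw):
    """Bits an attacker must exhaust to try every string of this length over the classes used."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def check_password(pw, min_length=12, min_classes=3):
    """Apply the enterprise rules from the post; return the list of violations (empty = accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(char_classes(pw)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password dictionary")
    if is_repeat_or_sequence(pw):
        problems.append("repeated or sequential characters")
    return problems
```

Note that the bit estimate only measures the blind search space; the dictionary check is what catches short, popular passwords long before a brute-force run would need to.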

Apr 1, 2010 11:05 AM Luke says:

I use Sticky Password manager and my passwords are secured. But this is a really nice article and it is true. People don't care about their passwords.




