CYBEREYE

One more reason why passwords are no darn good

It might look secure, but even an eight-character, alpha-numeric password with upper and lower case could be trivial to crack.

Take, for instance: !QAZ2WSX. A study by Imperva found this was the most common strong military password.

It appears to be an improvement over favorites identified in 2009, which included “qwerty,” “12345,” and names such as Michael, Daniel and Jessica. But take a look at your keyboard, and you will see that it is an easily predicted series.


“We aren’t the only ones who are taking note,” Rob Rachwald of Imperva said in the post describing the study. He displayed a screenshot from a hacker forum that showed the SHA1 hashes for this and a variety of other common sequences.

“Enforcing strong passwords means anticipating all kinds of keyboard sequences,” he wrote. The problem with that is keyboard sequences are a great tool for remembering complex passwords that you are not supposed to write down.

The solution? Rachwald recommends the pass phrase, a series of words that can easily be made long enough to resist brute force attacks. “More importantly, they are easier to remember and harder to crack,” he said.
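The keyboard-sequence problem Rachwald describes can be checked mechanically. The Python below is an added example, not Imperva's code or anything from the original post: it maps each character to its physical key on a US-QWERTY layout, finds runs of adjacent keys, and reports both the nominal brute-force search space a naive strength meter would show and the fraction of the password that is actually a keyboard walk. The layout table, the run length of 3 and the 50% rejection threshold are this example's own assumptions.

```python
import math

# Unshifted US-QWERTY rows, left-aligned so that the physical key columns
# (1-Q-A-Z, 2-W-S-X, ...) share a column index. The layout is an assumption
# of this example; other layouts would need their own table.
QWERTY_ROWS = [
    "1234567890-=",
    "qwertyuiop[]",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Shifted symbol -> the unshifted character on the same physical key.
SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))

KEY_POS = {}
for _row, _keys in enumerate(QWERTY_ROWS):
    for _col, _key in enumerate(_keys):
        KEY_POS[_key] = (_row, _col)


def key_position(ch):
    """(row, col) of the physical key that produces ch, or None if not on the layout."""
    ch = ch.lower()
    return KEY_POS.get(SHIFTED.get(ch, ch))


def adjacent(a, b):
    """True if a and b sit on neighbouring keys, diagonals included.
    A repeated key is not counted as a walk step."""
    pa, pb = key_position(a), key_position(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def keyboard_walk_runs(password, min_run=3):
    """Maximal substrings whose consecutive characters are all adjacent keys."""
    runs = []
    start = 0
    for i in range(1, len(password) + 1):
        if i == len(password) or not adjacent(password[i - 1], password[i]):
            if i - start >= min_run:
                runs.append(password[start:i])
            start = i
    return runs


def naive_entropy_bits(password):
    """Search space a blind brute-force attacker would face if the password were
    a uniform draw from its character classes: what a naive meter reports."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ]
    alphabet = sum(size for present, size in classes if present)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password, min_run=3, threshold=0.5):
    """Reject when at least `threshold` of the characters belong to keyboard walks.
    The threshold is a policy choice made for this example."""
    runs = keyboard_walk_runs(password, min_run)
    covered = sum(len(r) for r in runs)
    fraction = covered / len(password) if password else 0.0
    return {
        "naive_bits": round(naive_entropy_bits(password), 1),
        "walk_runs": runs,
        "walk_fraction": round(fraction, 2),
        "reject": fraction >= threshold,
    }


if __name__ == "__main__":
    for pw in ["!QAZ2WSX", "qwerty", "12345", "Michael", "correct horse battery staple"]:
        print(repr(pw), assess(pw))
```

Run as a script, `!QAZ2WSX` comes out with roughly 49 nominal bits but is 100% keyboard walk (`!QAZ` and `2WSX`, two adjacent columns), while a four-word passphrase contains no walk at all. A real meter would layer dictionary and repeat checks on top of this, but the walk detector alone catches the whole class of patterns Rachwald's screenshot showed.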

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Aug 16, 2011 Jeff Arizona

I need to keep track of about 100 user names and accounts, but I only need to remember one COMPLEX password to open the KEE-PASS database file. There are other software applications that do the same thing like ROBOFORM.

Thu, Aug 4, 2011 earth

Good Grief! If someone writes a password system that doesn’t add a long salt to the password before hashing it, they should be fired. A ‘salt’ is a random bit string added to the password before the hash. That makes a hash of common sequences and words useless. Every system should come up with its own salt, and one of 512 bytes or so is relatively easy to handle. Look at the instructions for installing “wordpress” to see how easy it is.
Problem two, get away from pass“words”. Make it a pass phrase allowing full sentences with full punctuation. (Even a full paragraph.) I know of at least one university system that doesn’t allow more than 8 characters and doesn’t allow any punctuation; what’s up with that? One has to wonder if they restrict the password to being soft so they can hack it themselves. Anything less than this should be considered malfeasance. ( of the privacy act).
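The salting point in the comment above connects directly to the forum screenshot in the article. The following Python is an added example, written for this page and not taken from the article or the commenter: an unsalted SHA1 digest of any of the common sequences the article names is recovered instantly from a table computed once in advance, while the same password stored with a per-record random salt and a slow key-derivation function produces an unrelated record for every user and matches nothing precomputed. The candidate list is constructed from the sequences in the article; PBKDF2-HMAC-SHA256, the 16-byte salt and the 200,000 iterations are this example's choices.

```python
import hashlib
import hmac
import os

# Constructed candidate list built from the sequences the article names; a real
# precomputed table would hold millions of entries.
COMMON_SEQUENCES = ["!QAZ2WSX", "qwerty", "12345", "Michael", "Daniel", "Jessica"]

# Parameters chosen for this example (not from the article or the comment).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password):
    """What a system that hashes the bare password with SHA1 stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """digest -> plaintext table: one hash per candidate, computed once and
    reusable against every unsalted record anywhere."""
    return {unsalted_sha1(p): p for p in candidates}


def recover_unsalted(stored_digest, lookup):
    """A plain dictionary hit: no guessing needed for a listed password."""
    return lookup.get(stored_digest)


def hash_password(password, salt=None):
    """Salted, iterated hash. A fresh random salt per record means two users with
    the same password get unrelated records and no precomputed table applies."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def store_and_verify(password, attempt):
    """Create a salted record for `password`, then check `attempt` against it."""
    salt, stored = hash_password(password)
    return verify_password(attempt, salt, stored)


def records_differ_for_same_password(password):
    """Two independently created records of one password differ, because the
    salts are drawn at random (a collision of 16-byte salts is negligible)."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    lookup = build_lookup(COMMON_SEQUENCES)
    print("unsalted SHA1 of !QAZ2WSX recovered as:",
          recover_unsalted(unsalted_sha1("!QAZ2WSX"), lookup))
    salt, stored = hash_password("!QAZ2WSX")
    print("salted record found in table:", recover_unsalted(stored.hex(), lookup))
    print("verify correct:", verify_password("!QAZ2WSX", salt, stored))
    print("verify wrong:", verify_password("!QAZ2WSY", salt, stored))
```

The salt is stored beside the digest in the clear; its job is not secrecy but uniqueness, so that each record has to be attacked on its own and at the cost of the iteration count rather than looked up. The iterated KDF is the second half of the defence the comment does not mention: a salt alone still allows a fast single hash per guess.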

Wed, Aug 3, 2011

Humans aren't wired to remember multiple 15 character passwords with varying reset cycles. So people either end up with cheat sheets, or overwork the sysadmins with constant resets. I use an anonymized matrix that never leaves my person. Nothing to steal from my desk, and if I lose my pocket contents, the matrix is so much gibberish to whoever finds it, with no associations to me or any systems. 2-factor CAC authentication is the way to go- the card by itself is useless. But it will be another decade before DoD and the rest of Feds get rid of legacy systems from mainframe/Unix era with UID/PWD front doors.

Wed, Aug 3, 2011 Ft. Meade

Changing your password is ridiculous. I don't care what it was, and I don't care what it used to be. Did you lock your car today? Did you set the alarm? Locking your car is "reasonable care". Setting the alarm is a waste of time. If anyone hears it? ... they don't even look in that direction. Reasonable care means you don't hinder a person's ability to work.

Tue, Aug 2, 2011 Walter Washington DC

I have over a dozen hardened passwords for different applications, many of which have different user IDs as well. They have different requirements: some can be changed slightly, others need to be changed radically, no repeats over the last 25, etc. Some reset every 2 months, some every 6. The only practical answer is to write them all down on post-it notes or in a notebook with a pencil so you can erase and put the new ones in. My favorite though, is one that is used for annual updates but has a password that resets every 2 months. So every year, you have to contact the admin and reset your account. The only time anyone uses the silly thing is during the Sept-Oct FY turnover. Maybe if we start barcoding workers, or embedding subdermal microchips?
