Passwords which are bad for your health

I’ve seen some passwords that took a few years off my life.

I mean, we all know about dictionary words, right? And we’ve all seen Spaceballs, right? But choosing 12345 as your password is not the only careless option: there are many more! The more familiar I get with users’ passwords, the more I see how alike they all are.

Let’s review some of the commonly used bad password practices:

  • Empty passwords. Need I say more? Apparently yes. So what if “there’s only access through firewall from our company’s IP”?
  • Dictionary passwords: real English words like ‘falcon’ or ‘tiger’. Don’t use these! They are the easiest to attack.
  • Well-known words: how about ‘Gandalf’? It’s not in the dictionary, but it’s popular enough to appear in any respectable word list. For that matter, look at how well passwords are filtered on RedHat: you can’t choose a password which is a common first or last name in the US, Italy, or even Israel, which is great!
  • Common substitutes: enough with ‘1nsi9ht’ and ‘@dm1n’! These are almost as easy to break as dictionary words; it’s just a matter of a few more combinations per word.
  • Keyboard clusters: say No! to ‘1qa2ws’. Don’t use ‘$rty&*io’. They seem random at first sight, but look for them on the keyboard: it’s just your common “how shall I create a password that’s so easy to remember I will never forget it?”. Now REPLACE(“remember”, “break”) and REPLACE(“never forget”, “always regret”).
  • Children’s names, birth dates, 123456, your car’s license plate number, your Yahoo! mail password, etc. etc. etc.

There are many guidelines for choosing strong passwords. And everyone seems to know about it. But I’m still surprised when I find out the MySQL root password is ‘zxcvbn’ or ‘pa55wd’.
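As an added example (not code from the original post), here is a small Python audit that flags the bad-practice classes listed above: empty passwords, dictionary words, words with common substitutions, keyboard clusters, and caller-supplied personal information. The word list, the keyboard layout and the 0.75 walk threshold are constructed stand-ins, not a real policy.

```python
# Constructed stand-in for a real dictionary and name list; a deployment would
# load a full word list (as the RedHat password filter mentioned above does).
WORDLIST = {"falcon", "tiger", "gandalf", "insight", "admin", "passwd", "password"}

# Keyboard rows, index-aligned so column walks (1-q-a, 2-w-s) line up.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {c: (r, i) for r, row in enumerate(ROWS) for i, c in enumerate(row)}
# Shifted digit-row symbols back to their keys, so '$rty&*io' reads '4rty78io'.
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
# Undo common substitutions before the dictionary lookup ('1nsi9ht' -> 'insight').
UNLEET = str.maketrans("0134579@$!", "oieastgasi")


def adjacent(a, b):
    """Two keys are neighbours if they are at most one step apart on the layout."""
    if a not in POS or b not in POS:
        return False
    (r1, i1), (r2, i2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(i1 - i2) <= 1


def keyboard_walk_ratio(pw):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    keys = pw.lower().translate(UNSHIFT)
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


def audit(pw, personal=()):
    """Return the bad-practice classes a password falls into (empty list = none found).
    `personal` holds caller-supplied names, dates, plate numbers etc. to screen for."""
    if not pw:
        return ["empty"]
    reasons = []
    low = pw.lower()
    if low in WORDLIST:
        reasons.append("dictionary word")
    elif low.translate(UNLEET) in WORDLIST:
        reasons.append("dictionary word with common substitutions")
    # 0.75 is an assumed threshold: most of the keystrokes walk the keyboard.
    if len(pw) >= 4 and keyboard_walk_ratio(pw) >= 0.75:
        reasons.append("keyboard cluster")
    if any(p and p.lower() in low for p in personal):
        reasons.append("contains personal information")
    return reasons


if __name__ == "__main__":
    for candidate in ["", "falcon", "1nsi9ht", "1qa2ws", "$rty&*io", "zxcvbn"]:
        print(repr(candidate), audit(candidate) or "no obvious bad practice")
```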

MySQL allows any character in your password, so you may use punctuation, spaces, and other symbols. This is stronger than plain letters and digits.

I think it all boils down to one question: do you really need to remember the password? If so, go ahead and use some personal hints, and make it difficult for the intruder.

If not – and you can store the passwords, encrypted with stronger passwords on a secure server; on plain paper on your bookshelf; behind your mother’s cupboard, tucked between her Bridge winnings notes – then use as strong a password as you can get.

A good tool which I’ve begun to use recently is pwgen. For example:

$ pwgen -cn 32 1
na5thoeh4jaeth9OoMooBiosoophuShi
$ pwgen -ycn 32 1
zahC0eehei.tee0pahL3sej2ohv^e8me

pwgen can be instructed to include or omit digits, uppercase letters and special characters, and is very handy.

Conclusion

Not all my passwords are so strong; I make the distinction between critical data, confidential data, personal data; the damage done by exposing a password; etc.

If your server is behind a firewall, that means you have a reason for not letting people in. Take the next small step and choose strong passwords for your OS, database, htaccess and the rest of the gang.
