Password advice you can use… maybe

A few days ago, security researchers published a report indicating something that we all know – users use weak passwords and reuse them.  But the Canadian press recently published an article with something that is actually useful:

Online security experts say there are a number of tactics to thwart hackers when it comes to passwords, including changing it regularly and using a hard-to-guess combination of letters, numbers, punctuation and symbols.

But perhaps the best piece of advice is not to use "password" as your password.

The California-based software company SplashData analyzed millions of stolen passwords that had been obtained by hackers and found some dangerously simple choices came up again and again.

The most common was "password," followed by "123456," "12345678," "qwerty," "abc123," "monkey," "1234567," "letmein," "trustno1," "dragon" and "baseball."

Users who have trouble remembering all their online passwords can buy software to automatically — and securely — log them into websites.

I highlighted the important part above.  Security companies routinely give useless advice like "use passwords with loads of random numbers, letters, and other characters."  Don't write them down, either.  And memorize them.

As I have said in the past, this advice is useless.

Rather than giving that advice, perhaps we should say to users "Look, don't use the easy passwords like 'password', '123456', 'qwerty', or 'abcdefg'."  If users at least don't use the ones that are easy to guess, then that makes it just a little bit more difficult for hackers to break in.  It won't stop them forever, but it does give them an extra hoop to jump through.

So rather than telling people what they should do (which nobody does), at least tell them something easy that they shouldn’t do.  It’s a start.

Incidentally, the software to automatically and securely log people into websites isn't that useful, either.  Such tools assume that you are only using one computer.  How many people is that true for nowadays?  I use a PC, a Mac (sometimes), my iPad, and my smartphone.  If I have secure password software on one of those… how will I get into my web portals on the other devices?

So much for that idea.  Well, at least until someone writes a cloud-version of it and it runs on multiple platforms.