Consumer password worst practices

17 February 2010

In December 2009 a major vulnerability was discovered in the website that led to the breach of 32 million passwords. The hacker posted the full list of passwords on the Internet, providing a unique glimpse into the way users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. After analysing the strength of the passwords, the Imperva Application Defense Center (ADC) found:

  • 30% of users chose passwords whose length is equal to or below six characters.
  • 60% of users chose their passwords from a limited set of alpha-numeric characters.
  • 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among account owners is "123456".[1]

  1. Choose a strong password for sites where you care about the privacy of the information you store there. This technique is useful: "take a sentence and turn it into a password. Something like 'This little piggy went to market' might become 'tlpWENT2m'."[2]
  2. Where possible, your password should:
    • Contain both upper and lower case characters (e.g., a-z, A-Z)
    • Have digits and punctuation characters as well as letters (e.g., $%^&)
    • Be at least eight characters long
    • Not be a word in any language, slang, dialect, or jargon
    • Not be based on personal information (e.g., names of family members)
  3. Maintain separate passwords for internal and external system access. For example, do not use your online banking password within the University of Sydney.

  4. Never share your password with anyone. If you believe someone knows your password, change it immediately.

  5. Never share your UniKey login details with anyone. Sharing logins and passwords is a direct breach of the University's security policy, and you should be aware that you are responsible for any activity on your account. Your UniKey also gives access to your personal details in MyHRonline or MyUni. Avoid sharing your UniKey account details with new staff; instead, arrange access to online systems for them before they take up their duties.

  6. Never respond to emails requesting confirmation of your username and password credentials.
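The rules in points 1 and 2 above, and the kind of aggregate analysis the ADC performed on the leaked list, can both be expressed as a small checker. The following is an added example, not code from the advisory or from Imperva: the word list, the keyboard rows used to detect adjacent-key runs, and the sample passwords are all constructed for illustration, and the "limited character set" test is interpreted here as "lower-case letters and digits only".

```python
"""Password-policy checker for the advice above, plus ADC-style summary
statistics over a list of passwords. Added example with constructed data."""
import string
from collections import Counter

MIN_LENGTH = 8

# Constructed: a tiny stand-in for a real dictionary/slang/common-password list.
COMMON_WORDS = {"password", "princess", "monkey", "dragon", "welcome",
                "iloveyou", "football", "sunshine", "letmein", "abc123"}

# Constructed: keyboard rows used to recognise runs of adjacent keys.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _is_sequential(pw: str, min_run: int = 4) -> bool:
    """True if the whole password is a run of consecutive characters
    ("123456", "abcdef", "fedcba") or of adjacent keys in one keyboard
    row ("qwerty", "asdfgh"), in either direction."""
    s = pw.lower()
    if len(s) < min_run:
        return False
    # Consecutive code points, ascending or descending.
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if diffs in ({1}, {-1}):
        return True
    # Adjacent keys within a single row, forwards or backwards.
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw: str) -> list[str]:
    """Return the rules from the advice above that `pw` violates.
    An empty list means the password satisfies every listed rule."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if pw.lower() in COMMON_WORDS:
        problems.append("dictionary/slang word")
    if _is_sequential(pw):
        problems.append("trivial sequence (consecutive or adjacent keys)")
    return problems


def summarise(passwords: list[str]) -> dict:
    """ADC-style figures over a password list: share that are six
    characters or shorter, share drawn from a limited character set
    (lower-case letters and digits only), share that are trivial
    (dictionary word or key sequence), and the most common password."""
    n = len(passwords)
    if n == 0:
        raise ValueError("empty password list")
    limited_set = set(string.ascii_lowercase + string.digits)
    short = sum(len(p) <= 6 for p in passwords)
    limited = sum(set(p) <= limited_set for p in passwords)
    trivial = sum(p.lower() in COMMON_WORDS or _is_sequential(p)
                  for p in passwords)
    return {
        "short_pct": round(100 * short / n, 1),
        "limited_charset_pct": round(100 * limited / n, 1),
        "trivial_pct": round(100 * trivial / n, 1),
        "most_common": Counter(passwords).most_common(1)[0][0],
    }


# Constructed sample, not data from the breach.
SAMPLE_PASSWORDS = [
    "123456", "123456", "password", "qwerty", "tlpWENT2m", "tlpWENT2m!",
    "iloveyou", "abc123", "Summer2010", "monkey",
]

if __name__ == "__main__":
    for pw in ("123456", "tlpWENT2m", "tlpWENT2m!"):
        print(f"{pw!r}: {check_password(pw) or 'passes all listed rules'}")
    print(summarise(SAMPLE_PASSWORDS))
```

Run stand-alone, the script shows that "123456" fails four of the listed rules, that the advisory's own passphrase-derived example "tlpWENT2m" fails only the punctuation rule, and that appending one punctuation character satisfies every rule. The summary over the constructed sample reproduces the shape of the ADC findings (a large share short, a larger share drawn from a limited character set, "123456" the most common entry), which is the point: a policy check of this kind can be run against a password list before it is ever exposed.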

[1] Percentages are approximate and based on the data provided by the ADC.