"123456" - Now the World's Worst Password

Do you insist that your clients all use complex passwords, or do you bow to the pressure of relaxing the rules?

If you’ve been in the IT business for any length of time, you’ve inevitably come across clients who don’t really take password security very seriously. Some individuals genuinely believe that the risk of security breaches is overstated. It’s fair to say they are mistaken.

You’ve probably come across all kinds of attitudes towards passwords. Some IT consultants even encounter company bosses who insist that all passwords (sometimes with the exception of their own) are exactly the same. These bosses are completely blind to the fact that a security breach is often as likely to be caused by a disgruntled ex staff member as someone outside the organisation.

If you’ve still got clients who are stubborn about the importance of password restrictions, the most recent list of “bad passwords” should give you some ammunition to help convince them that they should take things more sriously.

Here are the most commonly used “bad” passwords of 2013, as compiled by SplashData:

1.      123456

2.      password

3.      12345678

4.      qwerty

5.      abc123

6.      123456789

7.      111111

8.      1234567

9.      iloveyou

10.    adobe123

People certainly like those number-based passwords don’t they? While it’s pleasing to finally see the techie’s old favourite of “TrustNoOne” disappear from the top ten, the presence of “password” at number two is rather depressing.

As an IT professional, you’re probably in a position of trust where you know quite a few of your clients’ passwords. Are any of them using any from the top ten list? Even worse, are YOU? If so, shame on you! Go and change them now!

Some Helpful Alternatives

The usual objection to complex passwords is predictable: “How am I ever going to remember them?”

If you’ve ever implemented compulsory complex passwords on a network and stayed present when the change requests kicked in, you’ve probably suffered a tirade of abuse.

The thing is, it’s not really that difficult to create a complex password that is easy to remember. Here are some ideas, both for you and for your clients:

• Use a string of text with a full stop on the end.
• Use a memorable word but place punctuation marks between every letter.
• Use the registration number of a first car, and put a punctuation mark at the beginning and the end. Security experts sometimes recommend against car registrations, but with random punctuation added, they’re pretty secure. They’re certainly better than “123456.”
• If a client wants to stick to a word that’s easy to remember, suggest they add a number and a punctuation mark at the end.

It’s not really that difficult to come up with a complex password that’s easy to remember – your clients might just need some ideas to help. The one thing you shouldn’t do is give in to any insistence on letting them continue to use laughably predictable passwords like those in the list above. After all, it’s your phone that’s going to ring when someone breaks into their network.