Fix your passwords (and use two factor authentication!)

Recently Keeper Security looked at 10 million stolen passwords and their blog post of the most popular passwords has me thinking. Two main thoughts actually:

  • Why do people (individual consumers) put so little effort into passwords after all the press we have seen?
  • And – why are companies still not following best practices when it comes to allowing consumers to create these passwords?

Where have these people been? And why are they allowed to continue such sloppy bad practices?

What were the top 10 passwords found in those 10 million stolen passwords in 2016, according to Keeper Security’s findings?

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321

Guess what were the top 10 most common passwords back in 2010 (from passwords stolen from the rockyou site – so a much smaller data set)?

  1. 123456 (still number 1 in 2016)
  2. 12345
  3. 123456789 (moved up to number 2 in 2016)
  4. password (at least it dropped to number 8 in 2016)
  5. iloveyou
  6. princess (where did this come from?)
  7. rockyou (remember the name of the site?)
  8. 1234567 (moved up one spot in 2016)
  9. 12345678 (moved up to number 4 in 2016)
  10. abc123

Looks very similar, huh? We haven’t learned anything in 6 years!

I am just like everyone else. I have a limited number of passwords I use at most of my web sites. Security experts would suggest you have a totally different password for every site you go to and you keep them safely in your head (or use a password manager!). I can’t do that. There is just no way. But I do have a few simple passwords I use for “normal” sites. And I have special (more complex) passwords I use for more sensitive sites like my email. And then very secure sites, like my banking web sites, I do have unique separate very complex passwords for each of them. I don’t have the best memory (honestly, I have a pretty bad memory). But I follow some simple rules, the first being never ever ever use a word from the dictionary in all lower case. Even the lowest level password I have is a mixture of upper and lower case and numbers. And it’s not a word in a dictionary, but it is something I can remember easily.

Simple rules of thumb when picking a password are:

  • Pick something you can remember (a sticky note is not secure! and if you have to write it down, don’t tape it to your monitor!)
  • Don’t use any part of your name, your user name, your spouse’s name, your kid’s name, your dog’s name, etc.
  • Don’t use your birthday, your kid’s birthday, your street number, etc.
  • Don’t use a common word in a dictionary
  • Always use a mix of upper and lower case
  • Always have at least one number
  • Always have at least one special character
  • Use passwords longer than the normal 5 or 6 characters; I suggest 8 or 9 characters or more.

I know that list seems impossible, but it really isn’t too hard to follow. I have a Sys Admin friend who always uses pass phrases (similar to number 5 on the rockyou list above, iloveyou) as his passwords. But he uses mixed case (iLoveYou), adds in numbers (1L0v3Y0u), and special characters, so in the end “iloveyou” becomes “1L0>3Y0u!” or something similar. And honestly he would never use a passphrase as simple (or as clean) as i love you.

So, go fix your passwords! At least on your email and banking sites. And remember – 1L0>3Y0u!

And turn on two-factor authentication! Most popular sites have a two factor option now.

To turn on Apple’s Two-Factor Authentication (which replaced Apple’s old Two-Step Verification, which was basically the same thing pre-iOS 9), go to the My Apple ID page and sign in. Look for Security > Two-Factor Authentication and click “Get Started…”

Google calls its system 2-Step Verification.

Facebook has two-factor authentication, but they call it Login Approvals. Access it by going to Settings > Security. Click “Edit” next to Login Approvals and “Enable” on the top right.

And Google has a nice checklist you should know about:

The Keeper Security blog post:


Passwords – Did Gawker do us a favor?

I wrote a post on how to create strong passwords at the beginning of the year:

The Quandary of Passwords, part 1 – It’s not hard to have a good secure password!

but Gawker getting hacked brings up some interesting points I didn’t cover in detail before. People may spend the time to create a good strong password, but then they use that one password everywhere! If you trust all the sites to never get hacked I guess it isn’t a huge deal, but as Gawker proved you can’t believe that!


If you ever posted on any of their properties (which includes Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot) then your user name, email, and password were posted on the BitTorrent site Pirate Bay. If you are not sure and want to check if your email and password have been published you can check at


The Gawker hack shows how important it is not to use passwords over and over.  I mentioned in my password post that, if you have a bad memory like me, by using a simple algorithm you can add something you can remember about the site you are on to a good complex password to make it unique. In this way every site you go to has its own unique strong password and it is still pretty easy for you to remember.  For example, look at the complex password I created in my first posting, 1L0>3Y0u!  That is a good easy to remember password (maybe too short though).  So now come up with an algorithm to use with it.  For example say you are on CNet’s site – how about adding the name of the site to the end of the password?  In this example, cnet is the site, so the password becomes 1L0>3Y0u!cnet   Even better if you can handle adding more to the end of the password and throw some more symbols in the middle, for example say 1L0>3Y0u!cnet#1h@t3y0u  Or another example say for the New York Times website becomes 1L0>3Y0u!nyt#1h@t3y0u  See, pretty easy to remember and hard to guess!


Of course if someone learns your algorithm they will be able to guess your password, so it is not foolproof.  But like I said before, depending on the risk of the site, I use different passwords. Maybe it is ok to use the same password for the New York Times site, the Washington Post site, and CNet, right?  What is the real harm that can happen?  For Facebook and Twitter I am more careful because of the damage that could be done. And for sites like my banking I use a totally unique password with nothing to do with any of my other passwords.


If you need help for those more secure passwords another suggestion is using mnemonics (like using Roy G. Biv to remember the colors in the rainbow). Using any word from the dictionary as your base for your password isn’t the best practice.  There are a ton of scripts used to hack passwords that start with the words in the dictionary. And my little trick of swapping out numbers and symbols for vowels is pretty well known. That is why my Sys Admin friend uses a pass phrase that he turns into an acronym to create his passwords.  Normally a very dirty mnemonic. The longer the better, but you have to be able to remember it!  I won’t repeat any of his, but for example let’s use the pass phrase “Facebook doesn’t believe in privacy and wants to be the number 1 social networking site in the world” and then turn that into an acronym “FBdbip&wtbt#1snsitw”  Now that is a great strong password for your Facebook password!  Think you can remember that?  And like I said, he uses really dirty mnemonics, I have actually heard him chuckle when typing his password.  How often do you get to enjoy a password?
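
The rules of thumb from the first post, and the point above that character swaps are well known, can be combined into a check a site could run when a password is created. This is an added example, not code from the original posts: the function names, result labels and swap table are assumptions, and the denylist holds only the two top-10 lists quoted on this page.

```python
import re

# Denylist: only the two top-10 lists quoted on this page (Keeper 2016, rockyou 2010).
COMMON = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "12345", "iloveyou",
    "princess", "rockyou", "abc123",
}

# Assumed swap table; ">" for "v" is the swap used in the page's own example.
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", ">": "v"})


def normalize(password):
    """Lowercase, undo the swaps above, then drop everything that is not a-z."""
    return re.sub(r"[^a-z]", "", password.lower().translate(SWAPS))


def check_password(password, personal=(), min_length=8):
    """Return the labels of the rules the password breaks (empty list = passes)."""
    problems = []
    lowered, plain = password.lower(), normalize(password)
    if len(password) < min_length:
        problems.append("too-short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no-mixed-case")
    if not re.search(r"\d", password):
        problems.append("no-digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no-special")
    # Names, user names, pet names etc., matched both as typed and after un-swapping.
    if any(len(t) >= 3 and (t.lower() in lowered or t.lower() in plain)
           for t in personal):
        problems.append("personal-info")
    # A common password stays common after case changes and character swaps.
    if lowered in COMMON or plain in COMMON:
        problems.append("common-password")
    return problems


if __name__ == "__main__":
    # Constructed inputs: three strings from the page plus one made-up name case.
    samples = [("123456", ()), ("1L0>3Y0u!", ()),
               ("FBdbip&wtbt#1snsitw", ()), ("J0hnSmith#2016", ("john", "smith"))]
    for pw, personal in samples:
        print(f"{pw!r}: {check_password(pw, personal) or 'ok'}")
```

The swapped form of "iloveyou" satisfies every character-class rule and is still flagged, while the acronym built from a long pass phrase passes. A real deployment would load a far larger breached-password list than these 15 entries.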

