James Prempeh, Graduate Student

A (recent) report released by database security vendor Imperva Inc. shows that most users still don’t care about the strength of their passwords if they are left to choose them on their own. This situation may be due, in part, to the increasing challenges associated with maintaining strong passwords across the many web services we use now. However, adopting some simple strategies may go a long way towards addressing such challenges.

Imperva’s report is based on an analysis of 32 million passwords that were exposed in a recent database intrusion at RockYou Inc., a developer of several popular Facebook applications. According to Imperva, the most common password among RockYou users was “123456,” followed by “12345” and “123456789.” The other passwords rounding out the top five were “password” and “iloveyou.” “On average, a malicious attacker using a password dictionary would have been able to break into a RockYou account at the rate of roughly one every second using an automated password-guessing tool,” said Amichai Shulman, chief technology officer at Imperva.

Another problem involves password reuse. Many people use the same password (or a mix of two or three) for logging into many different systems. If just one service gets compromised (or isn’t trustworthy to begin with), all the passwords entered into that system can be used to access bank accounts, credit card information, or PCs, for instance.

How do you maintain good passwords across all the services you use while keeping your sanity? First, you need a strong password. A strong password ideally contains a mix of upper- and lowercase letters, along with numbers and symbols (like @). Length is also an asset; passwords of eight or more characters are recommended, if possible. These characteristics make it harder for someone — or someone’s password cracking program — to discover your password.

To create such a password that is easy to remember, you can consider abbreviating entire sentences or phrases into passwords by using, say, the first letter of each word in the sentence and mixing in memorable numbers and symbols between words.

If you’ve thought of some passwords and want to see how strong they may be, you can try them out free on Microsoft’s Password Checker page. Also, when you change your MUnet password for Miami’s web services, including myMiami, the MUnet password utility will help you determine how strong your new password choice is.

If you find yourself struggling to keep up with all the long, frequently changing passwords you use, a password manager program can help you manage all your passwords. However, using a password manager means having a single point of failure for your computer security. If someone were to break into your password manager, you are toast.

A better solution may be to use a password scheme. A good password scheme could incorporate three elements: a strong base password that is meaningful to you (you never change this unless it is compromised); the name of the site or organization you’re signing up with; and a date component, such as the current month and year (useful if you need to keep changing passwords). For example, you might take the name of the site, drop everything but the first six characters to the left of the “dot”, reverse the first three letters, add the base password, and add the current month and year separated by a special symbol of your choosing.

By this formula, if your base password is 987!aBc, a new password for yahoo.com in March 2011 would be hayoo987!aBc03$11. You can adjust the scheme to work with site or organization names that have fewer than six letters, or if the resulting password is too long.
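The formula above, carried through in code as an added example (not part of the original article): it derives the yahoo.com password from the base password and date given, applies the same steps to shorter site names, and checks the result against the strength criteria listed earlier. The handling of hostnames with several dots (use the label just left of the last dot) and the `$` separator are assumptions.

```python
"""Added example: the article's password scheme and its strength criteria."""
import string


def site_label(site: str) -> str:
    """Return the label immediately left of the final dot in a hostname.
    Assumption: "left of the dot" means the last dot, so mail.google.com
    yields "google". A scheme prefix and any path are stripped first."""
    host = site.lower().split("://")[-1].split("/")[0]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def derive_password(site: str, base: str, month: int, year: int, sep: str = "$") -> str:
    """Apply the article's formula: keep at most six characters of the site
    label, reverse its first three letters, append the base password, then
    the two-digit month and two-digit year separated by a symbol.
    Labels shorter than six letters go through the same steps unchanged."""
    label = site_label(site)[:6]
    scrambled = label[:3][::-1] + label[3:]
    return f"{scrambled}{base}{month:02d}{sep}{year % 100:02d}"


def is_strong(password: str) -> bool:
    """The article's composition rule: eight or more characters drawn from
    upper-case, lower-case, digits and symbols, all four classes present."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= 8 and all(classes)


if __name__ == "__main__":
    base = "987!aBc"  # the base password used in the article's example
    for site in ("yahoo.com", "cnn.com", "https://mail.google.com/"):
        pw = derive_password(site, base, month=3, year=2011)
        print(f"{site:26} -> {pw:22} strong={is_strong(pw)}")
    for weak in ("123456", "iloveyou", "password"):
        print(f"{weak:26} strong={is_strong(weak)}")
```

The checker covers only the composition rule the article states; it does not test for dictionary words or reuse.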

Make up your own formula, don’t share it with anyone, and you’ll have a unique, virtually impossible-to-guess password for every one of your accounts and sites without having to write anything down. The formula could be cracked, of course, but a hacker would need to get his hands on at least a few of your different passwords to figure it out.