More Bad News About Passwords

May 24, 2007 | 2 mins
Data and Information Security | IT Leadership

Yet another study confirms what everyone already knows: users don't willingly choose secure passwords. In this most recent study, the following were reported as the ten most common passwords:

1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. link182
10. (your first name)

While most of these were familiar to me, I must give credit to the creator of “let me in” – the Fort Knox of passwords. 

Perhaps this most recent demonstration of the inadequacies of passwords should prompt every company to conduct additional training for their personnel or, at minimum, distribute a memo explaining the importance of using more secure passwords and also provide some specific tips to assist personnel in creating better passwords. 

The primary problem presented by requiring secure passwords is that they are generally hard to remember, meaning that if they are used, one of two things will happen: either the user will write a copy of the password down in an insecure place or, if they remember the password long enough to log in, they will keep their workstations logged on at all times.

As mentioned above, teaching employees some of the tricks used to create secure passwords is highly recommended (e.g., using a one-sentence passphrase as the basis for the password and then using the first letter of each word in the sentence to create the actual password, alternating capitals, alternating a known number sequence with the letters of the password, etc.). Another approach is to institute two-factor authentication (e.g., password and USB token). A third approach is to transition authentication to biometrics. While biometrics and two-factor authentication are certainly gaining ground, it will be a very long time before they achieve general use (at least outside the financial services and healthcare industries). This means that for the foreseeable future, strong passwords are going to be our front line of defense for authentication. It falls on all of us, the security professionals, to continue to make every effort to ensure our personnel are using the strongest passwords possible.
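As an added example (not code from the original post), the following Python puts the two points above into practice: a policy check that rejects the ten passwords listed earlier, including the user's own first name, and a helper that builds a password from a passphrase the way the post describes. The function names and the exact rule for interleaving the number sequence are assumptions.

```python
# Added example, not part of the original post. The digit-interleaving rule
# and the function names are assumptions; the blocklist is the post's own
# top-ten list.

# The nine literal entries from the post's top-ten list; the tenth entry,
# "(your first name)", is checked per user in is_weak().
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "abc123", "letmein",
    "monkey", "myspace1", "password1", "link182",
}


def is_weak(candidate: str, first_name: str) -> bool:
    """True if the candidate is one of the post's top-ten passwords,
    including the user's own first name (compared case-insensitively)."""
    lowered = candidate.lower()
    return lowered in COMMON_PASSWORDS or lowered == first_name.lower()


def derive_from_passphrase(sentence: str, digits: str = "") -> str:
    """Build a password as the post suggests: take the first letter of each
    word of a memorable sentence, alternate upper and lower case, and
    interleave a known number sequence (assumed rule: one digit after each
    letter until the digits run out)."""
    letters = [w[0] for w in sentence.split() if w[0].isalpha()]
    out = []
    for i, ch in enumerate(letters):
        out.append(ch.upper() if i % 2 == 0 else ch.lower())
        if i < len(digits):
            out.append(digits[i])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(is_weak("LetMeIn", "alice"))  # True: case-insensitive match
    print(is_weak("Alice", "alice"))    # True: the user's first name
    pw = derive_from_passphrase("the quick brown fox jumps over the lazy dog", "1982")
    print(pw, is_weak(pw, "alice"))     # T1q9B8f2JoTlD False
```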

Just remember, “Klaatu barada nikto,” is mine and no one else can use it.  The first person who can e-mail me the meaning of the foregoing phrase will receive a prize of inestimable value:  a free subscription to my free monthly e-letter “Tech-Law Update.”


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
