Sunday, October 25, 2009

Is Your Password 123456?

Earlier this month, Microsoft announced that more than 10,000 Hotmail email accounts had been compromised, and their passwords posted to underground hacking websites. An analysis of the posted account information revealed that the majority of the affected accounts used weak passwords which could be easily guessed. The most popular password was 123456 (with 123456789 a close second).

As we reported in the spring, weak passwords are commonplace in cyberspace. A 2007 list of the most frequently used online passwords included 123456 as well as perennial favorites password, qwerty, and abc123. But the Hotmail story underscores the dangers of ignoring online security. As a result, many websites are getting tough on wimpy passwords, and requiring users to create strong passwords (a combination of letters, numbers, and symbols) which are harder for hackers to decipher.
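As an added illustration (not part of the original post), here is the kind of check a site "getting tough on wimpy passwords" might run at registration: it rejects the weak choices named above, trivial variants of them, sequential runs, and anything without a mix of character classes. The blocklist is constructed from the passwords this post mentions and the minimum length is an assumption.

```python
import string

# Constructed blocklist: the weak choices the post names (123456, 123456789)
# and the 2007 favorites it cites. A real deployment loads a far larger list.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "abc123"}


def _core(pw: str) -> str:
    """Lower-case and trim leading/trailing digits and symbols, so that
    'Password1!' or '!qwerty' still match their blocklist entry."""
    return pw.lower().strip(string.digits + string.punctuation)


def _is_sequence(pw: str) -> bool:
    """True for runs of consecutive code points such as 123456, abcdef, 654321."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}


def password_problems(pw: str, min_length: int = 8) -> list[str]:
    """Return a list of reasons the password is weak; empty means acceptable.
    min_length=8 is an assumed policy value, not one the post states."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS or _core(pw) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if pw.isdigit() or _is_sequence(pw):
        problems.append("digits only or a sequential run")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    # Sample candidates: the post's worst offender, a dressed-up blocklist
    # entry, and the sentence-derived password from the comments below.
    for candidate in ("123456", "Password1!", "CimYKot!"):
        print(candidate, "->", password_problems(candidate) or "ok")
```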

One such site is Westlaw, which will begin encouraging the creation of OnePass usernames and passwords in November 2009. By January 2010, all Westlaw users will be required to access the system with a OnePass username and password. The alphanumeric code will serve as a registration code only; it will no longer be available as an alternative login method. Watch Westlaw.com for messages about the upcoming change.

Need help thinking up stronger passwords for Westlaw (or anywhere else)? Review the Duke Office of Information Technology’s Password Security FAQ. OIT has compiled helpful advice for choosing a good password and avoiding weak ones. (To OIT’s tips, the Goodson Blogson would like to add that savvy Internet users should perhaps avoid posting a sticky note filled with those super-strong passwords on the side of their monitors.)

2 comments:

Simon Zaleski said...

While I agree that truly stupid passwords ought to be avoided, I also am concerned we might see more websites restricting users' abilities to choose passwords they are used to or prefer. Granted, it's nothing compared to what passwords for military folks have to be, and most sites aren't as specific about passwords as my old bank, which required the use of some odd combination of upper- and lowercase letters and numbers and a certain password length. Still, part of me is hoping 6-digit numeric passwords won't become a thing of the past anytime soon! Rather, it would be great if more people like yourself spread the word to the general public NOT to choose extremely generic passwords.

J. Michael Goodson Law Library said...

Simon, you raise a good point. Library staff deal with a mix of self-selected and automatically-generated passwords to various accounts and databases, and it's definitely easier to remember the uniquely-chosen passwords than the super-strong randomly-generated ones. So perhaps user education really is the key. The OIT link has some great tips for making self-selected passwords more secure, like transliterating sentences with a mix of upper- and lower-case letters with punctuation (e.g. "Chicago is my kind of town" becomes the very secure password "CimYKot!", and easier to remember with the sentence as a prompt).