For years there has been a collective wisdom about creating strong passwords. Briefly:
— don’t use a word found in the dictionary
— don’t use a word found in the dictionary with a “1”or other number after it
— create a password containing eight characters or more
— use a mix of letters, numbers and punctuation
— don’t write your password on a Post-it note and stick it under your keyboard
For user names the big rule is: change any default username or password as soon as you install an operating system or application.
Three people at Microsoft, Francis Allan, Tan Seng and Andrei Saygo, just posted an interesting piece on the company’s Threat Research and Response blog confirming most of the above. They reported what they observed while running a honeypot for almost a year, collecting information from real, in-the-wild, dictionary-based attacks.
Here were the most common user names and passwords used by attackers (in order):
User names:
Administrator
Administrateur
admin
andrew
dave
steve
tsinternetuser
tsinternetusers
paul
adam
Passwords:
password
123456
#!comment:
changeme
F**kyou (they didn’t really use the asterisks)
abc123
peter
Michael
andrew
matthew
They said that one attacker ran more than 400,000 user name and password combinations in one attack.
Blog piece “Do and don’ts for p@$$w0rd$” here.
Some ideas for strong passwords:
— use phrases (i.e. “Ubuntu_is_my_cat”)
— use patterns on the keyboard (i.e. zse45rdx – start with “z” go up and to the right, right one letter then back down). You can write down the first character and remember the pattern, thus, not really breaking the rule about writing passwords on a Post-it note and sticking it under your keyboard.
Tom Kelchner