Saturday, February 9, 2013

Ineffective password policies

Here are some examples of password policies that are either too restrictive or too weak to be effective.

Here is a very weak password policy from

What makes this weak, is the required length is too short and the exclusion of any special characters.  The only way to make this password less crackable is sheer length.  Unfortunately, the most probable scenario will be that people will use one of the most common passwords(abc123, trustno1, etc.)

I find it comical that the above password policy is just forcing users to add a numeral to the #1 common password!  So the number one is 'password' and because of the crack team of security experts out there forcing people to use 'At least one number' the latest addition to the top 25 list is 'password1'  Brilliant!

And then there is CareerBuilder, with the requirements of 8-15 characters, and 3 of the following 4: upper, lower, numeric and symbol.  Which can be met with 'Password1'.  I expect that to make the list next year.

Splash Data's Top 25 list  (

Here is the 2012 list:

  1. password (unchanged)
  2. 123456 (unchanged)
  3. 12345678 (unchanged)
  4. abc123 (up 1)
  5. qwerty (down 1)
  6. monkey (unchanged)
  7. letmein (up 1)
  8. dragon (up 2)
  9. 111111 (up 3)
  10. baseball (up 1)
  11. iloveyou (up 2)
  12. trustno1 (down 3)
  13. 1234567 (down 6)
  14. sunshine (up 1)
  15. master (down 1)
  16. 123123 (up 4)
  17. welcome (new)
  18. shadow (up 1)
  19. ashley (down 3)
  20. football (up 5)
  21. Jesus (new)
  22. michael (up 2)
  23. ninja (new)
  24. mustang (new)
  25. password1 (new)

LinkedIn Summary - 3rd person

Don't write your LinkedIn summary in the 3rd person.  Just don't do it.  At best it reads like you are too busy to write one yourself and had your assistant do it, and at worst it just makes you sound like a pompous jackass.

You could go the over-the-top route and just write a bombastic self-deprecating 3rd person summary, but in my opinion they are very hard to pull off.  When Sam Zell was bringing in his management team at Tribune, several had these type announcements, or 'press releases' I think is what they called them.  The first time you saw it, you were amused.  By the third one, it just felt like a two paragraph dick joke.  But a lot of those guys were shock jocks, so it made sense for them I guess.   I advise against it.

Further reading:

7 Reasons to Put Your LinkedIn Profile in 1st Person And Not 3rd Person

Executives: Don’t Make These 4 LinkedIn Mistakes