Saturday, February 9, 2013

Ineffective password policies

Here are some examples of password policies that are either too restrictive or too weak to be effective.

Here is a very weak password policy from CareerBliss.com:

What makes this weak is that the required length is too short and that special characters are excluded.  The only thing that makes such a password harder to crack is sheer length.  Unfortunately, the most probable scenario is that people will use one of the most common passwords (abc123, trustno1, etc.).

I find it comical that the above password policy simply forces users to add a numeral to the #1 most common password!  So the number one password is 'password', and because of the crack team of security experts out there forcing people to use 'at least one number', the latest addition to the top 25 list is 'password1'.  Brilliant!

And then there is CareerBuilder, with a requirement of 8-15 characters and 3 of the following 4: upper, lower, numeric and symbol.  That can be met with 'Password1'.  I expect that to make the list next year.

SplashData's Top 25 list (http://splashdata.com/press/PR121023.htm)

Here is the 2012 list:

  1. password (unchanged)
  2. 123456 (unchanged)
  3. 12345678 (unchanged)
  4. abc123 (up 1)
  5. qwerty (down 1)
  6. monkey (unchanged)
  7. letmein (up 1)
  8. dragon (up 2)
  9. 111111 (up 3)
  10. baseball (up 1)
  11. iloveyou (up 2)
  12. trustno1 (down 3)
  13. 1234567 (down 6)
  14. sunshine (up 1)
  15. master (down 1)
  16. 123123 (up 4)
  17. welcome (new)
  18. shadow (up 1)
  19. ashley (down 3)
  20. football (up 5)
  21. Jesus (new)
  22. michael (up 2)
  23. ninja (new)
  24. mustang (new)
  25. password1 (new)
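To make the point above concrete, here is an added example (my own code, not anything from CareerBliss, CareerBuilder or SplashData) that models the two composition policies described in this post and runs the 2012 top-25 list through them, alongside a length-plus-blocklist check that rejects the same passwords. The CareerBliss-style minimum length of 6 is an assumption, since the original screenshot is not reproduced here; the policy function names and the `normalize` helper are mine.

```python
import re

# SplashData's 2012 "Worst Passwords" list as quoted in this post, embedded
# here as a small inline blocklist (a real deployment would use a much
# larger list of breached/common passwords).
TOP_25_2012 = [
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "Jesus",
    "michael", "ninja", "mustang", "password1",
]


def careerbliss_like(pw: str) -> bool:
    """Composition policy modelled on the post's description: a short minimum
    length (6 is an assumption), at least one digit, and no special
    characters permitted."""
    return len(pw) >= 6 and any(c.isdigit() for c in pw) and pw.isalnum()


def careerbuilder_like(pw: str) -> bool:
    """8-15 characters and at least 3 of 4 classes: upper, lower, digit, symbol."""
    if not 8 <= len(pw) <= 15:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def normalize(pw: str) -> str:
    """Fold the usual user 'tweaks' to a blocked word: lower-case it and strip
    trailing digits/symbols, so 'Password1!' compares equal to 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def length_and_blocklist(pw: str, blocklist=TOP_25_2012, min_len: int = 12) -> bool:
    """Length-first policy: require min_len characters and reject anything
    whose normalized form matches a blocklisted password."""
    if len(pw) < min_len:
        return False
    blocked = {normalize(p) for p in blocklist}
    return normalize(pw) not in blocked


POLICIES = {
    "careerbliss_like": careerbliss_like,
    "careerbuilder_like": careerbuilder_like,
    "length_and_blocklist": length_and_blocklist,
}


def evaluate(candidates):
    """Return {password: {policy_name: accepted}} for each candidate."""
    return {pw: {name: fn(pw) for name, fn in POLICIES.items()} for pw in candidates}


def count_accepted(candidates):
    """How many of the candidates each policy lets through."""
    results = evaluate(candidates)
    return {name: sum(1 for pw in candidates if results[pw][name]) for name in POLICIES}


if __name__ == "__main__":
    for pw, verdicts in evaluate(TOP_25_2012 + ["Password1"]).items():
        print(f"{pw:12} {verdicts}")
    print(count_accepted(TOP_25_2012))
```

Running the top-25 list through `count_accepted` shows the CareerBliss-style rule waving through eight of the worst 25 (every entry that happens to contain a digit), while 'Password1' satisfies the CareerBuilder-style rule outright; the length-plus-blocklist check rejects all of them because the normalized form strips the trailing '1' and finds 'password' in the list.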
