SecurityWeek

Identity & Access

Passwords: To be or knOt2$B3? Take the Quiz!

Passwords

Do you think passwords are still important? Do you ever worry about your passwords? We’ve been kicking around computer and information security for a while now. Why don’t we have a better answer?

Personally, I have gotten a little tired of password articles and blogs. I started “logging on” in about 1976, and I kind of thought we had said pretty much everything there was to say about passwords by now. Then, I recently spoke with some people born in the 1990s and 2000s, and it seemed like they tried their best to make my brain spring through the top of my skull. From these people in their teens and 20s I heard things like, “I just use the same password for everything,” and “I’m just a student, hackers don’t want my stuff.”

As a professional security geek, my reaction was more or less “you’re kidding, right?” But it should not really be a surprise when we look at some of the recent statistics on password use. Analyses of compromised passwords keep showing that the most commonly used passwords are things like “123456” and “password”. Droves of surveys done over the past six or seven years keep saying that 55-70% of people (depending on the exact survey and year) use the same password across multiple accounts. And similar studies say that 70-80% of the passwords in use online are classified as “weak”, which often means a password of fewer than eight lower-case characters, or a simple dictionary word like “iloveyou”, “monkey”, “dragon” or “ninja”.

We all know passwords are not a great solution for securing our accounts and information. But, it is what we have right now, so we might as well make the best of them, eh?

Curious how strong your passwords are? For a rough check you might try one of these sites. Whatever you do, do not type in a password you actually use: anything submitted to a third-party page leaves your control, so test a password built the same way instead:

http://askthegeek.kennyhart.com/password-meter/

https://howsecureismypassword.net/

Hopefully, using them is an eye-opening experience and not a humbling one. As a point of reference, I tested a password with a construction similar to what I use to log on to my personal machine on these two sites. HowSecureIsMyPassword says it would take 71 quadrillion years for a desktop PC to crack the password, and askthegeek shows it as “Very Strong” with a score of 100%. But those sites measure only the technical part of the password.


Considering all of this input, I thought it was time for a 90-second quiz (probably less than that, so relax). Unfortunately, this is a text-based article, so I cannot use a quiz tool that will accumulate your score for you, but, trust me, the scoring is really straightforward (you will know immediately if it goes south on you). The only real catch is that the quiz (and scoring) is not based on some password standard, but on my own personal criteria. I will assert that over 38 years of computer use, and 29 years of experience in the security world, gives me that right.

Points – Question

_____ +1 – If your passwords are at least eight characters.

_____ +5 – If your passwords are at least 10 characters.

_____ +1 – If you use both lower-case and upper-case in your passwords.

_____ +2 – If you include numbers in your passwords.

_____ +3 – If you include special characters (like !@#$%*) in your passwords.

_____ +1 – If you ever change your passwords.

_____ +3 – If you change your important passwords at least annually (e.g., bank, credit card).

_____ +6 – If you store passwords in a password vault, or offline.

_____ -1 – If you include numbers or special characters only at the end of your password.

_____ -3 – If your password’s mystery relies on substituting numbers for letters (it is simply not that tr1cky or 3L1T3).

_____ -5 – If you include keyboard sequences in your password (like “qwerty” or “mnbvcxz” or “123456789”).

_____ -20 – If you include any form of the word “password” in your password (like “password” or “pwd” or “pass”).

_____ -10 – If you repeat any letter or number more than two times (like “aaaa” or “666”).

_____ -15 – If your password includes any part of your name, your username, or any month, or has anything at all to do with the site it belongs to (like a Facebook password of “fbletmein” and an email password of “emailletmein”).

_____ -50 – If you use the same password on social media, email and private sites (like shopping and banking sites).

_____ -10 – If you have shared your personal passwords with anyone.

_____ -20 – If you keep passwords in email or in a plain-text, unencrypted file.

_____ Total Score

Score – Description

Less than -50 – Um. I’m not even sure why you pretend you are using passwords.

-50 to below 0 – Please reconsider your password habits; they are probably giving you a false sense of security.

0 to below +15 – In general, your password practices are not unreasonable. Check the quiz again to see how much more paranoid you are willing to get.

+15 and up – Greetings, fellow paranoid security geek. Nice to know someone takes this seriously.

If you paid any attention to the scoring, you may have noticed a couple of things. The positive numbers are all small, and they cover all of the technical parts of password construction. With a couple of small exceptions, the negative numbers are about password usage. The technical side is the easy part: make a strong password. If any part of this is hard, it is the usage: use your password(s) wisely. It’s not as if, as an industry, we consistently do either part well. But we have to do the two parts together. A strong password, used foolishly, is probably not going to help us much. At the same time, a poor password, used well, will at best make us think we are more secure than we really are.
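As an added worked example (this is not the author’s code, nor a tool the column mentions), here is the quiz above rendered as a Python checker, with the kind of brute-force figure the password-meter sites print computed alongside it for the same input. The string-side rules (length, character classes, trailing digits, leet substitutions, keyboard runs, the word “password”, repeated characters, name/month/site fragments) are evaluated from the password itself; the usage-side rules are answered by the caller through flags, because no checker can see from the string whether you reuse or share a password. The word list, keyboard rows, leet table, month list and the 1e9 guesses-per-second rate are assumptions of the example, not figures from the column or from either site.

```python
# Added example for this column, not the author's own tool: the quiz above as a
# checker. Word list, keyboard rows, leet table and guess rate are assumptions.
import re
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed mini dictionary: the quiz's own examples plus a few common words.
WORDS = ("password", "pass", "pwd", "letmein", "iloveyou", "monkey", "dragon",
         "ninja", "tricky", "elite", "welcome", "secret", "admin", "hello")
# Full month names only; abbreviations like "mar" would hit ordinary words.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Assumed US layout rows; a run of four or more in either direction counts.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Assumed leet table for the "tr1cky / 3L1T3" rule: digit or symbol -> letter.
LEET = str.maketrans("0134578@$!", "oieastbasi")


@dataclass
class Habits:
    """Usage-side answers; they cannot be read off the password string."""
    changes_ever: bool = False
    changes_important_annually: bool = False
    uses_vault_or_offline: bool = False
    reused_across_site_types: bool = False
    shared_with_anyone: bool = False
    stored_in_email_or_plaintext: bool = False
    ever_emailed: bool = False


def keyboard_run(pw: str) -> bool:
    """True if pw has 4+ adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + 4] in low for i in range(len(seq) - 3)):
                return True
    return False


def quiz_score(pw: str, habits: Optional[Habits] = None, name: str = "",
               username: str = "", site_words: Tuple[str, ...] = ()
               ) -> Tuple[int, List[str]]:
    """Return (total, [rules that fired]) using the quiz's point values."""
    habits = habits or Habits()
    low = pw.lower()
    deleet = low.translate(LEET)  # "p@ssw0rd" -> "password"
    hits: List[Tuple[int, str]] = []

    def rule(points: int, label: str, fired: bool) -> None:
        if fired:
            hits.append((points, label))

    rule(+1, "at least 8 characters", len(pw) >= 8)
    rule(+5, "at least 10 characters", len(pw) >= 10)
    rule(+1, "mixed case", pw != low and pw != pw.upper())
    rule(+2, "contains digits", any(c.isdigit() for c in pw))
    rule(+3, "contains specials", any(c in string.punctuation for c in pw))
    rule(+1, "changes passwords", habits.changes_ever)
    rule(+3, "changes important passwords annually", habits.changes_important_annually)
    rule(+6, "password vault or offline storage", habits.uses_vault_or_offline)
    # Digits/specials present, but only as a suffix tacked onto a word.
    core = pw.rstrip(string.digits + string.punctuation)
    rule(-1, "digits/specials only at the end", core != pw and core.isalpha())
    # Undoing the substitutions exposes a word the raw string did not contain.
    rule(-3, "leet-speak substitution", deleet != low and
         any(w in deleet and w not in low for w in WORDS if len(w) > 3))
    rule(-5, "keyboard sequence", keyboard_run(pw))
    rule(-20, "a form of 'password'", any(w in deleet for w in ("pass", "pwd")))
    rule(-10, "same character three or more times in a row",
         re.search(r"(.)\1{2,}", pw) is not None)
    personal = [t for t in re.split(r"[^a-z]+", f"{name} {username}".lower()) if len(t) >= 3]
    personal += list(MONTHS) + [w.lower() for w in site_words]
    rule(-15, "contains name/username/month/site", any(t in low for t in personal))
    rule(-50, "reused across social/email/private sites", habits.reused_across_site_types)
    rule(-10, "shared with someone", habits.shared_with_anyone)
    rule(-20, "kept in email or plaintext", habits.stored_in_email_or_plaintext)
    rule(-200, "ever emailed", habits.ever_emailed)
    return sum(p for p, _ in hits), [f"{p:+d} {label}" for p, label in hits]


def brute_force_years(pw: str, guesses_per_second: float = 1e9) -> float:
    """The naive figure a meter prints: (charset size) ** length guesses at an
    assumed rate.  It ignores dictionaries and patterns, which is why
    "P@ssw0rd123!" scores huge here and negative on the quiz."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation)))
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return size ** len(pw) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "qwerty123", "correct-horse-Battery-9-staple"):
        total, why = quiz_score(pw)
        print(f"{pw!r}: quiz {total:+d}, naive brute force {brute_force_years(pw):.3g} years")
        print("   ", "; ".join(why))
```

Run as-is, “P@ssw0rd123!” comes out at over ten million years of naive brute force (94 characters to the 12th power at the assumed rate) but -11 on the quiz, which is exactly the gap between the technical measure and the usage measure the column is describing; “qwerty123” lands at -3 and the long hyphenated phrase at +12 before any of the habit flags are set.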

Passwords are not the keys to our systems and information. At least they should not be. The purpose of a password is to help separate the wheat from the chaff, and to slow down attackers. We create good passwords, and then use them wisely for two reasons:

1. To help slow down access to our stuff, not stop it.

2. We don’t have an answer that is better than “passwords,” yet.

And one last question for the quiz: if you have ever emailed your password to anyone, subtract another 200 points from your score.
