top of page

Are you (and your passwords) strong enough?

Originally posted on January 18, 2012:

— To preface, this content is based on an internal security awareness article I wrote, which was in turn based on a blog entry by Troy Hunt.  I want to make sure credit is given where it is due…

If you have turned on a television or read a newspaper or looked at any online blogs in the last few months, then you know that there are lots of bad guys and gals in the world today trying to steal your personal and professional information.  These attacks are persistent, aggressive, and affect all of us each and every day.  Let’s look at a few examples:

·         In 2009 alone, financial institutions reissued 72.2 million credit and debit cards due to breaches in their data environments.  Of those affected, 20% had more than one card replaced. –Javelin Strategy & Research

·         In December 2009, Chinese hackers initiated a 2-day attack on Google’s central password repository and other key systems, resulting in an interruption of services to Google users worldwide.  Though no passwords were believed to be compromised, the attack forced a significant redesign and strengthening of Google’s entire data infrastructure. – The New York Times

·         In April 2011, the Sony PlayStation Network experienced a cyber-attack resulting in the compromise and theft of 77 million customer records.  Records taken in this attack included customer names, addresses, emails, birthdays, usernames, passwords, and credit card accounts. – CNET News

I am going to be very blunt.  These examples should scare you.  All of us need to be more diligent in both our personal and professional lives when it comes to protecting information.  The very first line of defense for securing information is a strong password, so let’s begin the conversation there.

There are 4 basic measures that determine the strength of a password: length, variety of characters, randomness, and uniqueness.  Length is obviously how many characters a password has in it, with the standard logic being the longer the password, the better.  Variety of characters refers to the type of characters used in the password, and the options for characters include letters (both uppercase and lowercase), numbers, and special characters (!@#$%^&*?><).  Randomness refers to how common a password is when compared to other passwords in a data environment.  Passwords like “password” or “abc123” or “123456” are very common and tend to show up on every computer system around the world.  Uniqueness of a password refers to the user of the password and how often that user reuses the same password on multiple systems or websites.  Criminals learned a long time ago that once you have a user’s password on one website, then you can probably gain access to other sites and systems with the same information.

The Sony cyber-attack I referenced earlier has provided the security world a unique view into password habits because the attackers posted online much of the information they took, including user and password information.  Blogger and security expert Troy Hunt ( has taken that information and calculated the relative strength of the passwords stolen. According to Troy:

“There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don’t contain a single non-alphanumeric character.”

In other words, even if these accounts had not been stolen during the cyber-attack, most of the users were already at risk due to generally weak passwords. 

The basic rules for a strong password are simple.  Passwords should be at least 8 characters, if not longer.  Passwords should contain both upper and lower case letters, numbers, and special characters.  Unique passwords should be used on as many websites and systems as possible.  If you follow these general rules, then you have taken the first step in securing your personal and professional information.

1 view


bottom of page