There was an Apple store in Naples so off we went to get their expertise. All they had me do was change my password to my hot mail account. The tech guy there said that should take care of it! He was very certain of that. Just frustrating and annoying reminder that passwords need to be changed once in awhile or more often...I'm still a little leery of whether this is the end of it or not, but I know I will change my passwords more often. Here is some advice on password strength from my brother who got it from the Wiki page on password strength. Kinda long, but VERY good advice....Hope this helps someone to avoid what happened to me and to many others, I'm sure...we'll see you tomorrow with some great gater stories!
Guidelines for strong passwords
Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:
- Password length should be around 12 to 14 characters if permitted, and longer still if possible while remaining memorable
- Use randomly generated passwords where feasible
- Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., dates, ID numbers, ancestors names or dates).
- Include numbers, and symbols in passwords if allowed by the system
- If the system recognizes case as significant, use capital and lower-case letters
- Avoid using the same password for multiple sites or purposes
- If you write your passwords down, keep the list in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer
Double a character consecutively, to discourage shoulder surfing, the technique whereby someone observes the typing over a shoulder. Don't triple a character and don't double more than one character. If the typist is fast, it's hard to see how many times a key was consecutively pressed.
As a user might need access from a phone with a small keyboard, consider which nonalphanumerics appear on all models, if any do.
Individuals and businesses can also choose to use devices or cloud-based applications that generate a one-time password, which are functional for only one session or expire after a limited amount of time. One-time password generator solutions are available using cloud-based services, mobile phone applications, a security token and other methods.
Examples of weak passwords
As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers— a common approach) may cost a password cracking device a few more seconds– this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy:
- Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. All are typically very easy to discover.
- Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., can be automatically tried at very high speeds.
- Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
- Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be easily tested automatically with little additional effort.
- Doubled words: crabcrab, stopstop, treetree, passpass, etc., can be easily tested automatically.
- Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc., can be easily tested automatically.
- Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159... (pi), or 27182... (e), etc., can easily be tested automatically.
- Identifiers: jsmith123, 1/1/1970, 555–1234, "your username", etc., can easily be tested automatically.
- Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.