10 myths about Windows passwords

Mon Feb 25, 2008 2:23PM EST

When I first clicked on this article, I expected to see yet another diatribe telling you to use numbers, mixed-case letters, and special characters when you created a password. Boy was I wrong.

Get past some of the geeky language and you'll find a truly eye-opening story about the security of passwords in Windows.

Some key points from the piece (at least, points that challenge the conventional wisdom of password security):


  • Random passwords aren't necessarily more secure. Strings of garbage like Gh&739(*j are hard to remember, easy to mistype, and can be vulnerable to password crackers, especially if they are short.

  • The most secure passwords are 15 characters or longer.

  • Replacing an "o" with a "0" does nothing for security. Do you really think a hacker can't figure out to try d0g instead of dog? Adding a few digits to a cracking program is no big deal.

  • Realistically, changing your password every four months is good enough.

  • Documenting your password is not necessarily a bad thing. If a password is written down and stored securely (say, in a safe), this can be useful if an employee quits, for example. Many people store their passwords in a safe deposit box in the event of emergencies, so spouses or children can get access to bank accounts and the like.

Surprisingly, Mark Burnett's piece dates back to 2002, but the lessons are still relevant today. Give it a spin. Maybe consider changing your passwords this weekend.

Comments on 10 myths about Windows passwords

  • 46 Posted by dairyboy3065 on Thu Sep 3, 2009 3:34PM EDT

    If this is true I should change my password quickly. I have been stupid enough to make my password my name. But I could not have thought of any. But even though they do get into my files it would not be so much of a harm.

  • 47 Posted by sassygal695 on Thu Sep 3, 2009 9:06PM EDT

    No one is here to blame our careless mistakes. We learn from them. It really doesn't matter if we make our passcodes hard or easy. Hackers who are careless will find out the consequences. Thanks for the helpful information. sassygal695@yahoo.com

  • 48 Posted by mr_vikram_sareen on Thu Sep 3, 2009 7:28PM EDT

    Very true... passwords are guessable and can be cracked. A good way to protect is to deploy one-time passwords, also commonly known as OTP devices. A good example of OTP devices is online banking, where a few banks are giving away hard tokens that generate one-time single user passwords. But again it is a costly option to give to users. Google and Yahoo will never do that, right? But a good option is SOFT tokens (make your phone an OTP generator) or your computer as an OTP generator. Then it is a good cost-effective solution for GOOGLE or YAHOO or any enterprise, and in fact banks themselves. But again OTPs are also not completely secure. Hackers can attack as man-in-the-middle, faking to be GOOGLE or YAHOO. So-called phishing attacks are also a part of it... :) At the end, security is as strong as the weakest link...

  • 49 Posted by buckeye_brat_bsn on Thu Sep 3, 2009 3:15PM EDT

    It's disgusting that hackers have to do things like this to some of us (happened to me on Yahoo a few years ago but it's fine now). Most of us didn't know the mistakes we were making, let alone how the hackers do it, so thanks, it helped me think of new passwords!

  • 50 Posted by hbabisch on Thu Sep 3, 2009 4:17PM EDT

    I must have at least 50 passwords and logins. It's not practical to change them every 4 months, let alone ever. What would be more useful would be a review of the password saving and generating programs. If a hacker can get into large multi-billion dollar company systems then what makes anyone think they couldn't break theirs even with 25 characters!!!! Harvey

  • 51 Posted by mrfixnit999 on Thu Sep 3, 2009 7:27PM EDT

    10 minutes in a Cisco class and/or an MCSE certification class would give you the exact details as to why your password, no matter what it is, can be hacked. Packet sniffers, viruses, and malware nail the weaknesses in the OS and the networking layer to open your system up to hackers.... YET, there is a table someone produced that would show you that a password with 12 characters with various upper ASCII characters (like $%&*#(@)(!) adds to the time it takes to hack an account the old-fashioned way.... Since 1982 there has been software which hacks passwords the old-fashioned way.... AA, AB, AC, AD, AE, AF.... AAA, AAB, AAC.... etc. Today, with a packet sniffer or a wireless sniffer, you are opened up to a new can of worms. Be sure to lock down your wireless routers (WEP, etc.). Keep your OS clean, and use passwords with special characters, CAPITALS, and @(#*$ special upper ASCII characters in them.... Should help battle the onslaught.

  • 52 Posted by a_petrusa on Thu Sep 3, 2009 3:00PM EDT

    Ha ha... You all say it's a good article, but the simplest thing to stop a hacker is to use spaces in your password. It is easier for anybody to use a phrase (it will also go over the 15-character "secure" password requirement according to the article) THAN A STRING OF #$!@%... So, I can guarantee that mixing the two (phrase and strange characters) will make your password unbreakable. But you need to use either Win2k or XP to be able to use it. As for older versions, if you use the "Client for Microsoft Networks" authentication mode, it is way harder to crack a password than to hit the ESC key to log on as a new user. Just my 5 cents...

  • 53 Posted by hbabisch on Thu Sep 3, 2009 4:17PM EDT

    If you changed passwords and logins every 4 months, would you remember to store them in a safe deposit box? This article makes little sense and has little value.

  • 54 Posted by pugly1 on Thu Sep 3, 2009 8:22PM EDT

    Maybe we ought to ensure that the hackers who are caught are severely punished and fined instead of employing them in high-paying jobs to teach our security analysts how to avoid hackers. You won't stop them by giving them incentives! Let them teach from prison; after all, it is theft and should not be an admired or respected skill!

  • 55 Posted by mark_cole_03102 on Thu Sep 3, 2009 7:08PM EDT

    Bombs49, I agree that most users do not have sufficient passwords set, but to say thanks to the hacks out there is ludicrous. I for one have to jump through hoops to protect our corporate environment from these @#$%s. I'd like to meet a hack just once and he wouldn't hack again.

  • 56 Posted by pcsurgeonguy on Thu Sep 3, 2009 8:04PM EDT

    What people do not know is that if they forget the password to log into Windows XP there is a way around it: start Windows in safe mode, log in as Administrator, then remove the password in User Accounts in the Control Panel.

  • 58 Posted by no9z on Thu Sep 3, 2009 7:40PM EDT

    The headline of this article refers to 10 myths. I barely count 5.

  • 59 Posted by sofjanmustopoh on Thu Sep 3, 2009 9:31PM EDT

    Use a favorite song or a favorite sentence or phrase and use the first letter of each word combined with special characters and/or numerics to make a long and harder-to-crack password. e.g. "On Friday I like to go clubbing drinking vodka and water dancing and go home at 3:00" password = ofIltgcdvaH2Oagh@3. Use terms like money as $, fence as #, at as @, & to replace "and", as going out,

  • 60 Posted by zakum325 on Thu Sep 3, 2009 10:59PM EDT

    Most password requirements are only 12 characters. Also, another way people get hacked is by phishing websites. They keylog the computer or whatever it does. It basically knows what everyone types, e.g. your password.

  • 61 Posted by coolfart@ameritech.net on Thu Sep 3, 2009 3:29PM EDT

    To bombs49: you paid a few thousand for your comp., so now you pay a few hundred for your home security. They crack your home security and take your favorite guns, porno, and your kids' pics, and you now want to put them in jail for the rest of their lives? To me your comp. is YOURS; they should go to jail also. They got in your panties; you did not invite them in!

  • 62 Posted by tomaszradzikowski on Thu Sep 3, 2009 10:15PM EDT

    I reason from a different perspective: conditional/probabilistic. What are the incentives to pick me as a target; what are the odds of being cracked? We live in an almost alarmingly fearful society; fear = a big business, and potentially more harmful than the hackers, in this instance. My tip: use foreign nonsense words. At least I can make the demands on their skill that may see them abandon their effort.

  • 63 Posted by justmeyousee2003 on Thu Sep 3, 2009 4:45PM EDT

    Thank you for cutting this down to useful info, and leaving out the bullsh@t.

  • 64 Posted by rtkillen on Thu Sep 3, 2009 8:55PM EDT

    I just read this article and all that I have to say is that passwords, like locks, only keep honest people honest. If someone wants into your computer then a password is not going to stop them. I have taken my computer in for service before and forgotten my Windows password. The computer place had no trouble bypassing the password and resetting it. I later asked them if a password was even worth having. They said "No." They said that the only password that will keep people out of your computer is a "Power On" password. It is a password that you have to put in before any programs start, and if it is the wrong password then the computer shuts off. The only drawback to a "Power On" password is that if you forget it you have to buy a whole new computer because the lockout is embedded in the BIOS program and cannot be bypassed. Hope this helps. Robert