“Part of the project included setting up about 150 user accounts for the client’s customers to log in to a secure portion of the site and download their reports,” says the consultant.
“Setting up 150 user accounts seemed like a simple enough job, would keep our intern busy and took a task off my plate. I gave him a list of usernames and showed him how to set up accounts on the server.”
In fact, he gives the intern some further guidance. From past experience, he knows that passwords consisting of random letters and numbers make security gurus happy but drive users crazy — either users can’t remember the gibberish passwords or they constantly mistype them.
He explains all this to the intern and instructs him to create passwords that consist of a word from the dictionary, followed by two or three digits.
Next day, the consultant checks with the intern to make sure the job is complete. The intern shows him the list of passwords. And sure enough, he’s done exactly what the consultant suggested — with one extra twist.
“Rather than creating passwords like ‘book345’ or ‘house57,’ he instead found a list of the 200 most commonly misspelled words to generate the passwords,” the consultant groans.
“Being under a tight deadline, there was no time to create new passwords and test them. So we launched the Web site and gave the users their passwords. As expected, we fielded numerous support calls from users trying to enter passwords such as ‘accommodate85’ and ‘asphyxiate33.’”
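The consultant's scheme (one dictionary word followed by two or three digits) and the intern's twist (drawing the words from a 200-entry list) both have a measurable effect on how many distinct passwords can exist. The following Python is an added illustration, not code from the story or from the consultant's project: it generates passwords that follow the stated scheme, checks that a password conforms to it, and compares the size of the resulting password space with that of random alphanumeric passwords of the kind the story says "make security gurus happy". The word list, the 8-character comparison length and the 62-character alphabet are constructed assumptions.

```python
import math
import random

# Constructed stand-in for the dictionary the consultant had in mind; a real
# deployment would load a full word list. The last two entries are the
# misspelling-prone words the story quotes.
WORDS = [
    "book", "house", "river", "garden", "window", "candle",
    "forest", "marble", "accommodate", "asphyxiate",
]

# Digit-suffix lengths allowed by the scheme: "two or three digits".
DIGIT_LENGTHS = (2, 3)


def generate_password(words=WORDS, rng=None):
    """Produce one password in the consultant's scheme: word + 2 or 3 digits.

    rng is any random.Random-compatible object; the default is the OS CSPRNG,
    which is what you would want if this scheme were actually used.
    """
    rng = rng or random.SystemRandom()
    word = rng.choice(words)
    n_digits = rng.choice(DIGIT_LENGTHS)
    suffix = "".join(str(rng.randrange(10)) for _ in range(n_digits))
    return word + suffix


def matches_scheme(password, words=WORDS):
    """Return True if password is exactly <word from list><2 or 3 digits>."""
    for word in words:
        if password.startswith(word):
            suffix = password[len(word):]
            if suffix.isdigit() and len(suffix) in DIGIT_LENGTHS:
                return True
    return False


def scheme_keyspace(n_words, digit_lengths=DIGIT_LENGTHS):
    """Number of distinct passwords the word+digits scheme can produce
    from a list of n_words words: n_words * (10^2 + 10^3) by default."""
    return n_words * sum(10 ** k for k in digit_lengths)


def random_keyspace(alphabet_size, length):
    """Number of distinct random passwords of the given length and alphabet."""
    return alphabet_size ** length


def bits(keyspace):
    """Password-space size expressed in bits of entropy (uniform choice)."""
    return math.log2(keyspace)


def compare(n_words=200, random_len=8, alphabet=62):
    """Entropy, in bits, of the word+digits scheme versus random
    alphanumerics. Defaults: the intern's 200-word list against 8
    characters drawn from [A-Za-z0-9] (assumed comparison point)."""
    return {
        "scheme_bits": round(bits(scheme_keyspace(n_words)), 1),
        "random_bits": round(bits(random_keyspace(alphabet, random_len)), 1),
    }


if __name__ == "__main__":
    print("sample password:", generate_password())
    print("200-word list:", compare())
    print("100k-word list:", compare(n_words=100_000))
```

The numbers make the trade-off concrete: with the intern's 200-word list the scheme yields 220,000 possible passwords (about 17.7 bits), a full 100,000-word dictionary raises that to roughly 26.7 bits, while eight random alphanumeric characters give about 47.6 bits. The memorable scheme costs well over twenty bits against the "gibberish" alternative, which is why such passwords are normally paired with rate limiting or lockout on the login form rather than relied on alone.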
- Survey: 60 percent of users use the same password across more than one of their online accounts (zdnet.com)
- Don’t Let Users Reuse Same Password (hackstips.wordpress.com)
- Lost user account and password to laptop (edugeek.net)