Earlier this month, we read an article headlined, “Here is why you need to stop using six-digit passcodes to protect your iPhone“. The article talked to security firm Malwarebytes about a product known as GrayKey (developed by long-time US intelligence agency contractors and an ex-Apple security engineer), which can reportedly crack any iPhone running iOS 10 or 11, using a trial and error method used by application programs, to decode encrypted data such as passwords.
A couple of days earlier, Matthew Green, a teacher of cryptography at Johns Hopkins University in Maryland, tweeted some equally scary statistics:
Which leads us to the question…
How Secure is Your Email Password?
Every year, we find round-up posts of the year’s worst passwords. Last year’s round-up posts included one on CNET entitled, ‘Starwars’ appears on list of worst passwords of 2017, which reported on SplashData’s analysis of 5 million leaked passwords, mainly from North American and Western European users.
Top of the list again?
The most notable newcomer?
Here is SplashData’s full top 25 list worst passwords:
1 – 123456 (ranking unchanged since 2016 list)
2 – password (ranking unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 2)
5 – 12345 (down 2)
6 – 123456789 (new)
7 – letmein (new)
8 – 1234567 (Unchanged)
9 – football (down 4)
10 – iloveyou (new)
11 – admin (up 4)
12 – welcome (unchanged)
13 – monkey (new)
14 – login (down 3)
15 – abc123 (down 1)
16 – starwars (new)
17 – 123123 (new)
18 – dragon (up 1)
19 – passw0rd (down 1)
20 – master (up 1)
21 – hello (new)
22 – freedom (new)
23 – whatever (new)
24 – qazwsx (new)
25 – trustno1 (new)
Choosing a Secure Email Password
Bruce Schneier, the CTO of IBM Resilient and a fellow at Harvard’s Berkman Center says, “The efficiency of password cracking depends on two largely independent things: power and efficiency.
- Power is simply computing power. As computers have become faster, they’re able to test more passwords per second; one program advertises eight million per second. These crackers might run for days, on many machines simultaneously. For a high-profile police case, they might run for months.
- Efficiency is the ability to guess passwords cleverly. It doesn’t make sense to run through every eight-letter combination from “aaaaaaaa” to “zzzzzzzz” in order. That’s 200 billion possible passwords, most of them very unlikely. Password crackers try the most common passwords first.”
atmail’s Email Password Policy Upgrade
Important update: From 1 February 2021 (AEST), atmail’s password policy will be upgraded further.
In the interests of GDPR and your email security, we are further improving atmail’s cloud email password policy. Starting 4 June 2018 (AEST), our minimum requirements for a new secure password will be:
Admin Password Policy: Minimum of 1 upper-case character Minimum of 1 lower-case character Minimum of 1 numeric character Minimum of 1 non-alphanumeric character (For example: !@#$) Minimum length of 10 characters Maximum of 4 identical characters Acceptable: AAAAairB@11! Not Acceptable: AAAAairAB@11!
Cannot be the same as the 3 previous passwords used Password expiry of 150 days Password grace period 28 days
User Password Policy: Minimum of 1 upper-case character Minimum of 1 lower-case character Minimum of 1 numeric character Minimum of 1 non-alphanumeric character (For example: !@#$) Minimum length of 8 characters Maximum of 4 identical characters Acceptable: AAAAairB@11! Not Acceptable: AAAAairAB@11!
Cannot be the same as 3 previous passwords used
Tips for choosing a strong password: Use a phrase rather than one word iLov3FloWers!
Replace alphanumeric characters with non-alphanumeric characters where possible iL0v3FloWer$!
Insert an unpredictable non-alphanumeric character to break a conventional word iL0v3Fl_oWer$!
Read more about choosing a secure password
When will the new password policy take effect? Sunday June 4, 2018, at 12:00 (Australian Eastern Standard Time).
When will I have to change my password after the new policy? Admins will have 150 days to update their passwords before they expire, plus a further grace period of 28 days. Current user passwords will not expire.
What do I need to do as an admin? 1. Update your admin password; and 2. Advise your users to review their current password and refer them to the account settings guide on how to update their password. (Note: You can also update your users’ passwords via the Account Manager section of your admin panel.)
Can I strengthen this password policy further?
Yes, if you are an atmail email admin, you can strengthen this password policy further for your users.
To do so, we invite you to visit:
- Our help page for strengthening user passwords; and/or
- Our help page for strengthening admin passwords.
If you are a current atmail customer and you have a technical support question about passwords, please direct your question to [email protected] or contact us via your atmail portal account.
Written by Dominic Finn and Andrea Martins