Common words for passwords can make them easy pickings for hackers.
Auckland, kiwi, summer, surfboard, sheep and Australia have all been put on the password no-no list for those running our biggest city.
Auckland councillors and staff were told not to use them when setting up various online accounts, after IT experts decided the words were too common and risked being easily found by password-guessing tools, according to information released under the Official Information Act.
The move prompted a surprised tweet in June from Puketāpapa Local Board deputy chairwoman Julie Fairey.
"Auckland Council IT has determined we elected members need to have more secure passwords (not a bad thing) and ruled out use of certain 'common' words on their own (and given a list of them).
"This is a shocking insight into my colleagues' thinking," she tweeted with a scream emoji.
Regular evaluation of policies and user guidelines around password security was part of the council's ongoing focus on information security, the council's Democracy Services' privacy and LGOIMA business partner, Saree Biddick, told the Herald on Sunday.
Use of any of the banned words now prompts a security alert, forcing the user to change their password.
Along with words to avoid, elected members and staff were sent a link to a blog by American cybersecurity expert Mike Garcia, who encouraged the use of passphrases — such as a list of objects in a familiar room — in place of passwords.
As for Fairey, she's still smiling about the directive - and her many years of poor password choices.
She thought the prevalence of "Australia" in passwords might be related to many elected members having family living across the Tasman, and that "sheep" may be popular with those from rural wards.
"We have to change our passwords every six to eight weeks, so you do start to be a bit lazy as you run out of dead pets' names. And you think you're being really imaginative to use your kids' names and years of birth.
"I've used the names of my kids, but I've only got three so I can't do that anymore."
Top tips for password security
• Don't use a password. Use a passphrase instead. Garcia recommends choosing a handful of normal words or phrases which you can picture in your head, but no one else would ever suspect.
• Bad examples of passphrases include "the names of your four kids" or "the colours of the rainbow". A good example is from his kitchen: blender vent saute pendant red chair - even if someone knew he picked words based on his kitchen they would need to see the kitchen and then determine which of the thousands of nouns and verbs he had picked.
• Lastly, don't rely on passwords alone to protect anything of value. Turn on multi-factor authentication where possible.
- Source: Easy Ways to Build a Better P@$5word by Mike Garcia, National Institute of Standards and Technology
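The banned-word alert described in the article can be sketched as a check that flags a password built on one of the six listed words "on their own" while letting a multi-word passphrase through. This is an added example, not Auckland Council's tool; the function name, the character-swap table and the rule that trailing digits or symbols still count as the word on its own are assumptions.

```python
import string

# The six words the article says were ruled out "on their own".
BANNED_WORDS = frozenset(
    {"auckland", "kiwi", "summer", "surfboard", "sheep", "australia"}
)
# Assumption: common character swaps are undone before matching.
LEET = str.maketrans("013457@$", "oieastas")
# Assumption: digits and punctuation tacked onto the end do not make a
# banned word acceptable.
DECORATION = set(string.digits + string.punctuation)


def banned_word_in(password):
    """Return the banned word the password is built on, or None.

    Hypothetical helper: a hit means the whole password is one banned
    word, optionally followed by digits or symbols.
    """
    text = password.strip().casefold()
    for cut in range(len(text), 0, -1):
        stem, tail = text[:cut], text[cut:]
        if not all(ch in DECORATION for ch in tail):
            break  # the tail now holds a letter or space, so stop
        word = stem.translate(LEET)
        if word in BANNED_WORDS:
            return word
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords.
    samples = [
        "Auckland",
        "Kiwi2019!",
        "Sh33p",
        "Au$tralia1",
        "blender vent saute pendant red chair",
    ]
    for sample in samples:
        hit = banned_word_in(sample)
        print(f"{sample!r}: {'alert, built on ' + hit if hit else 'ok'}")
```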