Revelations on passwords. Did you get a pass from PCI DSS?

  • Team Omega
  • August 26, 2011

According to various online sources, the 25 most common passwords divulged from the recent hacking of Sony are as follows:

…seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, 9452, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, bailey…

All of the passwords listed above are in “password dictionaries” that are available online. Hopefully this gets you thinking about the password scheme you use for your personal online accounts, and especially for your work-related accounts.

Section 8 of PCI DSS stipulates the following requirements for passwords related to the cardholder data environment:

  1. Passwords should not be shared.
  2. Passwords should be changed every 90 days.
  3. New passwords should not be the same as the previous 4 passwords.
  4. Passwords should be 7 characters in length.
  5. Passwords must contain both numeric and alphabetic characters.
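The rules above are easy to turn into an enforceable check. The following is an added example (not from the original post and not official PCI DSS material): a small Python policy checker that applies rules 2 to 5 and also rejects anything on the Sony list quoted above. It assumes the "7 characters" rule is a minimum length, that password history is kept as salted PBKDF2 hashes (so old passwords are never stored in clear), and that rotation is judged from the date the password was set; `COMMON_PASSWORDS`, `check_password` and `password_expired` are names chosen here for illustration.

```python
"""Password-policy checker modelled on the PCI DSS Section 8 rules quoted in the post.

Added example: not the post's own code and not an official PCI DSS tool.
Assumptions: the 7-character rule is a minimum; history is compared against
salted PBKDF2 hashes; rotation is judged from the date the password was set.
"""
import hashlib
import hmac
import os
from datetime import date

# The 25 passwords quoted in the post (constructed set for the dictionary check).
COMMON_PASSWORDS = {
    "seinfeld", "password", "winner", "123456", "purple", "sweeps", "contest",
    "princess", "maggie", "9452", "peanut", "shadow", "ginger", "michael",
    "buster", "sunshine", "tigger", "cookie", "george", "summer", "taylor",
    "bosco", "abc123", "ashley", "bailey",
}

MIN_LENGTH = 7        # rule 4, read as a minimum (assumption)
HISTORY_DEPTH = 4     # rule 3: no reuse of the previous 4 passwords
MAX_AGE_DAYS = 90     # rule 2: change every 90 days
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storing in the password history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def _matches(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def check_password(candidate, history):
    """Return the list of violated rule names; an empty list means the password is acceptable.

    `history` is a list of (salt, digest) tuples, oldest first, as produced by hash_password().
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")                       # rule 4
    has_digit = any(c.isdigit() for c in candidate)
    has_alpha = any(c.isalpha() for c in candidate)
    if not (has_digit and has_alpha):
        problems.append("charset")                      # rule 5
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("dictionary")                   # the Sony list above
    for salt, digest in history[-HISTORY_DEPTH:]:
        if _matches(candidate, salt, digest):
            problems.append("reuse")                    # rule 3
            break
    return problems


def password_expired(set_on, today, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation limit (rule 2)."""
    return (today - set_on).days > max_age_days


if __name__ == "__main__":
    history = [hash_password("OldPass1"), hash_password("OldPass2")]
    for pw in ("seinfeld", "abc123", "OldPass2", "Correct7Horse"):
        print(pw, "->", check_password(pw, history) or "ok")
    print("expired:", password_expired(date(2011, 5, 1), date(2011, 8, 26)))
```

Rule 1 (no sharing) is a people-and-process control rather than something a checker can verify, so it is deliberately absent. Because the history holds only salted hashes, the reuse check has to re-derive the candidate against each stored salt, which is why it is bounded to the last four entries.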

For personal online accounts, I certainly adhere to numbers 1, 4 and 5. Changing work-related passwords is quite important. Take a moment to consider the fact that an employee who has been gone for months (or years!) might still be able to access critical business systems. It is a scary thought.

So, take a few minutes today to think about your business password policies and start the process of making them more robust.