If Your Password Is 123456, Just Make It HackMe:
Back at the dawn of the Web, the most popular account password was "12345."
Today, it's one digit longer but hardly safer: "123456."
Despite all the reports of Internet security breaches over the years, including the recent attacks on Google's e-mail service, many people have reacted to the break-ins with a shrug.
According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like "abc123," "iloveyou" or even "password" to protect their data.
...
Imperva found that nearly 1 percent of the 32 million people it studied had used "123456" as a password. The second-most-popular password was "12345." Others in the top 20 included "qwerty," "abc123" and "princess."
More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.
Many people are assuming that Google's current row with China has more to do with protecting the reputation of its cloud computing services than idealistic motives. But really, the end user is the root of some of the problems of security within the cloud.
"Princess"?
Hmm.. PEBKAC.
If you're coding a web application, it's wise to reject these passwords outright. I also like the weak->strong meters shown next to password fields.
Offering advice on how to choose a good password is also helpful. Best advice I know: memorize a passPHRASE as part of your password. E.g., "That's what your MOM said last night" as a passphrase becomes "TwyMsln" in your password (or go with the 3rd letter of each word to get "aauMisg") and then throw a number and special character in there that you can remember (5^, for example).
5^aauMisg is a pretty good password, and not that much harder to remember than 123456.
Keyboard patterns like qwerty are possible if you are smart about them; i.e., use the shift key, jump around, and make it long. "2w)OdfJHerIU" is a keyboard pattern password that's pretty solid.
That's amazing! I've got the same combination on my luggage!
Frustrating, yes, but nothing new. In "Surely You're Joking, Mr. Feynman", Feynman tells the story of contriving a meeting with the official locksmith at Los Alamos, who had managed to open a special safe that a captain had had delivered to store his sensitive documents (the captain was unavailable at the time but the documents were urgently needed). It turned out the locksmith was eager to meet Feynman, who had cultivated a reputation for being a safecracker. The locksmith's secret: those safes came from the factory with one of two default settings, and the second one opened the safe. Feynman subsequently found that about one out of every five combination locks that he tried opened with one of the two default combinations. So the weak password problem has been around for at least 65 years.
Meh. If I'd had a rockyou.com account, the password would have probably been something simple like that - after all, it's RockYou. I don't care if anyone steals my account on that website, and I don't want to use one of my real passwords in case their system architects are morons and something like this happens.
Further, rockyou.com was doing it wrong in the worst way possible. You do not ever store passwords as plain text. You store the result of a cryptographic hashing function applied to the password + some random but constant salt value. That way, even if someone steals your customer records, they can't easily get your users' passwords - which might have been used on a different site.
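One way to put the storage advice above, together with the earlier suggestion to reject the common passwords outright, into working code. This is an added Python example, not code from the article or from anyone in the thread; the common-password set is a constructed sample of the kind of list Imperva describes, and the PBKDF2 iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import os

# Constructed sample of a "most common passwords" list; a real deployment would
# load the full list (e.g. a few thousand entries) from a file and refresh it.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "abc123",
                    "iloveyou", "princess"}

# Assumed tuning value: raise it until hashing takes a noticeable fraction of a
# second on your server; an attacker brute-forcing a stolen file pays the same cost.
PBKDF2_ITERATIONS = 600_000


def is_weak(password: str) -> bool:
    """Reject blocklisted or too-short passwords outright at signup."""
    return len(password) < 8 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The salt is random per user but stored next to the hash, so it stays
    constant for that user and can be reused at verification time."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(store: dict, username: str, password: str) -> bool:
    """Refuse weak passwords; store only the salted hash, never the plaintext."""
    if is_weak(password):
        return False
    store[username] = hash_password(password)
    return True


def login(store: dict, username: str, password: str) -> bool:
    stored = store.get(username)
    return stored is not None and verify_password(password, stored)
```

Because each user gets a fresh random salt, two users who pick the same password end up with different stored strings, so a stolen table cannot be cracked with one precomputed lookup.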
The italicized words (my italics) are the root of the problem. Memorizing good passwords is hard work, and most people can't be convinced to do it. As Bruce Schneier pointed out over 10 years ago, writing your passwords down should not be viewed as a last resort. Instead, it should be your first resort. Write all your passwords down on a piece of old-fashioned paper. Make a copy. Store the copy in a safe place, where it is unlikely to be affected by common disasters, such as fires, floods, etc. Keep the other on your person, but treat it like your credit card, or your id card - take every reasonable precaution against losing it.
But most importantly - know how to report identity theft. Write down a list of the steps you will need to go through in the event of your password list being lost, or stolen. Do a few dry runs, so that when you need to use it, it is somewhat familiar to you. Keep that list somewhere else (not with the password list, obviously) on your person.
There's always a tradeoff between security and inconvenience: it's easier to walk through an unlocked door, including my own front door while I'm carrying groceries. So it only makes sense to lock a door if you care who comes through it. (You might _close_ a door to keep the wind out, or animals in: the local dog run uses gates that almost any human would find trivial, but the dogs can't open.) And the more passwords I have, the more I have to either remember or store: and pieces of paper can be lost or stolen.
I leave my work computer logged in to the library's website, because the worst any of my coworkers could do is cancel my holds on library books; it's not a real risk. (They could also reserve books I didn't want, which I wouldn't have to borrow, or renew the books I have checked out, which is harmless.) That doesn't mean I'm staying logged in to my personal email, or my pension fund.
Tacroy is absolutely right about hash functions: that was old news in the 1980s. It's not an absolute guarantee--given a system, a hashed password file, and time, brute-force attacks are useful--but it's still worth doing.
At my last job, when the number of passwords I had (and which were renewed on different schedules) grew too many to be handled by my inadequate rote memory, I figured out about 11 different passwords as a base stock and wrote a list of clues to them, to help me keep track of which one I was using for each application. I randomly substituted numbers for similar-looking letters to keep it a bit more secure as well (e.g. s=5, q=9). The list of clues lived in my diary with whatever application I was using it for written in pencil beside the relevant clue. I used things like my mother's mother's maiden name + my niece's current age.
If you use 1Password on a Mac it keeps track of all your passwords for you and can generate extremely strong passwords for every site and then access them via a master password on your computer. It also has an iPhone version that syncs with the desktop.
I used to use strong passwords, but only kept a handful I could remember. Now I use different passwords on each site.
Realistically you need something like that if you are going to have sufficient security. Because frankly no one can keep track of numerous complex passwords without creating other security flaws.
"Write all your passwords down on a piece of old-fashioned paper."
I'd be far more concerned about somebody using that piece of paper (which has to be stored near the computer) than about somebody hacking my password. It is much easier for me to use the same password for 135 different web sites than to have different passwords for each, which I then have to write down.
(And yes, I have different passwords for banking websites, but that is the exception, not the rule.)
Of course I use my cat's name as a password! She's called "k7;m2H8l" and I change her name every six weeks.
Here you can find a nice method for custom and good password creation: http://www.goodpassword.info/how_to_create_a_password.php
It's not surprising, then, that so many people keep getting their email accounts hacked into.
You can combine one strong password that you remember with different suffixes for different websites and write down those suffixes on a piece of paper.