SplashData released its list of common passwords in January, and the top is much like last year’s. ‘123456’ and ‘password’ lead the pack again.
There are four interesting issues here:
First, people still choose poor passwords. I guess that’s to be expected. After all, remembering a dozen or more passwords can be difficult. For some people, three passwords are difficult to keep straight. I’ve recommended password managers before. They can also generate better passwords (at least ones more difficult to guess) than those on the SplashData list.
Second, these passwords came from disclosures. That means the bad guys discovered them somehow on real systems. If you were a bad guy and saw this list, wouldn’t you try these passwords on accounts you wanted to compromise? Of course you would! Please, if you are using any password on the SplashData list, change it now. And if you are using the same password on two sites, change each of them to different passwords! This is why there are password managers.
The third issue is that of discovery. How did someone discover those passwords? I suspect the sites hosting those two million passwords didn’t store them in a way that would make them difficult to discover. In Learning Tree’s System and Network Security Introduction we discuss ways to make discovering passwords much more difficult and time-consuming. These are essential measures for site owners to deploy in order to help safeguard user passwords. While users have a duty to use good passwords, site owners also have a duty to protect those passwords.
Finally, passwords need to die a fast death, at least as we know them today. They can be discovered by watching someone enter them (shoulder surfing), sniffing, hacking servers and multiple other ways. They were fine when used in a “good fences make good neighbors” environment, but standalone single passwords are no longer appropriate for most uses. Multi-step authentication such as google authenticator provide a mechanism to add a second value for the password. The app generates numbers to be provided at the login process. The numbers change every 30 seconds. This means that a hacker needs not only a username and password, but also access to the victim’s app. Thus, disclosing the password would not be as dangerous. However, it doesn’t remove the need for choosing good passwords.
If you haven’t already done so, get a good password manager as a New Year’s present to yourself. And turn on the two-step authentication when available.
To your safe computing,