This past week (as I write this) security researcher Mark Burnett (who literally wrote the book on passwords) released ten million passwords gathered from security breaches. He went one step further and released the account names (without the domain part) of the associated email addresses. That’s a lot of passwords. Here’s why you should care.
First, I hope your email and passwords aren’t on the list. A colleague downloaded the list and checked – mine isn’t. I routinely check PwnedList.com to see if any of my accounts have been compromised so I was fairly certain I was safe. You should probably do that, too. If your password was on the list, or if a site you use has reported a breach you need to change your password now. You also shouldn’t use that password anywhere (using a password in more than one place is bad for this reason).
Second, the list is good at helping us discover common passwords. There are still people using Password1, 123456 and qwerty as passwords. Really. Data from researchers like Burnett help administrators prevent users from using poor passwords. As we discuss in Learning Tree’s System and Network Security Introduction administrators can block users from using particular passwords. As Burnett points out, 30% of users use passwords from the top 10,000. If administrators blocked those passwords, it would of course be less convenient for users, but it might mean more secure systems. Complex passwords are difficult to remember, but as I’ve noted before, there are tools to help with that (generating and storing complex passwords, not remembering them….
Finally, well, it’s quite interesting to see what people pick for passwords. “princess” and “mylittlepony” are sort of predictable, but “iloveyou” does not describe my relationship with any computer I’ve used. “BBROYGBVGW” was popular some years ago, but I haven’t seen it recently. (If you know where it comes from, you can share in the comments below.)
Learning Tree recently began offering 1-Day bootcamps on popular computing topics. I had the pleasure of attending the first one ever. I attended from my desk at work – these are only offered virtually, so people can attend from anywhere. The class was thoroughly enjoyable. It was taught by Adrian Bryan my co-author for the introduction to security course. There are a handful of cyber security boot camps available now, and more likely to come. They are a convenient way to learn about security topics without the whole-week commitment of a regular class. Check them out.
To your safe computing,