Born to be breached: the worst passwords are still the most common

Bad password practices still leave Internet users' accounts at risk.

Despite the many, many cautionary tales we hear every day of e-mail, social media, and other Internet accounts being compromised, some people still haven't heeded the warnings about using easily-guessed passwords. And it isn't just the non-technical masses that are leaving themselves vulnerable.

I've railed in the past against the risks created, ironically, by companies having password policies that are too aggressive. But on the Internet, it's already been established that nearly any password is vulnerable to cracking, no matter how elaborate.

Websites' poor security often leaves them vulnerable to the bulk theft of password files—or, as in the case of the exposure at the Institute of Electrical and Electronics Engineers' IEEE.org, sometimes passwords are just sitting there on servers unencrypted and waiting to be downloaded. Even when they're encrypted, those password files can easily be cracked (as Dan Goodin reported) with a variety of readily available "password recovery" tools—and thanks to software that uses the power of beefier graphics processing units and vast lists of previously cracked passwords, it's getting easier all the time.

Still, it doesn't help the cause very much when users pick passwords that are just begging to be exposed—not through high-horsepower cracking tools, but by flat-out guessing. Breach after breach, security analysts find that many users have used passwords that are vulnerable to even the most casual attempts at breaking—passwords like "password."

For example, an analysis of IEEE's log files found that of the 100,000 users' accounts that were exposed on IEEE.org, about 18,000 used passwords that would have been easy prey for hacking. The most common was "123456," followed closely by "ieee2012" and the ever-popular "12345678." And when hackers cracked the personal email account of the notoriously security-conscious Syrian president Bashar Hafez al-Assad, what did his password turn out to be? It was "12345."

This past week, password management tool developer SplashData published the results of what has become an annual ritual—the quest for the "scariest" passwords. An analysis of millions of stolen login credentials posted by hackers discovered that for the third year in a row, "password" was the most commonly used password, with "123456" and "12345678" still steady in the #2 and #3 positions.

Here's the full list of the top 25 most common passwords for 2012:

Rank  Password   Change in rank since last year
----  ---------  ------------------------------
   1  password   Unchanged
   2  123456     Unchanged
   3  12345678   Unchanged
   4  abc123     Up 1
   5  qwerty     Down 1
   6  monkey     Unchanged
   7  letmein    Up 1
   8  dragon     Up 2
   9  111111     Up 3
  10  baseball   Up 1
  11  iloveyou   Up 2
  12  trustno1   Down 3
  13  1234567    Down 6
  14  sunshine   Up 1
  15  master     Down 1
  16  123123     Up 4
  17  welcome    New
  18  shadow     Up 1
  19  ashley     Down 3
  20  football   Up 5
  21  jesus      New
  22  michael    Up 2
  23  ninja      New
  24  mustang    New
  25  password1  New

SplashData's findings are pretty consistent with those of security consultant Mark Burnett, the author of the book Perfect Passwords. Think your password is a special snowflake, unique in the world? Burnett did an analysis of 6 million username and password combinations last year, and found that 91 percent of users had used one of the 1,000 most common passwords—with 99.8 percent using a password from the 10,000 most common. And "password" was the leader of them all, in use by 4.7 percent of user accounts.

Considering how easily those lists are obtained and turned into fodder for even the most simple password cracking schemes, choosing a simple password is like leaving your house's door unlocked. And it gets worse when you re-use passwords across multiple services with the same username—especially if one of them is your email account, or if you've linked accounts together, as Wired's Mat Honan found out when hackers hijacked his Twitter account and remote-wiped his iPhone and Mac.

Only you can stop the madness. Here are some simple things you can do to make your passwords—and your entire digital persona—more secure:

Use multifactor authentication when you can. Google's improved authentication sends you a text message with a code every time you attempt to connect to Gmail or other services with your Google account from a new location, and Dropbox and other services have followed suit. Google also generates application-specific passwords for mail clients and other software that connects to your account if it can't do the challenge-and-response type of authentication. If you use services that support this, turn it on.

Never use the same password you use for important accounts on other sites. Your password on secure sites is generally better protected than it is on web forums, blogs, social media, and other Web sites. Less security-focused sites can be vulnerable to attacks that give hackers access to the "hashed" (or even unencrypted) password file on the server, and if they don't use HTTPS to encrypt passwords sent to them, your password could be "sniffed" right off the network when you log in from a public Wi-Fi hub or other open network.

Use randomly-generated passwords. Instead of trying to create an easy-to-remember password for your Internet credentials, use a tool to randomly generate them. Of course, SplashData publishes its "worst password" list in hopes that you'll use their password generator, SplashID Safe. But there are a number of other tools that can generate passwords for you, such as LastPass. Or you can simply use one of the many free random password generators that are out there, and store the credentials in your browser's password manager (and in another, offline location in case your browser burps).
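As an added illustration (not part of the article or of any of the tools it names), the following Python ties the three tips together: it screens a candidate against the SplashData top-25 list above, catching the common habit of tacking a digit or punctuation mark onto a listed word, flags a password reused across services, and generates replacements with the `secrets` module rather than the non-cryptographic `random` module. The sample "vault" and its passwords are constructed for the demo.

```python
import secrets
import string

# The 25 most common passwords of 2012, as listed by SplashData above.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_common(password: str) -> bool:
    """True if the password is on the list, ignoring case and the trailing
    digit or punctuation people bolt onto a listed word ("Password1!")."""
    lowered = password.lower()
    no_punct = lowered.rstrip(string.punctuation)
    no_digits = no_punct.rstrip(string.digits)
    # Check each progressively stripped form; an empty string never matches.
    return any(form and form in COMMON_PASSWORDS
               for form in (lowered, no_punct, no_digits))


def generate_password(length: int = 16) -> str:
    """Draw every character from the OS CSPRNG via secrets.choice and reject
    the astronomically unlikely case of landing on a listed password."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_common(candidate):
            return candidate


def find_reuse(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one service to those services,
    so a breach of the weakest site does not unlock the others."""
    by_password: dict[str, list[str]] = {}
    for service, password in credentials.items():
        by_password.setdefault(password, []).append(service)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault; site names and passwords are made up.
    vault = {"email": "Password1!", "forum": "Password1!", "bank": "m0nkey"}
    for site, pw in vault.items():
        print(site, "common" if is_common(pw) else "ok")
    print("reused:", find_reuse(vault))
    print("suggested:", generate_password())
```

Note that the check only catches list words with trivial suffixes; a real deployment would screen against a far larger corpus of breached passwords than these 25.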