
War on Error

Stupid passwords are security's silent rebellion



Passwords might be lousy, but they're also cheap

If you assumed the old-fashioned ‘000000’ represented the nadir of bad passwords, think again. According to SplashData, zero (repeated six times) only just scrapes onto its list of the worst passwords of 2013, in 25th place.

The days are long gone when just repeating the same character represented state of the art. These days ‘123456’ is the new king, ahead of the previous laconic league topper, ‘password’.

The firm assembled its list from password lists exposed in public breaches during 2013 (thanks, Adobe), a plausible if unscientific attempt to describe the troubled relationship between computer users and the hated login screen. Other biggies on the list included ‘123456’ extended by adding 7, 8 or 9, and product names followed by a simple number sequence.

They call route-one password hacking a ‘brute force’ attack, but nothing brutal would be required to beat this stuff; a simple guess would suffice. Worse, lists like this give us an insight into the database lookups used by criminals trying their luck against encrypted password stores. That’s the other thing about daft passwords: the fact that they might be stored in an encrypted state is a security mirage if they are so simple that a precomputed lookup can beat them.
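To make the point concrete, here is an added Python example (not from the column or from SplashData) using a constructed six-entry list of the passwords named above. It shows the two controls a defender actually has: a blocklist check at password-set time, and a salted slow hash for storage; it also shows why the second one alone is the mirage the column describes, since a listed password falls to the same handful of guesses whether or not it is salted.

```python
import hashlib
import os

# Constructed sample list: the entries the column names, plus the "123456 plus 7, 8 or 9"
# extensions it describes. A real deployment would load a much larger published list.
COMMON_PASSWORDS = ["123456", "password", "1234567", "12345678", "123456789", "000000"]


def is_common(password: str, banned=COMMON_PASSWORDS) -> bool:
    """Policy check: reject any candidate found on the worst-passwords list (case-insensitive)."""
    return password.strip().lower() in {b.lower() for b in banned}


def sha256_hex(text: str) -> str:
    """Fast, unsalted digest, standing in for a naive 'encrypted' password store."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup(wordlist, digest=sha256_hex) -> dict:
    """Precompute digest -> plaintext once; every unsalted store can then be resolved by lookup."""
    return {digest(word): word for word in wordlist}


def recover_unsalted(stored_digest: str, table: dict):
    """Resolve an unsalted digest instantly when its plaintext is in the table, else None."""
    return table.get(stored_digest)


def salted_digest(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256) defeats a shared precomputed table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def guess_salted(stored_digest: str, salt: bytes, wordlist, iterations: int = 50_000):
    """Even with salting, a handful of guesses still finds a listed password; only the cost per
    guess has risen. The blocklist check above is the control that actually removes the risk."""
    for word in wordlist:
        if salted_digest(word, salt, iterations) == stored_digest:
            return word
    return None


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print(recover_unsalted(sha256_hex("123456"), table))                       # 123456
    salt = os.urandom(16)
    print(guess_salted(salted_digest("123456", salt), salt, COMMON_PASSWORDS))  # 123456
    print(is_common("123456"), is_common("correct horse battery staple"))       # True False
```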

If anyone ever writes a history of bad passwords chapter one will list the flawed assumptions that have fed this downfall:

1. Default passwords could be repeated characters because users would change them. They didn’t.

2. When users are given the chance to set their own password, they will choose reasonably complex ones. They rarely did.

3. It doesn’t matter anyway because attackers have no way to assault multiple accounts at one time without physical access. Wrong again.

The moment for reform came with the spread of the LAN and the Internet but IT departments and technology vendors stuck to old ways. Passwords couldn’t be complex, they said, because when users forgot them it made the IT team or vendor support staff’s life difficult. If they were made complex, users would see this as a pain in the ass and rebel by deliberately using simple ones to save time.

But the deeper problem with passwords is that users have always been at war with them, passing the login screen as they would try to slip past a club bouncer. Nobody likes them, and many don't sincerely believe they need them. Culturally, passwords have always been a sequence of key-presses keeping you from the stuff that matters. This is the problem with security: it doesn't help you do things so much as stop you doing things. So, yes, ‘123456’ might stem from laziness, but also from a bit of rebellion.

Despite a glut of replacement technologies and concepts, passwords are not going to disappear any time soon, which sounds paradoxical. The simple explanation is that passwords are weak but also cheap. Until the world breaks free of this complacent piece of accountancy, we’re stuck with them and have to make the best of it.

Come 2014, 2015 or 2016, don't bet against the two worst passwords still being ‘123456’ or ‘password’.
