I’ve written here several times before about how unsatisfactory passwords are as the security mechanism in the era of the Internet. Back in the days when most computers didn’t have remote access, and those that did could only be accessed with a 300 baud modem over a dial-up connection, passwords were a reasonable security technology. The system could hang up the phone after a few incorrect passwords, making an attack by a “dictionary” or other search impractical.
Of course, even then, the system’s users had to expend a little effort to help protect themselves, by not choosing obvious, easy-to-guess passwords, like their spouse’s name or their birth date. I’ve written before about the role of “social engineering” in helping attackers to guess passwords, something that has been going on at least since the physicist Richard Feynman (“Feynman the Genius Safecracker”) worked at the Manhattan Project.
Recently. as related in an article at Ars Technica¸ a successful attacker against the RockYou Web site managed to obtain a fie containing 32 million user passwords for that site. RockYou seems to have had a fairly easy-going attitude toward security; the passwords were stored in plain text in a database that was hacked using an SQL injection attack. The password list was briefly posted on the Internet, and it has been analyzed by iMPERVA, a security firm. It is rare that anyone gets the opportunity to examine such a large sample of actual passwords — the ones that people actually use, as distinct from the ones they tell their systems administrator that they use. For security folks who have spent many hours exhorting people to choose good passwords, the results of the analysis [PDF] do not make for happy reading.
Here is a list of the ten most common passwords in the sample:
The most popular password, ‘123456’, had been selected by 290,731 users of RockYou. This list does not say much for the security awareness, or for that matter the imagination, of the site’s users. Unfortunately, I suspect that this kind of pattern is all too common.
A New York Times article on this report points out once again that this is not a new development:
Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”
My own experience is that, when there is a legitimate need to get into someone’s computer or account (possibly because the user has forgotten the password), guessing the password is often the quickest way to gain access. (How someone could forget one of these “hit parade” passwords is a question I cannot answer.)
A real difficulty for users is the need for so many passwords: one for each E-mail account, one for each Web site, and so on. There may be people that can remember 50 random character strings, but I am not one of them. The best solution I can suggest has two parts: first, use a program or some other means to select long strings of random characters (12 or mote); and second, record them either on a piece of paper kept in your wallet, or in an encrypted file. Bruce Schneier wrote a small application called Password Safe, which is now an open-source project, that will handle both parts of this process for you. I use a Linux version of this program to manage my own passwords, and it makes life a lot easier, as well as more secure.
This really isn’t surprising. We’d all be amazed how much this wouldn’t happen if people took the extra .5 seconds to add a number or two to the end of their password. Leave the door open and people will come in. Using passwords like “1234” just isn’t smart.