Blogs

War on Error

John E. Dunn

Stupid passwords are security's silent rebellion

The 'bad' password is a rebellion against the idea of passwords

Passwords might be lousy, but they're also cheap

If you assumed the old-fashioned ‘000000’ represented the nadir of bad passwords, think again. According to SplashData, zero (repeated six times) only just scrapes onto its list of the worst passwords of 2013, in 25th place.

The days are long gone when just repeating the same character represented state of the art. These days ‘123456’ is the new king, ahead of the previous laconic league topper, ‘password’.

The firm assembled its list from password lists exposed in public breaches during 2013 (thanks, Adobe), a plausible if unscientific attempt to describe the troubled relationship between computer users and the hated login screen. Other biggies on the list included 123456 extended by adding 7, 8 or 9, or product names with a simple number sequence tacked on.

They call route one password hacking a ‘brute force’ attack but nothing brutal would be required to beat this stuff; a simple guess would suffice. Worse, lists like this give us an insight into the database lookups used by criminals trying their luck against encrypted password stores. That’s the other thing about daft passwords: the fact that they might be stored in an encrypted state is a security mirage if they are so simple that a lookup can beat them.
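To make the point concrete, here is an added example (not from the original post or from SplashData) that enforces the lesson from the defender's side: a registration-time check that refuses the kinds of passwords the list is built from, and an audit that shows why hashing alone is a mirage for them. The word list and product names are constructed stand-ins, not the real SplashData list.

```python
import hashlib

# Constructed excerpt in the spirit of the worst-passwords list the post
# discusses; the real SplashData list is not reproduced here.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "1234567", "iloveyou", "admin", "000000",
}
# Constructed stand-ins for the "product names" the post mentions.
PRODUCT_NAMES = {"adobe", "photoshop", "acrobat"}
DIGIT_RUN = "0123456789"


def reject_reason(candidate: str):
    """Return why a candidate password is refused, or None if it passes.

    Each rule matches one failure the post describes: a list entry, a single
    repeated character, a run of consecutive digits, or a product name with
    a number sequence tacked on.
    """
    pw = candidate.lower()
    if pw in WORST_PASSWORDS:
        return "on the worst-passwords list"
    if len(set(pw)) == 1:
        return "single repeated character"
    if pw.isdigit() and pw in DIGIT_RUN:
        return "consecutive digits"
    stem = pw.rstrip(DIGIT_RUN)
    tail = pw[len(stem):]
    if stem in PRODUCT_NAMES and tail and tail in DIGIT_RUN:
        return "product name plus number sequence"
    return None


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def audit_unsalted_store(store: dict) -> dict:
    """Map account -> recovered password for a legacy unsalted SHA-256 store.

    This is the 'lookup' the post describes, used on your own store: ten
    precomputed hashes identify every account whose password is on the list,
    so hashing did nothing for passwords this simple.
    """
    table = {sha256_hex(p): p for p in WORST_PASSWORDS}
    return {user: table[h] for user, h in store.items() if h in table}
```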

If anyone ever writes a history of bad passwords, chapter one will list the flawed assumptions that have fed this downfall:

1. Default passwords could be repeated characters because users would change them. They didn’t.

2. When users are given the chance to set their own password, they will choose reasonably complex ones. They rarely did.

3. It doesn’t matter anyway because attackers have no way to assault multiple accounts at one time without physical access. Wrong again.

The moment for reform came with the spread of the LAN and the Internet but IT departments and technology vendors stuck to old ways. Passwords couldn’t be complex, they said, because when users forgot them it made the IT team or vendor support staff’s life difficult. If they were made complex, users would see this as a pain in the ass and rebel by deliberately using simple ones to save time.

But the deeper problem with passwords is that users have always been at war with them, trying to get past the login screen as they would try to slip past a club bouncer. Nobody likes them, and many don't honestly think they need them. Culturally, passwords have always been a sequence of key-presses keeping you from the stuff that matters. This is the problem with security; it doesn't help you do things so much as stop you doing things. So, yes, 123456 might stem from laziness, but also from a bit of rebellion.

Despite a glut of replacement technologies and concepts, passwords are not going to disappear any time soon, which sounds paradoxical. The simple explanation is that passwords are weak but also cheap. Until the world breaks free of this complacent piece of accountancy, we’re stuck with them and have to make the best of it.

Come 2014, 2015 or 2016, don't bet against the two worst passwords still being ‘123456’ or ‘password’.

