Passwords might be lousy, but they're also cheap
If you assumed the old-fashioned ‘000000’ represented the nadir of bad passwords, think again. According SplashData, zero (repeated six times) only just scrapes on its list of the worst passwords of 2013 in 25th place.
The days are long gone when just repeating the same character represented state of the art. These days ‘123456’ is the new king, ahead of the previous laconic league topper, ‘password’.
The firm assembled its list using public breaches of password lists from 2013 (thanks Adobe), a plausible if unscientific attempt to describe the troubled relationship between computer users and the hated login screen. Other biggies on the list included simply extending 123456 by adding 7, 8 or 9, or simply adopting product names with a simple number sequence.
They call route one password hacking a ‘brute force’ attack but nothing brutal would be required to beat this stuff; a simple guess would suffice. Worse, lists like this give us an insight into the database lookups used by criminals trying their luck against encrypted password stores. That’s the other thing about daft passwords: the fact that they might be stored in an encrypted state is a security mirage if they are so simple that a lookup can beat them.
If anyone ever writes a history of bad passwords chapter one will list the flawed assumptions that have fed this downfall:
1. Default passwords could be repeated characters because users would change them. They didn’t.
2. When users are given the chance to set their own password, they will choose reasonably complex ones. They rarely did.
3. It doesn’t matter anyway because attackers have no way to assault multiple accounts at one time without physical access. Wrong again.
The moment for reform came with the spread of the LAN and the Internet but IT departments and technology vendors stuck to old ways. Passwords couldn’t be complex, they said, because when users forgot them it made the IT team or vendor support staff’s life difficult. If they were made complex, users would see this as a pain in the ass and rebel by deliberately using simple ones to save time.
But the deeper problem with passwords is that users have always been at war with them, passing the login screen as they would try to slip past a club bouncer. Nobody likes them, many don't sincerely think they need them. Culturally, passwords have always been a sequence of key-presses kepping you from the stuff that matters. This is problem with security; it doesn't help you do things so much as stop you doing things. So, yes, the 123456 might stem from laziness but also a bit of rebellion.
Despite a glut of replacement technologies and concepts, passwords are not going to disappear any time soon, which sounds paradoxical. The simple explanation for this is that passwords are weak but also cheap. Until the world breaks free of this complacent piece of accountancy, we’re stuck with them and have to make the best of it.
Come 2014, 2015 or 2016, don't bet against the two worst passwords still being '123456’ or ‘password’.