Back when I worked as a programmer and sysadmin for a nonprofit, other admins and I would sometimes make new login credentials for members, and often the first password was something like “changeme,” connected to a rule that forced the user to change their password upon sign-in. In fact, I had a large table of common English words and bad passwords that were blocked from becoming passwords in that same ruleset (much to the chagrin of many of our users); the very first one in that table was “password.”
Unsurprisingly, when SplashData did a weighted study of passwords leaked in high-profile hacks in 2012, they discovered that people are still very foolish with their password choices. The top three of the top 25 passwords (unchanged since 2011) are still “password,” “123456,” and “12345678.” Interestingly, people are getting slightly smarter, as “password1” appeared at the bottom of the list; among the newer bad passwords we also see “welcome,” “jesus,” “ninja,” and “mustang.”
“At this time of year, people enjoy focusing on scary costumes, movies and decorations, but those who have been through it can tell you how terrifying it is to have your identity stolen because of a hacked password,” said Morgan Slain, SplashData CEO. “We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”
SplashData explains that it compiled the report from millions of stolen passwords found in the files, database dumps, and user credential leaks posted by hackers during 2012. Many of these came from Anonymous hacks and other random mayhem affecting sites such as Yahoo, LinkedIn, eHarmony, and Last.fm.
Extremely popular websites like these, with millions of users, offer excellent fodder for looking at how people use and choose passwords. And although it seemed for a while that people were slowly moving toward better passwords, too many are still stuck in the dark ages of “password” (or its slightly more sophisticated younger sister, “password1”).
How can people make their passwords a little stronger?
There is a great deal of advice out there about how to make passwords stronger. Adding capital letters, numbers, and odd characters helps, but lengthening the password helps more: each extra character multiplies the search space, whereas a larger character set only enlarges the base. As in all password choices, for most people it is a trade-off between convenience and security; after all, you could have a super-strong password that is 32 characters long and looks like a random string of gobbledygook, but it is nearly impossible to recall.
If people doubled the length of their passwords, even using English words, they would at least reduce the likelihood of ending up with the same password as other people. I have spoken about this before, when the passwords from a LulzSec dump were examined.
The simple step of adding an extra word increases complexity nicely, although truthfully it is important to escape from English words altogether: cracking tools guess whole dictionary words and common digit suffixes, not individual characters, so someone who just uses “password1password” is still in trouble.
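As an added example (not the author's ruleset from the opening paragraph and not SplashData's methodology), the following Python password-policy check combines the blocklist idea from the first paragraph with the length-versus-dictionary-words point made here. The blocklist, the mini dictionary, the assumed 100,000-entry cracking wordlist, and the 40-bit rejection threshold are constructed assumptions for illustration only. The point it demonstrates is why “password1password” is still weak: a cracker guesses whole words, so the dictionary-aware estimate lands far below the naive brute-force figure that character-set-and-length rules would suggest.

```python
import math
import re

# Constructed sample data: a tiny stand-in for the blocklist and dictionary
# described in the post. A real deployment would load a list of the most
# common leaked passwords and a full wordlist instead.
BLOCKLIST = {"password", "123456", "12345678", "password1",
             "welcome", "jesus", "ninja", "mustang", "changeme"}
DICTIONARY = {"password", "welcome", "mustang", "ninja", "jesus",
              "change", "dragon", "monkey", "secret"}

# Assumption: the attacker's wordlist has about 100,000 entries, so guessing
# one whole word costs roughly log2(100000) ~= 16.6 bits, however long it is.
ASSUMED_WORDLIST_SIZE = 100_000
# Assumption: policy threshold (in bits) below which a password is rejected.
MIN_GUESS_BITS = 40.0


def charset_size(pw):
    """Size of the smallest character class union that covers every char in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size


def brute_force_bits(pw):
    """Search space in bits if the attacker knows only the length and charset."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def segment(pw):
    """Greedy longest-match split of pw into dictionary words and leftover chars.

    Matching is case-insensitive, as cracking rules are; tokens keep original case.
    """
    lower = pw.lower()
    tokens, i = [], 0
    while i < len(lower):
        match = None
        for j in range(len(lower), i, -1):
            if lower[i:j] in DICTIONARY:
                match = pw[i:j]
                break
        if match:
            tokens.append(("word", match))
            i += len(match)
        else:
            tokens.append(("char", pw[i]))
            i += 1
    return tokens


def guess_bits(pw):
    """Estimated work for a dictionary-aware attacker.

    Each whole word costs one wordlist lookup; each leftover character is
    charged only its own class (digit, letter, symbol), which models an
    attacker who knows the per-position pattern. The result never exceeds the
    plain brute-force estimate.
    """
    bits = 0.0
    for kind, tok in segment(pw):
        if kind == "word":
            bits += math.log2(ASSUMED_WORDLIST_SIZE)
        else:
            bits += math.log2(charset_size(tok))
    return min(bits, brute_force_bits(pw))


def evaluate(pw):
    """Return a verdict: whether pw is rejected, why, and both estimates."""
    reasons = []
    if pw.lower() in BLOCKLIST:
        reasons.append("on the common-password blocklist")
    words = [tok for kind, tok in segment(pw) if kind == "word"]
    bits = guess_bits(pw)
    if bits < MIN_GUESS_BITS:
        reasons.append(f"only ~{bits:.1f} bits against a dictionary attack "
                       f"(words found: {', '.join(words) or 'none'})")
    return {"password": pw, "rejected": bool(reasons), "reasons": reasons,
            "brute_force_bits": round(brute_force_bits(pw), 1),
            "guess_bits": round(bits, 1)}


if __name__ == "__main__":
    for candidate in ["password", "password1", "password1password",
                      "Dragon-Monkey-Secret-42", "x7#Qv!2pLm9$Rw"]:
        print(evaluate(candidate))
```

Against this policy, “password1password” scores about 88 bits by the naive length-times-charset calculation but only about 36.5 bits once the two dictionary words are charged as single guesses, so it is rejected; a four-token phrase with separators and digits clears the threshold, and a short random string does too. The 40-bit line is a placeholder: choose a real threshold from the hash algorithm and hardware your attackers can bring to bear.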
The second most important thing is to always use different passwords across different websites. Never use the same password at two sites, especially where one site has weaker security than the other: if one site gets hacked and the credentials stolen, the attackers will most likely shop the credentials around and try them elsewhere. People who reuse passwords are wide open to further compromise.