Your password is easy to crack
We all know
cyber-gangs are out there attacking websites, hoping to raid our bank accounts.
Yet a new report says our most common password is still 123456. Is it laziness
that makes us so careless or something else?
Modern life demands of us a seemingly
endless series of trivial choices, not the least of which is the requirement to
make up a password for your hundred-and-somethingth web account. Who can be
bothered to create and memorise yet another twisty bolus of alphanumeric
gibberish? Not many of us, it seems. According to a new report by Splashdata, the
most common password in 2013 was "123456", closely followed by that
faithful old standby, "password", which it is somehow charming to see
still so popularly deployed. Is this sheer laziness, a lack of security
education, or something else?
Some of the other popular
passwords on Splashdata's list (mined mainly from a huge leak of Adobe
customers' details) do begin to paint an intriguing portrait of the collective
digital id. Isn't it heartwarming to see "iloveyou" at No 9? (Unless
people are typing it to themselves, which would imply that extensive use of the
internet
really does turn you into a frothing narcissist.) At No 14 is
"letmein", which one can't help hearing as containing an implied
"goddammit" at the end. (It also reminds us that a
"password" was originally spoken to gain admission to secure parts of
a palace or military installation.) Somewhat surprisingly, No 17 is
"monkey", whether out of general admiration for our simian cousins or
a hitherto unsuspected upsurge in popularity of the seminal 1970s kung-fu show
it is hard to tell.
At 24 on the list, presumably
contributed by a lot of The X-Files fans, is "trustno1". But this
seems a bit contradictory. If you really were a paranoid sci-fi enthusiast who
believed that the government was run by aliens, wouldn't you choose a stronger
password? On the other hand, if it is government snooping in particular that
you care about, you will suspect that passwords are irrelevant, since we now
know the NSA and GCHQ can hack into just
about anything.
But spies aren't the only ones
looking; there are also cyber-gangs mounting sophisticated attacks on websites
in order to hoover up ID details, credit-card information, and so on. Why make
it easy for them? Tom Stafford, lecturer in psychology and
cognitive science at the University of Sheffield, says: "Most people seem
to believe there is little risk in having weak passwords – most of us seem to
rely on 'security by obscurity'. Obviously this isn't a wise choice as more and
more of our lives are online."
It has long been known, moreover,
that even when people are encouraged to choose a password stronger than
"123456" or "admin", they tend to fall into predictable
patterns. According to a 2006 study by Shannon Riley of
the psychology of password generation, "users typically use birthdates,
anniversary dates, telephone numbers, licence plate numbers, social security
numbers, street addresses, apartment numbers, etc. Likewise, personally
meaningful words are typically derived from predictable areas and interests in
the person's life and could be guessed through basic knowledge of his or her
interests." Hence all the TV detectives who guess brilliantly that the
suspect's laptop password is the name of her dog.
We should hesitate to interpret
these findings as showing that ordinary internet users are just stupid,
however. The firm that compiled this list, Splashdata, sells
password-management software, so it is understandable that the lesson it
derives from its findings is that people should choose stronger passwords,
perhaps with the benign help of its own products. So why don't they?
One reason might be that, since
we all think that some of our accounts (for example, banking, Facebook) are
more important than others (a Tumblr that sends you a picture of a kitten every
morning), we believe it doesn't matter if we use weak passwords for the latter.
But this is risky since it means those services become a big target for
hackers, as Adobe's did. Indeed, the rise
of two-factor authentication – where you need both a password and a unique code
generated by your smartphone to log in – is beginning to ease the password problem
for services people really care about, such as email or Dropbox. So it is those
"disposable" accounts that are really the dangerous ones. This is all
the more galling when one considers that, according to a 2010 study by Joseph Bonneau and Sören
Preibusch, many websites use passwords "primarily for
psychological reasons, both as a justification for collecting marketing data,
and as a way to build trusted relationships with customers" – in other
words, the password demand is a commercially motivated placebo to begin with.
The second reason people might be
driven to choose such weak passwords when they can get away with it is because
technology's way of attempting to save us from ourselves is so irritating. You
know the drill on some websites: your password must be between eight and 12
characters long, and contain a mixture of upper-case and lower-case letters, as
well as numbers, punctuation marks, currency symbols, sad-faced emoji and the
Chinese characters for "For heaven's sake, will this do?". It is
unlikely you will remember one of those, let alone dozens.
Stafford says: "For me,
passwords are a great example of how technology asks us to be more like
computers rather than computers learning to be more like us. Recommended
passwords are strings of arbitrary letters, numbers and strings – exactly the
thing it is easy for computers to store, and difficult for humans. It's the reverse
of the early dreams of artificial intelligence, asking our intelligence to be
more like the artificial."
As it happens, it is also simply
bad security. In point of mathematical fact, a picturesque phrase such as
"lemon Beyoncé anvil cake" is far more difficult to crack than
"j&!Wo078:(((", because every extra character of password length
expands the combinatorial possibilities in dizzying fashion. This is well known
to fans of the web-comic XKCD, which has explained why a brute-force
attempt to hack the password "correct horse battery staple" would
take a fast computer 550 years. (The geek joke is that, since that cartoon
appeared, everyone's password is now "correct horse battery staple".)
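A small calculator, added here as an illustration and not part of the original article, that puts numbers on the combinatorial argument above: it scores the two quoted passwords under a character-by-character brute-force model and reproduces the XKCD figure under a word-list model. The alphabet sizes, the 2048-word dictionary and the guess rates are assumptions.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SYMBOLS = string.punctuation + " "   # 33 printable ASCII symbols, space included
LATIN1_EXTRA = 96                    # printable Latin-1 supplement (U+00A0..U+00FF)


def charset_size(password: str) -> int:
    """Smallest standard alphabet a brute-forcer must enumerate to reach every
    character in `password`. Assumption: the attacker includes exactly the
    classes present, and a non-ASCII letter (the 'é') adds the printable
    Latin-1 supplement. This is a lower bound on the real search space."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (SYMBOLS, len(SYMBOLS)),
    ]
    size = sum(n for alphabet, n in classes if any(c in alphabet for c in password))
    if any(ord(c) > 127 for c in password):
        size += LATIN1_EXTRA
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the character-level space N**L: every extra character multiplies
    the space by N, which is the article's point about length."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(n_words: int, dictionary_size: int) -> float:
    """Word-level model: the attacker knows the passphrase is n_words drawn
    from a list of dictionary_size words (XKCD assumes 4 words from 2^11)."""
    return n_words * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Time to enumerate the whole space; success is expected around halfway."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["j&!Wo078:(((", "lemon Beyoncé anvil cake"]:
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {len(pw)} chars over {charset_size(pw)} symbols -> "
              f"{bits:.1f} bits, {years_to_crack(bits, 1e10):.3g} years at 1e10 guesses/s")
    # The XKCD figure: four words from a 2048-word list at 1000 guesses per second.
    bits = dictionary_bits(4, 2048)
    print(f"4-word passphrase: {bits:.0f} bits -> {years_to_crack(bits, 1000):.0f} years at 1000 guesses/s")
```

The offline rate of 1e10 guesses per second is a constructed figure for a fast cracking rig; the 1000 guesses per second is the throttled online rate the XKCD estimate is based on.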
The wholesale replacement of text
passwords by reliable biometrics (such as fingerprint scanners) is one of those
technological promises that has been around for decades and still has not come
to fruition, despite the fingerprint sensor on the new iPhone. In the meantime,
I like to think of the millions of people choosing "password" for
their password as a kind of silent dissident movement, a virtual groundswell of
sardonic protest at the manifold laborious annoyances of digital existence.
If you doubt that a simple
password can be sarcastic, consider number 25 on the most-popular list,
"000000", which has a curious historical analogue. In the late 1970s,
according to Eric Schlosser's recent book about nuclear security, Command and Control, it was
decided that the US air force's Minuteman nuclear missiles should all be fitted
with a device requiring a code to be entered before they could be launched. In
what Schlosser calls an "act of defiance" against prissy safety
concerns, the USAF set the password to "00000000" everywhere. I don't
know about you, but that puts the possibility of my Twitter account being
hacked into some sort of perspective.