


          

Your password is easy to crack

We all know cyber-gangs are out there attacking websites, hoping to raid our bank accounts. Yet a new report says our most common password is still "123456". Is it laziness that makes us so careless or something else?

Steven Poole, The Guardian, Wednesday 22 January 2014 18.43 GMT

Why do we still use such weak passwords? Photograph: Zmeel Photography/Getty Images

Modern life demands of us a seemingly endless series of trivial choices, not the least of which is the requirement to make up a password for your hundred-and-somethingth web account. Who can be bothered to create and memorize yet another twisty bolus of alphanumeric gibberish? Not many of us, it seems. According to a new report by Splashdata, the most common password in 2013 was "123456", closely followed by that faithful old standby, "password", which it is somehow charming to see still so popularly deployed. Is this sheer laziness, a lack of security education, or something else?

Some of the other popular passwords on Splashdata's list (mined mainly from a huge leak of Adobe customers' details) do begin to paint an intriguing portrait of the collective digital id. Isn't it heartwarming to see "iloveyou" at No 9? (Unless people are typing it to themselves, which would imply that extensive use of the internet really does turn you into a frothing narcissist.) At No 14 is "letmein", which one can't help hearing as containing an implied "goddammit" at the end. (It also reminds us that a password was originally spoken to gain admission to secure parts of a palace or military installation.) Somewhat surprisingly, No 17 is "monkey", whether out of general admiration for our simian cousins or a hitherto unsuspected upsurge in popularity of the seminal 1970s kung-fu show it is hard to tell. At 24 on the list, presumably contributed by a lot of The X-Files fans, is "trustno1". But this seems a bit contradictory.
If you really were a paranoid sci-fi enthusiast who believed that the government was run by aliens, wouldn't you choose a stronger password? On the other hand, if it is government snooping in particular that you care about, you will suspect that passwords are irrelevant, since we now know the NSA and GCHQ can hack into just about anything. But spies aren't the only ones looking; there are also cyber-gangs mounting sophisticated attacks on websites in order to hoover up ID details, credit-card information, and so on. Why make it easy for them?

Tom Stafford, lecturer in psychology and cognitive science at the University of Sheffield, says: Most people seem to believe there is little risk in having weak passwords – most of us seem to rely on security by obscurity. Obviously this isn't a wise choice as more and more of our lives are online.

It has long been known, moreover, that even when people are encouraged to choose a password stronger than "123456" or "admin", they tend to fall into predictable patterns. According to a 2006 study by Shannon Riley of the psychology of password generation, users typically use birthdates, anniversary dates, telephone numbers, licence plate numbers, social security numbers, street addresses, apartment numbers, etc. Likewise, personally meaningful words are typically derived from predictable areas and interests in the person's life and could be guessed through basic knowledge of his or her interests. Hence all the TV detectives who guess brilliantly that the suspect's laptop password is the name of her dog.

We should hesitate to interpret these findings as showing that ordinary internet users are just stupid, however. The firm that compiled this list, Splashdata, sells password-management software, so it is understandable that the lesson it derives from its findings is that people should choose stronger passwords, perhaps with the benign help of its own products. So why don't they?
One reason might be that, since we all think that some of our accounts (for example, banking, Facebook) are more important than others (a Tumblr that sends you a picture of a kitten every morning), we believe it doesn't matter if we use weak passwords for the latter. But this is risky since it means those services become a big target for hackers, as Adobe's did. Indeed, the rise of two-factor authentication – where you need both a password and a unique code generated by your smartphone to log in – is beginning to ease the password problem for services people really care about, such as email or Dropbox. So it is those disposable accounts that are really the dangerous ones.

This is all the more galling when one considers that, according to a 2010 study by Joseph Bonneau and Sören Preibusch, many websites use passwords primarily for psychological reasons, both as a justification for collecting marketing data, and as a way to build trusted relationships with customers – in other words, the password demand is a commercially motivated placebo to begin with.

The second reason people might be driven to choose such weak passwords when they can get away with it is because technology's way of attempting to save us from ourselves is so irritating. You know the drill on some websites: your password must be between eight and 12 characters long, and contain a mixture of upper-case and lower-case letters, as well as numbers, punctuation marks, currency symbols, sad-faced emoji and the Chinese characters for "For heaven's sake, will this do?". It is unlikely you will remember one of those, let alone dozens.

Stafford says: For me, passwords are a great example of how technology asks us to be more like computers rather than computers learning to be more like us. Recommended passwords are strings of arbitrary letters, numbers and strings – exactly the thing it is easy for computers to store, and difficult for humans.
It's the reserve of the early dreams of artificial intelligence, asking our intelligence to be more like the artificial.

As it happens, it is also simply bad security. In point of mathematical fact, a picturesque phrase such as "lemon Beyoncé anvil cake" is far more difficult to crack than "j&!Wo078:(((", because every extra character of password length expands the combinatorial possibilities in dizzying fashion. This is well known to fans of the web-comic XKCD, which has explained why a brute-force attempt to hack the password "correct horse battery staple" would take a fast computer 550 years. (The geek joke is that, since that cartoon appeared, everyone's password is now "correct horse battery staple".)

The wholesale replacement of text passwords by reliable biometrics (such as fingerprint scanners) is one of those technological promises that has been around for decades and still has not come to fruition, despite the fingerprint sensor on the new iPhone. In the meantime, I like to think of the millions of people choosing "password" for their password as a kind of silent dissident movement, a virtual groundswell of sardonic protest at the manifold laborious annoyances of digital existence.

If you doubt that a simple password can be sarcastic, consider number 25 on the most-popular list, "000000", which has a curious historical analogue. In the late 1970s, according to Eric Schlosser's recent book about nuclear security, Command and Control, it was decided that the US air force's Minuteman nuclear missiles should all be fitted with a device requiring a code to be entered before they could be launched. In what Schlosser calls an act of defiance against prissy safety concerns, the USAF set the password to "00000000" everywhere. I don't know about you, but that puts the possibility of my Twitter account being hacked into some sort of perspective.
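
The length argument above, worked through as an added example (not part of the Guardian article): it compares the brute-force search space of the two passwords the article contrasts and scores the popular passwords it names as zero. The 2,048-word list and 1,000 guesses per second are the figures the XKCD comic uses for its 550-year estimate; `NON_ASCII_POOL` and all function names are assumptions of this example.

```python
import math
import string

# Popular passwords named in the article (from Splashdata's 2013 list).
COMMON = {"123456", "password", "iloveyou", "letmein", "monkey", "trustno1", "000000"}

# Character classes a brute-force search would have to cover.
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
]
NON_ASCII_POOL = 100  # assumption: rough pool size for accented/other characters


def charset_size(pw):
    """Size of the alphabet implied by the character classes present in pw."""
    size = sum(len(chars) for chars in CLASSES if any(c in chars for c in pw))
    if any(ord(c) > 127 for c in pw):
        size += NON_ASCII_POOL
    return size


def brute_force_bits(pw):
    """log2 of the brute-force search space, charset_size ** length."""
    if pw.lower() in COMMON:
        return 0.0  # a dictionary attack tries these before any brute force
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(words, list_size=2048):
    """Strength of a random-word passphrase when the attacker knows the list."""
    return words * math.log2(list_size)


def years_to_search(bits, guesses_per_second=1000):
    """Years needed to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["j&!Wo078:(((", "lemon Beyonc\u00e9 anvil cake", "trustno1"]:
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits")
    bits = wordlist_bits(4)
    print(f"4 random words: {bits:.0f} bits, {years_to_search(bits):.0f} years")
```

The character-class figure is an upper bound that assumes randomly chosen characters; for a passphrase, the word-list figure is the safer estimate.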
theguardian/technology/2014/jan/22/your-password-is-easy-to-crack?guni=Network%20front:network-front%20main-5%20on%20the%20guardian:Network%20front%20-%20all-purpose%20editable%20trailblock:Position3
Posted on: Thu, 23 Jan 2014 11:44:40 +0000
