Sunday, February 8, 2009

The Sin of the Simple Password

This is a dialogue I remember very well, and I have actually quoted it on several posts I wrote in Hebrew:

Alright, what are the three most commonly used

Love, secret, and uh, sex. But not in that order, necessarily, right?

Yeah but don't forget God. System operators love to use God. It's that whole male ego

This dialogue is from the movie Hackers, which was released in the mid-90s. You'd think that 10 years later, computer users would be a bit smarter.

Well, they are not. A while ago, What's My Pass published a very interesting post containing some of the most stupid passwords ever, titled Top 500 worst passwords. It shows a list, with a distribution, of idiotic passwords that even a blind mouse could figure out. Not surprisingly, the ultra-smart password 123456 is at the top of the list.

The rest of the list isn't very reassuring, either. It contains gems like qwerty, abc123, xxxxxx and lots more.

A few days ago, Robert Graham presented an analysis of the passwords revealed by the phpBB hack. It's not surprising to discover that the same stupid passwords are there, as well. The top 20 passwords from phpBB were:

3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

The phpBB system doesn't require any minimum password length or complexity from its users. You can use any password you want, which explains the results of the analysis.

In a day and age when we have to remember logins and passwords for dozens of sites, it might be a good idea to choose 2-3 strong passwords that you can remember - and use them. Don't be tempted to use simple, short passwords. They are easily discovered - especially by people who know you.

Here are the basics for choosing a good, strong password:

  • Include both uppercase and lowercase letters.
  • Include both letters and numbers.
  • Include punctuation marks or symbols (#, !, %, ^, etc.).
  • Do not include your login name or username, in any form (as-is, reversed, capitalized, doubled).
  • Do not include your first name, surname or date of birth.
  • Avoid words that can be found in a dictionary.
  • Do not use a password that has been given as an example of a good password.
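As an added example (not part of the original post), here is a Python checker that applies the rules above. It uses the top-20 phpBB list from the post as its "commonly used" blocklist and a small constructed word list in place of a real dictionary; the username, names and date of birth passed to it are made-up values.

```python
import re
import string

# Blocklist built from the top-20 phpBB passwords quoted in the post.
COMMON_PASSWORDS = {
    "123456", "password", "phpbb", "qwerty", "12345", "12345678", "letmein",
    "1234", "test", "123", "trustno1", "dragon", "abc123", "123456789",
    "111111", "hello", "monkey", "master", "killer", "123123",
}
# Constructed stand-in for a real wordlist (e.g. /usr/share/dict/words).
DICTIONARY = {"secret", "love", "sex", "god", "summer", "welcome", "dragon"}
SYMBOLS = set(string.punctuation)


def personal_variants(word):
    """Forms of a name the post forbids: as-is, reversed, doubled.
    Everything is compared lowercased, which also covers 'capitalized'."""
    w = word.lower()
    return {w, w[::-1], w * 2} if w else set()


def check_password(password, username="", first_name="", surname="", dob=""):
    """Return the list of rules the password breaks; [] means it passes.
    dob is free-form text such as '1981-05-23'; its year (any digit run of
    four or more) and its full digit string are what get checked."""
    problems = []
    lowered = password.lower()
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both uppercase and lowercase letters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and numbers")
    if not any(c in SYMBOLS for c in password):
        problems.append("needs a punctuation mark or symbol")
    for label, value in (("username", username), ("first name", first_name),
                         ("surname", surname)):
        if any(v in lowered for v in personal_variants(value)):
            problems.append(f"contains {label}")
    dob_parts = [p for p in re.findall(r"\d+", dob) if len(p) >= 4]
    dob_parts.append(re.sub(r"\D", "", dob))
    if any(p and p in password for p in dob_parts):
        problems.append("contains date of birth")
    # Any alphabetic run that is itself a dictionary word fails the check.
    if any(run in DICTIONARY for run in re.findall(r"[a-z]+", lowered)):
        problems.append("contains a dictionary word")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems
```

Calling `check_password("evaD2009!", username="dave")` reports only "contains username", since the reversed login name is embedded in it.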

