Wednesday, July 20, 2011
Password hell
Today's Independent carries an interesting article on passwords, including a list of the most common. The top choice it seems is 'password', which is startlingly predictable.
They say that passwords have never been that secure. Despite this we have persisted with them to secure our finances and our personal details, often using recognisable words that are convenient, easy to remember and, which we believe to be impossible to guess:
But we're spectacularly unimaginative in our choice of passwords, and despite constant reminders that this represents a security risk, we blithely carry on using them, reassuring ourselves that we haven't been scammed thus far. But that's a bit like wandering blindfolded around busy town centres and saying: "Well, I haven't been hit by a car yet." But passwords will persist, not least because we're hugely resistant to anything more complex.
"They're the least worst in a series of bad options," as one security consultant recently pronounced. Remember our annoyance when British banks started issuing devices such as Barclays' PINsentry to implement a new level of security? We hated the inconvenience, despite them significantly reducing levels of bank-account fraud. We value convenience over security, right up until the point where that security is breached. So Arsenal fans persist in using "arsenal" as a password and deeply resent having to change it, despite the fact that it's one of the most easily guessable passwords they could possibly choose. (Liverpool supporters are just as bad, incidentally.)
Whenever the news features security breaches, from celebrity Twitter accounts to personal data leaks, weak passwords are often to blame. Our laziness in this regard is revealed in statistics that would be hilarious, if the implications weren't so serious. According to data gathered by Mark Burnett, author of the book Perfect Password, 98.8 per cent of us share the same 10,000 passwords. Many online security systems are built to withstand repeated incorrect guesses, but if they aren't, a computer could quickly zip through 10,000 attempts and gain access within a very short space of time.
Nearly one in six people will look at the list below of the top 10 passwords and passcodes and recognise theirs instantly; it seems incredible that "password" is still the most popular password – but it is, with 123456 trailing close behind. "5683" might seem at first glance to be a pretty random passcode or PIN – but it spells out "LOVE" on the keypad, and that's as much of a gift to hackers as the ridiculously common password "iloveyou". These kind of careless, forehead-slapping mistakes are widespread within companies, too.
They say that there are three ways a password can be compromised:
The first is simply to ask us what it is. Social-engineering techniques can persuade us to give it up very easily – for example, via a rogue email purporting to be from a bank. The second is to have a guess, and as we've seen, 10,000 guesses will hit paydirt 98 per cent of the time. The last is brute-force cracking, where all the potential combinations are laboriously worked through until the right one is chanced upon – and that's where the length of password becomes crucial. Pop along to the website howsecureismypassword.net, tap in an eight-character password, and it'll tell you that a desktop PC can guess it in a matter of hours. But extend that to a 12-character password, and we're talking several centuries.
I am relieved that when I put my current Assembly password into this website it said that it would take about 495 years for a desktop PC to crack it. That is not a challenge by the way and in any case I have just changed it.
They say that passwords have never been that secure. Despite this we have persisted with them to secure our finances and our personal details, often using recognisable words that are convenient, easy to remember and, which we believe to be impossible to guess:
But we're spectacularly unimaginative in our choice of passwords, and despite constant reminders that this represents a security risk, we blithely carry on using them, reassuring ourselves that we haven't been scammed thus far. But that's a bit like wandering blindfolded around busy town centres and saying: "Well, I haven't been hit by a car yet." But passwords will persist, not least because we're hugely resistant to anything more complex.
"They're the least worst in a series of bad options," as one security consultant recently pronounced. Remember our annoyance when British banks started issuing devices such as Barclays' PINsentry to implement a new level of security? We hated the inconvenience, despite them significantly reducing levels of bank-account fraud. We value convenience over security, right up until the point where that security is breached. So Arsenal fans persist in using "arsenal" as a password and deeply resent having to change it, despite the fact that it's one of the most easily guessable passwords they could possibly choose. (Liverpool supporters are just as bad, incidentally.)
Whenever the news features security breaches, from celebrity Twitter accounts to personal data leaks, weak passwords are often to blame. Our laziness in this regard is revealed in statistics that would be hilarious, if the implications weren't so serious. According to data gathered by Mark Burnett, author of the book Perfect Password, 98.8 per cent of us share the same 10,000 passwords. Many online security systems are built to withstand repeated incorrect guesses, but if they aren't, a computer could quickly zip through 10,000 attempts and gain access within a very short space of time.
Nearly one in six people will look at the list below of the top 10 passwords and passcodes and recognise theirs instantly; it seems incredible that "password" is still the most popular password – but it is, with 123456 trailing close behind. "5683" might seem at first glance to be a pretty random passcode or PIN – but it spells out "LOVE" on the keypad, and that's as much of a gift to hackers as the ridiculously common password "iloveyou". These kind of careless, forehead-slapping mistakes are widespread within companies, too.
They say that there are three ways a password can be compromised:
The first is simply to ask us what it is. Social-engineering techniques can persuade us to give it up very easily – for example, via a rogue email purporting to be from a bank. The second is to have a guess, and as we've seen, 10,000 guesses will hit paydirt 98 per cent of the time. The last is brute-force cracking, where all the potential combinations are laboriously worked through until the right one is chanced upon – and that's where the length of password becomes crucial. Pop along to the website howsecureismypassword.net, tap in an eight-character password, and it'll tell you that a desktop PC can guess it in a matter of hours. But extend that to a 12-character password, and we're talking several centuries.
I am relieved that when I put my current Assembly password into this website it said that it would take about 495 years for a desktop PC to crack it. That is not a challenge by the way and in any case I have just changed it.