Sunday, December 28, 2008

Bad Passwords

Simple Security Tip: Don't Use A Bad Password

The last several weeks I've been trying to persuade you readers to improve your computing experience by switching to Linux. You may not be ready, and I understand. But here's something you can do in minutes to improve your computer security: change your password.

You recall last fall when Sarah Palin's personal email got hacked. I'm not sticking up for the folks who did that, though I will note that she was using the personal account in a deliberate effort to keep state business off the record. But from a techie standpoint, one of the reasons it worked was that she used a bad password--a seven-letter dictionary word ("popcorn").

Dictionary words, given names and consecutive keys are way too common, and not too hard for 733+ H4X0R$ to figure out. What's loosely called the "brute force" method of breaking and entering is really a dictionary attack: a program runs through a file of words and common combinations, trying each one as the password.

What's My Pass? has compiled a list of the 500 most common, worst passwords. "Approximately one out of every nine people uses at least one password on the list, and one out of every 50 people uses one of the top 20 worst passwords."

It's an interesting Rorschach test: What do these micro-choices, compiled, say about a society? We tend to advertise our loyalties with desktop totems and with bumper stickers or even with tattoos, and unfortunately we tend to think of those loyalties when staring at a password prompt for the first time. What's the first thing people think of? What do you value in six to eight characters?

The number one password is "123456," one of five consecutive character combinations in the top ten. Is that laziness, lack of creativity?

The only non-consecutive number combo in the top 10 is "696969." Sexual and profane words abound all over the top 500. Interestingly, the sexual vocabulary is used far more than the excretory vocabulary.

Speaking of number two, the second most used password is, and I kid you not, "password." My guess is that this, and stuff like "computer," "letmein," or the pathetic "helpme," comes from technophobes forced into computer use at work.

For the materialists among us, makes of cars are common, with "mustang" topping the list at number 10. There are more individual given names than models of cars, so you can't tell how many people rank their cars ahead of people. And is that given name a spouse, child, or pet? (I see one of my cats and an ex-girlfriend here...)

Sports teams are big, too, and the interesting thing here is which teams rank highest. This could indicate either relative popularity, or relative stupidity of the fans. This is harder to figure out than you think. Is "dallas" the result of IT making you change it from "cowboys?" Does "magic" indicate an Orlando fan or a Harry Potter fan? And I'll be Amero-centric and assume that "united" is just a word and not a reference to Manchester United.

With those caveats, here are the top, unquestionable, All-American sports team nicknames as passwords:

  • yankees
  • tigers
  • cowboys
  • eagles
  • steelers
  • gators
  • flyers
  • braves
  • rangers
  • lakers

And yes, "packers" is in the top 500.

As for sports themselves, there are four in the top 100. Baseball, surprisingly, outranks football, with soccer ahead of hockey. Basketball must just be too many letters to type. NASCAR falls just short of the top 100, but of course is not a sport.

Even self-identifying geeks aren't hard to figure out, with the Enterprise's ncc1701 on the list. Comic book fans: Batman outranks superman.

You don't have to go with a 25-character alphanumeric password like a Microsoft install key. But your password is the wrong place to wear your loyalties on your sleeve.