SplashData's list is as follows:
| Rank | Password | Change from 2012 |
|---|---|---|
| 1 | 123456 | Up 1 |
| 2 | password | Down 1 |
| 3 | 12345678 | Unchanged |
| 4 | qwerty | Up 1 |
| 5 | abc123 | Down 1 |
| 6 | 123456789 | New |
| 7 | 111111 | Up 2 |
| 8 | 1234567 | Up 5 |
| 9 | iloveyou | Up 2 |
| 10 | adobe123 | New |
| 11 | 123123 | Up 5 |
| 12 | admin | New |
| 13 | 1234567890 | New |
| 14 | letmein | Down 7 |
| 15 | photoshop | New |
| 16 | 1234 | New |
| 17 | monkey | Down 11 |
| 18 | shadow | Unchanged |
| 19 | sunshine | Down 5 |
| 20 | 12345 | New |
| 21 | password1 | Up 4 |
| 22 | princess | New |
| 23 | azerty | New |
| 24 | trustno1 | Down 12 |
| 25 | 000000 | New |
The media has a habit of picking up the wrong point: they look at a password of "123456" and ask how anyone can be so stupid as to use it. But my somewhat NSFW response is: what the fuck does it matter?
Almost everything these days requires registration, for which you need to supply an email address and password, and often for trivial things. One of the reasons that such passwords featured so highly in the Gawker breach was that, to the vast majority of users, it matters not one jot if someone hacks into their account. The same is true for a lot of Adobe users: in most cases the accounts are of absolutely no value to an attacker, so it really doesn't matter whether you have adobe123 as a password or not.
So the media (or at least some of it) says that you should choose a secure password such as fJ4C62GY0I8C15D, but their advice is misleading, because the real problem is password re-use and not the strength of the password per se.
Despite the obvious security problems in doing so, many sites store passwords in plain text or in an insufficiently protected form. In these cases it doesn't matter how secure your password is, because the attackers will simply be able to read it. Even where the password is hashed or encrypted, given enough time and/or rainbow tables the password can often be recovered, even if it is a complex one.
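As an added illustration of the storage point (this is not code from the original post): a lookup table built from the list above recovers an unsalted, fast hash instantly, while a per-user salt and a slow key derivation function defeat the same table. The KDF choice (PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte salt) is an illustrative assumption, not a recommendation from the post.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed "attacker wordlist": the top of the SplashData list above.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "123456789", "111111", "1234567", "iloveyou", "adobe123"]

def weak_store(password: str) -> str:
    """Insecure storage: one unsalted, fast hash. Every user who picks the same
    password gets the same digest, so a single precomputed table covers them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def precompute_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Digest -> password map; the idea behind a rainbow/lookup table."""
    return {weak_store(p): p for p in wordlist}

def recover_from_weak(table: Dict[str, str], stored_digest: str) -> Optional[str]:
    """Recovering a weakly stored password is a single dictionary lookup."""
    return table.get(stored_digest)

def strong_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Sound storage: per-user random salt plus a deliberately slow KDF.
    Assumption: PBKDF2-HMAC-SHA256 at 200,000 iterations, chosen for illustration."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    _, candidate = strong_store(password, salt)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    table = precompute_table(COMMON_PASSWORDS)
    # Constructed leaked rows for one user whose password is adobe123.
    weak_row = weak_store("adobe123")
    salt, strong_row = strong_store("adobe123")
    return {
        # Unsalted SHA-1: the table hands back the password immediately.
        "weak_recovered": recover_from_weak(table, weak_row),
        # Salted KDF: the row depends on the salt, so no precomputed table matches,
        # and each guess now costs 200,000 iterations instead of one hash.
        "strong_in_table": recover_from_weak(table, strong_row.hex()),
        # Two users with the same password no longer share a row.
        "same_password_same_row": strong_store("adobe123")[1] == strong_row,
    }

if __name__ == "__main__":
    print(demo())
```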
And if you have re-used that email address and password on other sites... well, you're buggered, basically.
In an ideal world you would have a properly secure password for each site and would remember it in your head. But of course that's practically impossible, so one option is to use a password manager (SplashData themselves make one) to remember them all for you. There are several different password managers available, but of course there is always the possibility that one of these tools might get hacked itself, which could be catastrophic for its users.
If you don't want to use a password manager, then you'll have to do it the old-fashioned way and either remember your passwords or store them in some other manner. You should always have a secure and unique password for your web mail, banking/finance, work and major shopping sites. But for all the cruft that you have to register for, there's probably little harm in using a password that is easy to remember. Does it matter if the password I use for ranting at the BBC is abc123? Perhaps it doesn't.
But perhaps one problem is that there are simply too many occasions on which you have to create an account in the first place. Sometimes it is nice to come across a retailer (for example) that will allow you to order stuff without creating a damned account. Something that seems to go against the grain, but it does mean that there's one less password to worry about.
Great post. I wrote something along those lines following the Adobe breach. I'd say that at least 90% of password security should be dealt with on the 'server' side. And 90% of the media stories about password security are about users choosing weak passwords.