Here we go again … passwords marked never to be used, still in the top ten

Our previous post by Joseph Williams, titled ‘Bad passwords or just bad advice?’, discussed the poor password habits of an online-savvy society, arguing that “the past few decades [of password advice] hasn’t quite sunk in” (Williams, 2016). In light of the leak of a Yahoo database, most likely tied to the huge data hack in recent headlines, researchers have once again looked at the most popular passwords uncovered.

Insecure passwords such as “123456”, “password”, “abc123”, “welcome” and “qwerty” were among the top ten exposed (Wang et al., 2016). Alongside these classic passwords, other users relied on simple combinations of easily identifiable information (e.g. name, age and birthday). In general, users make their passwords easy to remember and simple for convenience, which brings us back to the argument of convenience vs security.

Good practice is to use a different, strong password for each online account, reducing the likelihood that all of your accounts can be compromised at once. We know, however, that users still use a single password, or a minor variation of one password, for a number of accounts. This makes the task for an attacker much simpler.

Researchers at Lancaster University and universities in China have analysed the leaked database, using algorithms to guess the passwords of accounts from personal information that is accessible to attackers. In some cases the guessing achieved “success rates as high as 73%”, and even passwords that users had made a little more security-wise were recovered at a rate of “32%”. Furthermore, one third of the passwords were cracked within “100 guesses” (Wang et al., 2016).

Passwords do not have to be complex. As Williams (2016) discussed, the advice provided on safe and secure passwords can be less than beneficial. Yet it does not have to be hard … password managers can make passwords not only easier to remember but also convenient to use. These managers can auto-generate lengthy, secure passwords for the user and store them in an encrypted file on the user’s local machine. Some managers are portable, making access to your passwords even easier. As a user, you are required to remember one master password (yes, just one … what a novelty!) and possibly to keep a key file that is needed to unlock the database.

Password managers can therefore remove the need to remember all those online passwords, or to create new ones from something you are likely to remember (usually the very information that is easily guessed). But what if you do not want to use a password manager, yet still want to use secure passwords? Here are our top tips on what not to do:

  • use names (e.g. your name, family names, those of friends or even your pets)
  • use letter or number patterns (e.g. the most common, 123456 and abc123)
  • use birthdays, birth years, addresses or postcodes
  • use any other personally identifiable information
  • use any answers to security questions in your passwords (e.g. any of the above)
  • use fewer than 10 characters
  • store them unencrypted anywhere
  • write them on easy-to-lose pieces of paper.
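The first six items in that list can be enforced automatically at registration or password-change time, which is how a site stops a “Fluffy1990!” before it ever reaches the database. The following checker is an added example written for this post, not code from the original article or from the cited research. It assumes the site already holds a small profile of the user’s own details (name, pets, birthday, postcode, security answers) in a dictionary, and it uses a constructed five-entry blocklist where a real deployment would load a breach-derived list of millions. The generator at the end mimics what a password manager does: draw random characters from a CSPRNG and keep only a candidate that passes the same rules.

```python
import re
import secrets
import string

# Constructed subset of the top-ten passwords named in the post. A real deployment
# would load a far larger breach-derived blocklist; this is illustrative only.
COMMON_PASSWORDS = {"123456", "password", "abc123", "welcome", "qwerty"}

# Sequences whose 4+ character substrings count as "letter or number patterns":
# counting runs, alphabet runs and the three keyboard rows.
PATTERN_SOURCES = (string.digits, string.ascii_lowercase,
                   "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 10


def _has_sequential_run(pw: str, length: int = 4) -> bool:
    """True if pw contains a forward or reversed run of `length` chars from any source."""
    for source in PATTERN_SOURCES:
        for seq in (source, source[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in pw:
                    return True
    return False


def _pii_tokens(value: str) -> set:
    """Split a profile value into comparable tokens: each alphanumeric word of 3+
    chars, plus the whole value with separators stripped, so '1990-04-12' yields
    {'1990', '19900412'} and 'CT1 1QU' yields {'ct1', '1qu', 'ct11qu'}."""
    value = value.lower()
    tokens = {t for t in re.split(r"[^a-z0-9]+", value) if len(t) >= 3}
    stripped = re.sub(r"[^a-z0-9]", "", value)
    if len(stripped) >= 3:
        tokens.add(stripped)
    return tokens


def check_password(password: str, profile: dict) -> list:
    """Return the list of 'what not to do' rules a candidate password breaks.

    `profile` is an assumed dict of the user's own details (e.g. name, family,
    pets, birthday, postcode, security_answers); each value may be a string or a
    list of strings. An empty result means no rule was triggered.
    """
    pw = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"fewer than {MIN_LENGTH} characters")
    if pw in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if _has_sequential_run(pw):
        reasons.append("contains a sequential or keyboard-walk pattern")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("contains a run of four or more repeated characters")
    for field, values in profile.items():
        if isinstance(values, str):
            values = [values]
        if any(tok in pw for v in values for tok in _pii_tokens(v)):
            reasons.append(f"contains personal information ({field})")
    return reasons


def generate_password(length: int = 20, profile: dict = None) -> str:
    """Manager-style generator: CSPRNG characters, re-drawn until the candidate
    passes check_password (random output can still contain e.g. '1234')."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, profile or {}):
            return candidate


if __name__ == "__main__":
    # Constructed sample profile and candidate passwords.
    user = {"name": "Jane Doe", "pets": ["Fluffy"],
            "birthday": "1990-04-12", "postcode": "CT1 1QU"}
    for candidate in ("123456", "Fluffy1990!", "JaneDoe2016",
                      "Purple-Tangerine-42", generate_password(profile=user)):
        print(f"{candidate!r}: {check_password(candidate, user) or 'ok'}")
```

This is a deny-list check, not a strength meter: a password that passes every rule is merely not obviously bad. The profile comparison is the part that addresses the Wang et al. finding, because it rejects exactly the personal details a targeted guesser would try first, and it does so without the site ever needing to store the candidate password in the clear beyond the moment of the check.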

How many of you are guilty of using one of the top ten passwords, or of using personally identifiable information?

Will we ever learn to use more secure passwords, and how long will it take us?


References

Wang, D., Zhang, Z., Wang, P., Yan, J. and Huang, X. (2016) ‘Targeted Online Password Guessing: An Underestimated Threat’, in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16). ACM Press, pp. 1242–1254. doi:10.1145/2976749.2978339.

Williams, J. (2016) ‘Bad passwords or just bad advice?’, Computing@CCCU, 20 January. Available at: https://computingcccu.wordpress.com/2016/01/20/bad-passwords-or-just-bad-advice/ (Accessed: 07 November 2016).
