Monday, 18 November 2013

56. How strong are your online passwords?


You may have read that the online systems of the major software company Adobe were hacked recently.

The hackers got away with the account details of 38 million Adobe users, and that’s an awful lot of passwords. Or is it?

Well, no, the actual number of passwords seems to be disappointingly small, because so many people were using the same easily-guessable passwords.

When the stolen data began appearing on hacker websites, a security researcher named Jeremi Gosney analysed it to see what he could learn about users’ password choices. The top choice, picked by almost two million Adobe users, is '123456’. And amazingly, the third most popular choice was the word ‘password’. The list also includes such gems as 'qwerty’, ‘000000’ and ‘iloveyou’. A notable feature of this Top 20 list is that not one of these passwords includes a capital letter or a symbol. In fact, the entire Top 100 passwords contains not a single uppercase letter or symbol.

The research revealed another interesting fact. Adobe allowed its users to set a so-called ‘password hint’ – a clue to the password – with the intention that if you’d forgotten your password, you could have the hint displayed as a reminder. Apparently, the majority of Adobe users had simply typed their password itself as the hint, thus cheerfully allowing their passwords to be displayed to any passer-by who wanted to know them.

The lessons to be learned from this security breach and others like it are straightforward. First, if you use the passwords ‘123456’, ‘qwerty’ or ‘password’ for anything at all, you might as well not have a password! Second, if you use the ‘password hint’ option to re-enter your password itself, rather than just an oblique clue to it, you don’t really have a password at all. And third, however simple a password you choose, throwing in a capital letter or a symbol (+, *, %, $, etc.) immediately takes your password out of the Top 100 and makes it far less guessable. Be aware however that simply substituting symbols for characters in popular words is the next worse case. Any hacker worth his keystrokes will have no trouble with ’Pa$$word’ ‘He110’ or ‘HarryP0tt3r’, so be careful.


The fourth lesson, unfortunately, is that the first three lessons don’t seem to be getting through!