The most popular passwords at school
So, two months later, we’re still lying to our community about the security of their passwords. We tell them that up to 30 characters are fine, and we tell them that we are checking the strength of their password. But we’re not: we check the strength of the password they chose, and then we truncate it to eight characters.
The result is that the most popular password among our users is “password”. It’s so bad that hackers wouldn’t even need to automate getting into our system.
We have people using all of the common really bad passwords, even though every one of them would be rejected if the system truncated first and checked the truncated result:
- 12345678
- password
- iloveyou
- princess
- abcdefgh
- abcd1234
Every one of these passwords would have been rejected if entered like that. The people who have them entered longer passwords; the longer passwords were verified as relatively secure; and then the password was truncated to eight characters, without telling the account owner.
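The failure described above comes down to the order of two operations: checking the password and truncating it. The following is an added example, not code from the original post or from the school’s system; the policy rules, the eight-character limit, the word list and the accounts are all constructed to mirror what the post describes. It runs the same constructed accounts through both orders and then applies the kind of dictionary search the post used, including the detail that dictionary words must be truncated the same way (so “basketball” matches a stored “basketba”):

```python
"""Validate-then-truncate versus truncate-then-validate.

Added example, not from the original post. The eight-character limit,
the policy rules, the word list and the accounts are constructed.
"""

MAX_STORED = 8  # assumed legacy limit, as described in the post

# Constructed stand-in for a system word list (the post used the one that
# ships with Mac OS X; a real check would read /usr/share/dict/words).
WORDS = ["password", "iloveyou", "princess", "baseball", "football",
         "sunshine", "california", "softball", "basketball", "lacrosse",
         "superman", "volleyball", "university", "chocolate",
         "abcdefgh", "abcd1234", "12345678"]


def meets_policy(pw, username, words=WORDS):
    """Assumed policy: at least 8 characters, not a dictionary word,
    not the username, and not purely alphabetic or purely numeric."""
    if len(pw) < 8:
        return False
    low = pw.lower()
    if low in words or low == username.lower():
        return False
    if low.isalpha() or low.isdigit():
        return False
    return True


def store_check_then_truncate(pw, username):
    """The broken order from the post: validate what the user typed,
    then silently keep only the first MAX_STORED characters."""
    if not meets_policy(pw, username):
        return None  # rejected at entry
    return pw[:MAX_STORED]


def store_truncate_then_check(pw, username):
    """The honest order: validate exactly what will be stored."""
    stored = pw[:MAX_STORED]
    if not meets_policy(stored, username):
        return None
    return stored


def dictionary_hits(stored_by_user, words=WORDS):
    """Simple dictionary search in the spirit of the post's: compare each
    stored value against every word truncated the same way the system
    truncates passwords, and against the username itself."""
    candidates = {w[:MAX_STORED].lower() for w in words}
    hits = {}
    for user, stored in stored_by_user.items():
        if stored is None:
            continue
        s = stored.lower()
        if s in candidates or s == user.lower()[:MAX_STORED]:
            hits[user] = stored
    return hits


# Constructed accounts: what each user actually typed.
ACCOUNTS = {
    "jsmith":   "password2013!",
    "coach_b":  "basketball#1",
    "mlopez":   "iloveyou4ever",
    "princess": "princess99rules",
    "rjones":   "Tr0ub4dor&3",
    "kwu":      "correct horse battery",
}


def audit(accounts=ACCOUNTS):
    """Store every account both ways and return the dictionary hits as
    (hits under check-then-truncate, hits under truncate-then-check)."""
    broken = {u: store_check_then_truncate(p, u) for u, p in accounts.items()}
    honest = {u: store_truncate_then_check(p, u) for u, p in accounts.items()}
    return dictionary_hits(broken), dictionary_hits(honest)


if __name__ == "__main__":
    broken_hits, honest_hits = audit()
    print("check-then-truncate, found by dictionary:", broken_hits)
    print("truncate-then-check, found by dictionary:", honest_hits)
```

Four of the six constructed accounts pass the policy as typed and then fall to the dictionary once truncated, including the one whose truncated password equals the username; checking the truncated form instead rejects all four at entry. Truncating first only makes the limit honest. The real fix is to stop truncating and hash the whole password with an algorithm that has no such limit.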
The top ten are:
- password
- baseball
- football
- princess
- sunshine
- californ
- softball
- basketba
- lacrosse
- tie: superman, volleyba, universi, and chocolat
I’m a little disappointed that chocolate scores so low.
Out of 26,609 accounts, 948 fell to a simple dictionary search[1]; of those, 58 were “password” and eight were the account’s username. And the users aren’t to blame: they think they have a longer, more secure password, and we’ve gone out of our way to let them believe it.
In response to Embarrassing password tricks: Never trust anyone over 30 characters.
[1] I don’t want to call it a dictionary attack: there was no work involved whatsoever. It’s just the dictionary that happens to come with Mac OS X.
- OMGWTF: Passwords of 93,000 Politicians, Reporters, Bloggers Leaked: Rick Falkvinge at Falkvinge on Infopolicy
- “In what is arguably the largest-scale security breach so far in Sweden that didn’t come in the form of a parliamentary decision, a leak of 93,678 password-email combinations became public today. The accounts belong to all the top reporters, politicians, and bloggers in Sweden.”