I was both annoyed - as a former IT professional - and saddened - as a retired pastor - to see that the human race hasn't changed much . . . at least, not in terms of computer security.
According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.
“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”
Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)
The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.
“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.
Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”
More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.
That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”
. . .
Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?
Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.
“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”
In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.
But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites were security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.
There's more at the link. It's well worth reading the full article.
Out of the 32 million passwords stolen, the following were used (in descending order of popularity) by about a million RockYou users.
Folks, if you're using a simple, easily-guessed or -hacked password on your social network and/or e-mail accounts, please, please, change it now! There are computer programs out there that can mount a mass attack, trying thousands of passwords in a matter of minutes. The use of easily-guessed passwords like those quoted above makes the job of hackers and cyber-thieves that much simpler.
(I've done what I can to make the lives of cyber-sniffers more difficult if they try to figure out my passwords. Unless they speak Zulu, they won't know where to start . . . and even then, they'd have to know some words that aren't part of the normal introductory Zulu course vocabulary, and combine them in interesting ways. I suspect most Chinese or Russian hackers - who seem to be the most active - won't get very far!)