
Poll: Should we abandon the password?

A study of 32 million passwords revealed that "123456" was used by over 290,000 users. Is it time to abandon the password?

IT professionals have long known that most users choose insecure passwords. This fact was confirmed once again by an analysis of over 32 million passwords released on the Internet as part of a data breach at RockYou.com. Imperva, a data security firm, analyzed the data and discovered, among other things, that over 290,000 users had a password of "123456".

Here are the top 10 passwords by popularity:

  1. 123456 - 290,731 users
  2. 12345 - 79,078 users
  3. 123456789 - 76,790 users
  4. Password - 61,958 users
  5. Iloveyou - 51,622 users
  6. Princess - 35,231 users
  7. Rockyou - 22,588 users
  8. 1234567 - 21,726 users
  9. 12345678 - 20,553 users
  10. abc123 - 17,542 users

Imperva's analysis also showed that about 30 percent of users had passwords with six or fewer characters, and nearly half of users "used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on)." Considering the above information, can passwords ever be secure? Is it time for a new security mechanism? What should that new authentication mechanism be?

Here is a collection of password resources and discussions from other areas of TechRepublic:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

189 comments
mhaley1156

all you have to do is remember an acronym of some kind... c'mon people. "I can't ever remember a strong password" - and add a number on the end for something to change when the time comes. Icer@sp1, Icer@sp2, Icer@sp3, etc... "my name is Ben and I have a strong password" mniB&Ihasp1, mniB&Ihasp2, mniB&Ihasp3, etc... "You never know what's coming for you" Ynkwc4U1, Ynkwc4U2, Ynkwc4U3, etc.

Deadly Ernest

passwords as useful or are placed under silly password policies that require too frequent a change to enable them to really remember them. In high security situations, we do need to use some of the other alternatives available, either in place of or with passwords.

blackepyon01

As my dear sister always says, "Artificial intelligence is no match for natural stupidity."

JCitizen

Is a reliable way to store a bio-metric like facial recognition, which is getting very reliable and hard to spoof, so that the data cannot simply be recorded and played back again by an attacker. But I would STILL keep the password as another factor, even if you might get away with weaker passwords on a more reliable bio-metric system. I realize simply encrypting that metric data is probably not seen as good enough; but I'm talking about a new technology, perhaps hardware based like other NEW two factor systems.

david.hunt

It synchronises between Windows and Palm (plus other platforms), but unfortunately, not Linux. Nevertheless, it is a handy tool that I have recommended to others. I also like KeePass.

reisen55

Last year I noticed that an FTP session was open and running on my Windows 2003 Server, kept on my home network. I use it for business testing and keep little client data on it for obvious reasons, and this was one strange incident. The FTP attack was coming from an IP that was traced to - TRUE - the Beijing Railroad, China. Somebody FAR away was trying to password blast my server. I keep a fairly complex password on it - see my post about hobby protocols - and he or she could not crack it. Still, the FTP service was terminated and I strengthened the password a bit more as a result. This is an excellent example of why passwords ARE IMPORTANT.

sukhen

NO, Just don't accept the most simple or common ones.

user support

Is the password an evolution of the challenge during military times? "Halt, who goes there, friend or foe?" The guard would offer a sentence challenging the visitor to respond with a word or sentence that only a friend should know. It could have been compromised by spies or by capture of one of his own men. I prefer strong passwords for work and home finance, tax and insurance, using my own twist on well-known cliches such as "A penny saved is a penny earned", which could be a password like Apiape%1 or A1?iape. I sometimes make mistakes but have rarely locked out my work accounts. Even with passwords you still have to protect against con artists, for which at some time during my life a new term, "social engineering", appeared on the scene. Lastly, someone in the threads compared the network permissions to having a key to different locations in the office building. Most offices in the enterprise have moved away from key systems to ID badges to prevent unauthorized access, from someone losing a key to someone illegally copying a key.

AbbyD

I first learned this using Windows 2000 and it still works with Windows XP. An unbreakable password can be created using ASCII code symbols. These are unbreakable because two keys are typed to create a single entry. By holding down the ALT key and typing a number on the keypad you generate a symbol. ALT + 3 = ♥ the heart symbol. ALT + 4 = ♦ the diamond, etc. You could have a simple password that says "I ♥ MARY" or any other combination.

johnpowers6

I don't think we should abandon the password, unless you want to move to pass-phrase or multi-factor authentication methods. However, I've seen the password survey from rockyou.com referenced all over the place, and frankly, it's probably not a good indicator. If I sign up for an account on some trivial site that I may never go to again and/or don't post any personally identifiable info, I often use trivial credentials.

Darren B - KC

Heh... we only have about 50 users in my office and I know of two that use "123456" as their network password. They got them before I was hired. Now, I assign new users their passwords, which consist of letters and numbers derived from their first and last names, their SSN, their driver's licence number, the number of children they have, how many cars they've owned, the time of day they usually wake up, the street they grew up on, the number of calories in their evening meal (on average), their net income minus any interest from credit card balances calculated during leap years that had a lunar eclipse occur, AND the number of times they have seen Simon break the hearts of aspiring singers on American Idol. Oh, and one special character. That should do it.

parnote

Don't make those of us who LOVE to use (and NEED to use) secure passwords pay the price for all the morons out there, who have no concept of how important security is until it's way, way too late. If you want an easy way to create a secure password, think about this: most people (ok, a lot of people, especially IT folks) carry USB thumb drives around with unsecure data that is no huge loss should it become lost. In a folder on there, carry 12 (or 1000 ... the more the better) MP3 files from your favorite band or artist, along with the MD5 Checksums for those files. Pick one song, and use the MD5 Checksum (or a portion of it, or a portion of it mixed with the song title ... it's your choice) as your password. Only YOU know which is the one song you've chosen, out of all the songs on there, to represent your password. DO NOT use the song title alone, but you may mix the song title into the portion of the MD5 Checksum you decide to use. Maybe characters/digits occupying the 2nd thru 8th position of the MD5 Checksum, the first two letters of each word of the song title, and then the last four characters/digits of the MD5 Checksum, minus the last two ... remember that you make the rules how to apply the carry-along password. And don't just carry one or two songs, along with their MD5 Checksums, around. The more songs you carry on the drive, the less suspicious those songs are, and the more secure your password. Also, by carrying many songs around, you can apply the same "rules" for password selection to many places where you have to have a secure password, and you can easily have multiple passwords for multiple places where a password is required, and only use that particular password for only one account. Bonus: If you always use the same rules for determining your passwords, then it's easy to "look up" your password for a given site, since you're carrying many MP3 files (and their accompanying MD5 Checksums) around on your USB flash drive.

santeewelding

You have no idea [i]of[/i] what I am talking about. Does this leave me in the lurch, or you?

pkngresq34

Passwords should be easy for users. First, have the user log in with a username, and a password. If password fails, then wait a second before letting a person with the same user name try again. If it fails again, then increase the delay to 2 seconds for that user, etc. If you follow such a scheme, you should be quite secure, even with a pretty simple or common password.
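The per-username progressive delay described in this comment, written out as an added example (not the commenter's code): doubling the delay after each consecutive failure is my reading of "etc.", and the 64-second cap is an assumption added so that a burst of failures cannot keep the legitimate account owner waiting indefinitely. The clock is injectable so the behaviour can be exercised without sleeping.

```python
import time

# Assumed cap on the delay; without one, enough consecutive failures would
# keep the real owner of the account locked out for hours.
MAX_DELAY = 64.0


class LoginThrottle:
    """Per-username progressive delay after failed logins."""

    def __init__(self, base_delay=1.0, max_delay=MAX_DELAY, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock          # injectable so tests need not sleep
        self.failures = {}          # username -> consecutive failure count
        self.next_allowed = {}      # username -> earliest time a new try is accepted

    def wait_time(self, username):
        """Seconds the caller must still wait before this username may try again."""
        return max(0.0, self.next_allowed.get(username, 0.0) - self.clock())

    def attempt(self, username, password_ok):
        """Record one login attempt and return (accepted, seconds_to_wait).

        password_ok is the result of the credential check the caller performed.
        While a delay is in force the attempt is refused regardless of it.
        """
        remaining = self.wait_time(username)
        if remaining > 0:
            return False, remaining
        if password_ok:
            # A successful login clears the failure history for this user only.
            self.failures.pop(username, None)
            self.next_allowed.pop(username, None)
            return True, 0.0
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        # 1 s after the first failure, 2 s after the second, 4 s, 8 s, ... up to the cap.
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.next_allowed[username] = self.clock() + delay
        return False, delay


class FakeClock:
    """Constructed stand-in for time.monotonic(), advanced by hand."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```

Because the state is keyed by username, a run of failures against one account does not slow down logins for anyone else.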

vrodhogrider

For the average user passwords should be adequate protection, if used correctly, and are less complicated, and less difficult to use than most other methods. Other methods would be even less likely to be employed properly, with lost keys, cards, USB sticks and the like being a frequent problem. Give them an alternative, try to educate them, but don't mandate other methods. We are all responsible for our own screw-ups. On my personal PCs I use 29-Digit Alphanumeric and Special Character passwords which are actually in parts unidentifiable to any but myself. (Even my password "hint" is a chain of unrelated and apparently meaningless words and syllables, to all but myself.) It could be cracked by an expert with the right equipment and programming, but not by anyone else.

TheProfessorDan

The Encentuate SSO only stores the passwords but it's not in a clear text type DB. It's no different than losing your wallet. If your SSO account got hacked, you could change each password. Encentuate has no authority over the passwords; it simply passes them on to the application.

LocoLobo

i.e. no password. What other alternatives are there? Biometrics? That raises the cost of computing. I've thought about card readers like some building security systems. Same objection. Is some security better than none? That's what the organization should decide.

David01238

I would rather have my crew write down a strong password than memorize a weak one.

Oz_Media

If so, how about a more realistic title? [b]Less than 1% of passwords used to access free, online services use strong passwords.[/b] I know people who use simple passwords, or no password at all, on their home PCs. It doesn't represent their office passwords or their office's server access passwords. The strength of those passwords is the responsibility of their network administrators, not the user. People don't bother with such passwords for online garbage because a) there's nothing there to steal b) recovery can be a real pain as people often use a free online account for online junk and they are slow and unreliable when you want to access the account fast and forgot your password. Hack my TR password, who cares? Just look at all of that imperative information you will gather! A pseudonym! An online email password so you can read all my spam and junk mail from all the other free online logins! My notebook uses stronger encryption. My server where client files (unreleased music, videos etc) are stored uses stronger passwords again. In the end if someone REAAAALLLY wants in, they will get in anywhere, no matter what password you use. Will you access my notebook? Not through hacking TR. Will you gather my bank information? Probably much easier ways to get that. [b]"Next week on from the TR Dojo: Chicken little's statistics show that the sky may actually be falling!" Should we prop it up with sticks? VOTE HERE...

dogknees

Who do you think might be able to force every login system in the world to stop using passwords? How are we to find every single password protected system and change them? Who's going to pay for it? I'm over ridiculous categorical statements that do no good to anyone and are essentially meaningless. If you don't really mean ALL passwords, then say so. Saying it without qualification is dumb. It's a little like saying "now we have ubiquitous internet access....". We don't, not all of us. It will be a long time until we do (probably 2-3 decades, if then). It's a stupid statement and shows the author to be a dolt and taints the rest of what might be a good article.

drednot57

considering biometric authentication is becoming cheaper, more affordable, and more widespread. I can't really see any reason in the near future why any large organization would stick to using passwords as their main user authentication method. Very hard to replicate fingerprints.

JackOfAllTech

These are the people who click on things they shouldn't and are surprised when bad things happen. These are the people who buy things from spam emails. These are the people who give their CC numbers to operators who are standing by from TV infomercials. In other words, these are the people who make our life difficult and don't even care.

skinch

Well, Lenovo and IBM before them were able to install fingerprint readers on their computers without making the cost prohibitive. I am sure that someone has worked out or shortly will work out how to get a secure website to read the output from a fingerprint reader. As a former user of Linux I quickly learned that Windows users do not really like passwords; most people choose their kids' names or something as weak as the examples in this blog. Great as the theory is (and I pride myself on having a multitude of reasonably good passwords with mixed capitals, lower case and numbers), the weakness is always going to be the end user. I used to work with people who wrote their passwords on post-it notes which they stuck to their monitors. Maybe fingerprints are the way forward; I just pity the victim of a theft whose laptop has something really valuable on it. Traumatic amputation of an index finger might put a damper on one's day!

Sheri68

I believe that people need to be more concerned about the security aspect. We should get rid of simple passwords and either make them more complex or go with pass phrases. People need to understand and be educated about this problem.

careeradvisortech

I think passwords are getting overused. Every single site even gossip sites want you to have an account with a password. I am tired of it. I pretty much have to use the same passwords over and over because I am tired of having to remember them.

benwal91

People can convince others to use harder passwords, but they think if they use 123oct17 it is hard... We just had a change of staff in the IT department at church, and I'm suggesting that passwords be changed. Using 'Password1' is easily accessible.

JohnMcGrew

People can't use brainless passwords if you don't let them. I'd build a blacklist database that constantly adds to itself by searching out articles about brainless passwords.

brent.russell

We enforce passwords using 3 of the 4 possible character combos: lower case, upper case, numbers & special characters. Also a minimum length of 8 and forced change periods. We also use encryption (Pointsec) on all laptop drives. Can be a pain when they forget and has caused some business issues, but keeps us locked down pretty good.

Johnny Bee

290,000 is a large number of computers but out of 32 million it is less than 1%. Even the military doesn't work to that tight a standard (although they might claim that they do).

piratesmvp04

"Many people use bad passwords, so should we abandon the password?" To that, I say, "Many people use bad or no anti-virus software, so should we abandon anti-virus software?" Just because people aren't using it doesn't mean it's a bad thing. Those people who use bad passwords are the ones who are always running into computer problems because of their own stupidity. Also, 290,731 seems like a lot until you see that the sample size for this survey was 32 million.

wilkiejl

Until there is a universal adoption of a standard biometric method of identification, we still need passwords. For example, if every keyboard had fingerprint identification along with multi-factor authentication, then it goes a long way toward solving the password problem. The multi-factor authentication could just be fingerprints from different fingers on any hand (or toe).

fwu

Seriously...? Passwords are still the easiest security mechanism that can be implemented. Any device/website can also implement a simple algorithm to detect simple/short passwords. The trouble is that no one takes security seriously, including developers/technology specialists. This analysis does not mention what these passwords are being used for also. A simple password is fine for most people that are using an account to "browse" social networks, as these sites don't even require strong passwords. Forums, blog sites, and even TechRepublic do not require strong passwords. Example, banking sites force users to have relatively secure passwords, e.g. password length minimum, case-sensitivity, roman numerals. It's a no-brainer that anything worth protecting on the internet will and should require strong passwords.
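An added example (not code from the article, Imperva, or any commenter) of the "simple algorithm to detect simple/short passwords" fwu describes, built from the categories Imperva's analysis flagged in the article above: the top-10 list from the article, consecutive digits, adjacent keyboard keys, dictionary words (with digits or symbols appended, as in "Password1"), plus the minimum length of 8 and 3-of-4 character classes from brent.russell's policy. The word list here is a constructed stand-in; a deployment would load a full dictionary and a far larger breach blacklist.

```python
import re

# Top-10 RockYou passwords as listed in the article (Imperva analysis).
TOP10 = ["123456", "12345", "123456789", "password", "iloveyou",
         "princess", "rockyou", "1234567", "12345678", "abc123"]

# Constructed stand-in for a real dictionary file.
WORDLIST = {"password", "iloveyou", "princess", "rockyou", "welcome", "monkey"}

# Rows of a US keyboard; a walk along one in either direction is flagged.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8    # brent.russell's minimum length
MIN_CLASSES = 3   # "3 of the 4 possible character combos"


def is_consecutive_digits(pw):
    """True for runs such as 123456 or 87654 (all digits, constant step of +1 or -1)."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def has_keyboard_walk(pw, window=4):
    """True if any 4-character window of the password runs along a keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for pattern in (row, row[::-1]):
            for i in range(len(low) - window + 1):
                if low[i:i + window] in pattern:
                    return True
    return False


def is_dictionary_word(pw, wordlist=WORDLIST):
    """True if the password is a listed word, optionally with digits/symbols appended."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base in wordlist


def character_classes(pw):
    """Count how many of lower, upper, digit and special are present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw, wordlist=WORDLIST):
    """Return every reason a candidate is rejected; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in TOP10:
        reasons.append("on the breach blacklist")
    if is_consecutive_digits(pw):
        reasons.append("consecutive digits")
    if has_keyboard_walk(pw):
        reasons.append("adjacent keyboard keys")
    if is_dictionary_word(pw, wordlist):
        reasons.append("dictionary word")
    if character_classes(pw) < MIN_CLASSES:
        reasons.append("fewer than %d character classes" % MIN_CLASSES)
    return reasons
```

Run against the thread's own examples, "123456" trips five of the six rules, "Password1" fails only the dictionary rule, and "Shiloh1862" or "Icer@sp1" pass every check.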

Neon Samurai

We really should abandon the password. At 15~20 + characters properly randomized from lower/capitals/numbers/symbols, it's really coming time to look at a new standard. The password is portable though and avoids "but now I have to carry another piece for my computer" complaints. We're not multi-factor authentication here but we really should be, as should any other place be. The trick is finding a clean multi-factor system that does not include a password layer. Then this has to be presented to average users who see safe computing as a hassle rather than the bare minimum any operator should be doing.

A. C. Metcalf

The password situation has gotten ridiculous. Human beings are not that lazy, however, when you have a "password" for your job--probably a minimum of three of them, then a password for your home computer which is possibly also linked to your job, passwords for the various websites you're interested in, passwords for your banking, and on and on, you end up having to write them down, which is very unsafe, or equally so, use the same one.

Freetime000

Enforcing strong passwords only makes your security weaker because people will write down your complex passwords and stick them to their keyboard!

Brian G

If you're talking about crap sites where I have to create an account to get any use of it, 12345 would be a good password considering I may never come back to that site. If you're talking about an account to a financial site that has all your personal data, then using 12345 would be a big deal.

reisen55

There was one woman I worked with who spoke and read Irish Gaelic, which is impossible to crack. Otherwise, I use a combination of Hobbies for my users and this is a personal interest that users never EVER forget and can use in interesting combinations. Example: Civil War fanatics can use battles, commanders and dates in various combinations... Shiloh1862 1863Vicksburg With a capital in there, not a bad protocol.

CharlieSpencer

If we're abandoning the password, what are we replacing it with? Specifically, what cheap, portable method of authentication are we replacing it with? I agree there's a problem; what's the affordable solution?

joseph.slive

...and open heart surgery doesn't always work either. Should we abandon that? This is a training issue and an administration issue. GPOs can be set to require minimum length and enforce the requirement for alphanumeric combinations.

georgeh

that's still only 2%

Al_nyc

Of course not. Passwords are necessary.

Bill Detwiler

A study of 32 million passwords revealed that "123456" was used by over 290,000 users. After decades of trying to convince users to create strong passwords, is it time to admit that passwords are inherently insecure? Take the poll and let me know. Original post and poll: http://blogs.techrepublic.com.com/itdojo/?p=1473
