
Poll: Should we abandon the password?

A study of 32 million passwords revealed that "123456" was used by over 290,000 users. Is it time to abandon the password?

IT professionals have long known that most users choose insecure passwords. This fact was proven once again by an analysis of over 32 million passwords--released on the Internet as part of a data breach at RockYou.com. Imperva, a data security firm, analyzed the data and discovered, among other things, that over 290,000 users had a password of "123456".

Here are the top 10 passwords by popularity:

  1. 123456 - 290,731 users
  2. 12345 - 79,078 users
  3. 123456789 - 76,790 users
  4. Password - 61,958 users
  5. Iloveyou - 51,622 users
  6. Princess - 35,231 users
  7. Rockyou - 22,588 users
  8. 1234567 - 21,726 users
  9. 12345678 - 20,553 users
  10. abc123 - 17,542 users

Imperva's analysis also showed that about 30 percent of users had passwords with six or fewer characters and nearly half of users "used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on)." Considering the above information, can passwords ever be secure? Is it time for a new security mechanism? What should that new authentication mechanism be?

Here is a collection of password resources and discussions from other areas of TechRepublic:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

189 comments
mhaley1156

all you have to do is remember an acronym of some kind... c'mon people. "I can't ever remember a strong password" - and add a number on the end for something to change when the time comes. Icer@sp1, Icer@sp2, Icer@sp3, etc... "my name is Ben and I have a strong password" mniB&Ihasp1, mniB&Ihasp2, mniB&Ihasp3, etc... "You never know what's coming for you" Ynkwc4U1, Ynkwc4U2, Ynkwc4U3, etc.

Deadly Ernest

passwords as useful or are placed under silly password policies that require too frequent a change to enable them to really remember them. In high security situations, we do need to use some of the other alternatives available, either in place of or with passwords.

blackepyon01

As my dear sister always says, "Artificial intelligence is no match for natural stupidity."

JCitizen

Is a reliable way to store a bio-metric like facial recognition, which is getting very reliable and hard to spoof, so that the data cannot simply be recorded and played back again by an attacker. But I would STILL keep the password as another factor, even if you might get away with weaker passwords on a more reliable bio-metric system. I realize simply encrypting that metric data is probably not seen as good enough; but I'm talking about a new technology, perhaps hardware based like other NEW two factor systems.

david.hunt

It synchronises between Windows and Palm (plus other platforms), but unfortunately, not Linux. Nevertheless, it is a handy tool that I have recommended to others. I also like KeePass.

reisen55

Last year I noticed that an FTP session was open and running on my Windows 2003 Server, kept on my home network. I use it for business testing and keep little client data on it for obvious reasons and this was one strange incident. The FTP attack was coming from an IP that was traced to - TRUE - the Beijing Railroad, China. Somebody FAR away was trying to password blast my server. I keep a fairly complex password on it - see my post about hobby protocols - and he or she could not crack it. Still, the FTP service was terminated and I strengthened the password a bit more as a result. This is an excellent example of why passwords ARE IMPORTANT.

sukhen

NO, Just don't accept the most simple or common ones.

user support

Is the password an evolution of the challenge during military times? "Halt, who goes there, friend or foe?" The guard would offer a sentence challenging the visitor to respond with a word or sentence that only a friend should know. It could have been compromised by spies or by capture of one of his own men. I prefer strong passwords for work and home finance, tax and insurance using my own twist to well known cliches, such as "A penny saved is a penny earned" could be a password like Apiape%1 or A1?iape. I sometimes make mistakes but have rarely locked out my work accounts. Even with passwords you still have to protect against con artists, for which at some time during my life a new term "social engineering" appeared on the scene. Lastly, someone in the threads compared the network permissions to having a key to different locations in the office building. Most offices in the enterprise have moved away from key systems to ID badges to prevent unauthorized access, from someone losing a key to someone illegally copying a key.

AbbyD

I first learned this using Windows 2000 and it still works with Windows XP. An unbreakable password can be created using ASCII code symbols. These are unbreakable because two keys are typed to create a single entry. By holding down the ALT key and typing a number on the keypad you generate a symbol. ALT + 3 = ♥ the heart symbol. ALT + 4 = ♦ the diamond, etc. You could have a simple password that says "I ♥ MARY" or any other combination.

johnpowers6

I don't think we should abandon the password, unless you want to move to pass-phrase or multi-factor authentication methods. However, I've seen the password survey from rockyou.com referenced all over the place, and frankly, it's probably not a good indicator. If I sign up for an account on some trivial site that I may never go to again and/or don't post any personally identifiable info, I often use trivial credentials.

Darren B - KC

Heh... we only have about 50 users in my office and I know of two that use "123456" as their network password. They got them before I was hired. Now, I assign new users their passwords which consist of letters and numbers derived from their first and last names, their SSN, their driver's licence number, the number of children they have, how many cars they've owned, the time of day they usually wake up, the street they grew up on, the number of calories in their evening meal (on average), their net income minus any interest from credit card balances calculated during leap years that had a lunar eclipse occur, AND the number of times they have seen Simon break the hearts of aspiring singers on American Idol. Oh, and one special character. That should do it.

parnote

Don't make those of us who LOVE to use (and NEED to use) secure passwords pay the price for all the morons out there, who have no concept of how important security is until it's way, way too late. If you want an easy way to create a secure password, think about this: most people (ok, a lot of people, especially IT folks) carry USB thumb drives around with unsecure data that is no huge loss should it become lost. In a folder on there, carry 12 (or 1000 ... the more the better) MP3 files from your favorite band or artist, along with the MD5 Checksums for those files. Pick one song, and use the MD5 Checksum (or a portion of it, or a portion of it mixed with the song title ... it's your choice) as your password. Only YOU know which is the one song you've chosen, out of all the songs on there, to represent your password. DO NOT use the song title alone, but you may mix the song title into the portion of the MD5 Checksum you decide to use. Maybe characters/digits occupying the 2nd thru 8th position of the MD5 Checksum, the first two letters of each word of the song title, and then the last four characters/digits of the MD5 Checksum, minus the last two ... remember that you make the rules how to apply the carry-along password. And don't just carry one or two songs, along with their MD5 Checksums, around. The more songs you carry on the drive, the less suspicious those songs are, and the more secure your password. Also, by carrying many songs around, you can apply the same "rules" for password selection to many places where you have to have a secure password, and you can easily have multiple passwords for multiple places where a password is required, and only use that particular password for only one account. Bonus: If you always use the same rules for determining your passwords, then it's easy to "look up" your password for a given site, since you're carrying many MP3 files (and their accompanying MD5 Checksums) around on your USB flash drive.

santeewelding

You have no idea of what I am talking about. Does this leave me in the lurch, or you?

pkngresq34

Passwords should be easy for users. First, have the user log in with a username, and a password. If password fails, then wait a second before letting a person with the same user name try again. If it fails again, then increase the delay to 2 seconds for that user, etc. If you follow such a scheme, you should be quite secure, even with a pretty simple or common password.

vrodhogrider

For the average user passwords should be adequate protection, if used correctly, and are less complicated, and less difficult to use than most other methods. Other methods would be even less likely to be employed properly, with lost keys, cards, USB sticks and the like being a frequent problem. Give them an alternative, try to educate them, but don't mandate other methods. We are all responsible for our own screw-ups. On my personal PCs I use 29-Digit Alphanumeric and Special Character passwords which are actually in parts unidentifiable to any but myself. (Even my password "hint" is a chain of unrelated and apparently meaningless words and syllables, to all but myself.) It could be cracked by an expert with the right equipment and programming, but not by anyone else.

TheProfessorDan

The Encentuate SSO only stores the passwords but it's not in a clear text type DB. It's no different than losing your wallet. If your SSO account got hacked, you could change each password. Encentuate has no authority over the passwords; it simply passes them on to the application.

LocoLobo

i.e. no password. What other alternatives are there? Biometrics? That raises the cost of computing. I've thought about card readers like some building security systems. Same objection. Is some security better than none? That's what the organization should decide.

David01238

I would rather have my crew write down a strong password than memorize a weak one.

Oz_Media

If so, how about a more realistic title? "Less than 1% of passwords used to access free, online services use strong passwords." I know people who use simple passwords, or no password at all, on their home PCs. It doesn't represent their office passwords or their office's server access passwords. The strength of those passwords is the responsibility of their network administrators, not the user. People don't bother with such passwords for online garbage because a) there's nothing there to steal b) recovery can be a real pain as people often use a free online account for online junk and they are slow and unreliable when you want to access the account fast and forgot your password. Hack my TR password, who cares? Just look at all of that imperative information you will gather! A pseudonym! An online email password so you can read all my spam and junk mail from all the other free online logins! My notebook uses stronger encryption. My server where client files (unreleased music, videos etc) are stored uses stronger passwords again. In the end if someone REAAAALLLY wants in, they will get in anywhere, no matter what password you use. Will you access my notebook? Not through hacking TR. Will you gather my bank information? Probably much easier ways to get that. "Next week on from the TR Dojo: Chicken Little's statistics show that the sky may actually be falling!" Should we prop it up with sticks? VOTE HERE...

dogknees

Who do you think might be able to force every login system in the world to stop using passwords? How are we to find every single password protected system and change them? Who's going to pay for it? I'm over ridiculous categorical statements that do no good to anyone and are essentially meaningless. If you don't really mean ALL passwords, then say so. Saying it without qualification is dumb. It's a little like saying "now we have ubiquitous internet access....". We don't, not all of us. It will be a long time until we do (probably 2-3 decades, if then). It's a stupid statement and shows the author to be a dolt and taints the rest of what might be a good article.

drednot57

considering biometric authentication is becoming cheaper, more affordable, and more widespread. I can't really see any reason in the near future why any large organization would stick to using passwords as their main user authentication method. Very hard to replicate fingerprints.

JackOfAllTech

These are the people who click on things they shouldn't and are surprised when bad things happen. These are the people who buy things from spam emails. These are the people who give their CC numbers to operators who are standing by from TV infomercials. In other words, these are the people who make our life difficult and don't even care.

skinch

Well Lenovo and IBM before them were able to install fingerprint readers on their computers without making the cost prohibitive. I am sure that someone has worked out or shortly will work out how to get a secure website to read the output from a fingerprint reader. As a former user of Linux I quickly learned that Windows users do not really like passwords, most people choose their kids' names or something as weak as the examples in this blog. Great as the theory is (and I pride myself on having a multitude of reasonably good passwords with mixed capitals, lower case and numbers) the weakness is always going to be the end user. I used to work with people who wrote their passwords on post it notes which they stuck to their monitors. Maybe fingerprints are the way forward, I just pity the victim of a theft whose laptop has something really valuable on it. Traumatic amputation of an index finger might put a damper on one's day!

Sheri68

I believe that people need to be more concerned about the security aspect. We should get rid of simple passwords and either make them more complex or go with pass phrases. People need to understand and be educated about this problem.

careeradvisortech

I think passwords are getting overused. Every single site even gossip sites want you to have an account with a password. I am tired of it. I pretty much have to use the same passwords over and over because I am tired of having to remember them.

benwal91

People can convince others to use harder passwords, but they think if they use 123oct17 it is hard... We just had a change of staff in the IT department at church, and I'm suggesting that passwords be changed. Using 'Password1' is easily accessible.

JohnMcGrew

People can't use brainless passwords if you don't let them. I'd build a blacklist database that constantly adds to itself by searching out articles about brainless passwords.

brent.russell

We enforce passwords using 3 of the 4 possible character combos: lower case, upper case, numbers & special characters. Also a minimum length of 8 and forced change periods. We also use encryption (Pointsec) on all laptop drives. Can be a pain when they forget and has caused some business issues but keeps us locked down pretty good.
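A policy checker that encodes the rules raised in the last few comments, added here as an example and not code posted by any of the commenters: brent.russell's 3-of-4 character classes and 8-character minimum, JohnMcGrew's blacklist (seeded with the article's own top-10 list), and Imperva's "consecutive digits, adjacent keyboard keys" patterns. The keyboard rows, the run length of 4 and the stem-stripping rule are my assumptions; benwal91's 'Password1' passes the complexity rule alone and is caught only by the blacklist.

```python
import re

# Blacklist constructed from the top-10 list quoted in the article above; a real
# deployment would load a far larger list (e.g. a full breach corpus) from a file.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Keyboard rows used to spot "adjacent keyboard keys" patterns such as qwerty or asdfg.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 8    # brent.russell's minimum length
MIN_CLASSES = 3   # brent.russell's "3 of the 4 possible" character classes


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) are present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters sit side by side on a keyboard row (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def has_digit_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive digits step by +1 or -1 (e.g. 1234 or 9876)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str) -> list:
    """Return the list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    low = pw.lower()
    # Judge the stem too, so 'Password1' is caught by its blacklisted stem 'password'.
    stem = re.sub(r"[^a-z]+$", "", low)
    if low in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("on the common-password blacklist")
    if has_keyboard_run(pw):
        problems.append("contains an adjacent-keyboard-key run")
    if has_digit_sequence(pw):
        problems.append("contains a run of consecutive digits")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "Icer@sp1"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```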

Neon Samurai

We tried the finger scanner now standard on the Lenovos. It seems to have good days and bad. When it's working, it's great to just swipe and go. On bad days, if I swiped more than three times without a green checkmark, I'm entering my password rather than continuing with the scanner gimmick. We had a user set up their own fingerprints on a new laptop and miss checking the "allow password as secondary". That user ended up locked out of their work machine for half a week after some carpentry shredded their prints. After the second user locked themselves out, we started simply deleting the print profile, leaving the machine to default back to a password entry. The lesson: keep passwords available as backup because biometrics are just not that good yet.

Neon Samurai

My keepass database can be opened from the interface app on nearly any platform I can think of. Windows, *nix, Palm, WinCE.. Android and iPhone apps are probably on their way if not already available. It's a fantastic application and only gets better if you regularly move between platforms.

inet32

"Somebody FAR away was trying to password blast my server" Password blasting is a good reason to have a delay on passwords. Even a few seconds can dramatically slow down the blasters. 6 alphanumeric characters even if they were all one case, has over 2 billion combinations. (36^6) So if you had a 5 second delay it would take 1260 DAYS (over 3 years) of continuous blasting to try _1%_ of the possible combinations, if I did my math right.
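pkngresq34's progressive-delay scheme and inet32's arithmetic, implemented together as an added example (not code from either commenter). The doubling step, the 60 s cap, the "refused attempts are not counted" rule and the fake clock are my assumptions; the check confirms inet32's 1260-day figure. A delay like this slows online guessing only and does nothing for password hashes already taken in a breach such as the one the article describes.

```python
import time


def days_to_try_fraction(alphabet_size, length, delay_seconds, fraction):
    """Days of continuous guessing needed to cover `fraction` of the keyspace when
    every guess costs `delay_seconds` (inet32's 36^6 keyspace, 5 s delay, 1% case)."""
    keyspace = alphabet_size ** length
    return keyspace * fraction * delay_seconds / 86400


class LoginThrottle:
    """Per-username progressive delay after failed logins (pkngresq34's scheme).

    Assumed details the comment leaves open: the delay doubles on each consecutive
    failure from base_delay and is capped at max_delay, so a flood of bad guesses
    cannot lock the real user out indefinitely; a successful login resets the count.
    It slows online guessing only; stolen hashes (as in the RockYou breach) are unaffected.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock        # injectable so the behaviour can be tested offline
        self._failures = {}       # username -> consecutive failure count
        self._next_allowed = {}   # username -> earliest time another attempt is accepted

    def current_delay(self, username):
        n = self._failures.get(username, 0)
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def attempt(self, username, password, verify):
        """Return 'ok', 'bad' or 'wait' ('wait' = refused, delay not elapsed, not counted as a guess)."""
        now = self.clock()
        if now < self._next_allowed.get(username, 0.0):
            return "wait"
        if verify(username, password):
            self._failures.pop(username, None)
            self._next_allowed.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        self._next_allowed[username] = now + self.current_delay(username)
        return "bad"


class FakeClock:
    """Manually advanced clock so the demo runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three bad guesses, one premature retry and the right password; returns (result, delay) pairs."""
    clock = FakeClock()
    store = {"alice": "Example-Pass-9x"}   # constructed credential for the demo

    def verify(user, pw):                  # real systems compare against a salted hash instead
        return store.get(user) == pw

    throttle = LoginThrottle(clock=clock)
    trace = []

    def step(guess, advance=0.0):
        clock.advance(advance)
        trace.append((throttle.attempt("alice", guess, verify), throttle.current_delay("alice")))

    step("123456")                         # first failure: 1 s delay imposed
    step("12345")                          # retried at once: refused, delay unchanged
    step("12345", advance=1.0)             # second failure: delay doubles to 2 s
    step("password", advance=2.0)          # third failure: delay now 4 s
    step("Example-Pass-9x", advance=4.0)   # correct password accepted, counter reset
    return trace


if __name__ == "__main__":
    print(demo())
```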

AbbyD

Try this, it is simple and it works. Create an ASCII code symbol in the password by holding down the ALT key and pressing a number on the keypad.

AbbyD

In typing my examples of the heart and diamond symbol in ASCII code, the symbols appeared in the reply box but showed up as question marks (?) in the Comments. Nevertheless, it does work.

Bill Detwiler

I think you're making an inaccurate assumption about the average person's willingness to create different passwords for the umpteen systems they use on a regular basis. In my experience, most users have three or four passwords and rotate those among the systems they use--if they rotate them at all. As for 290K being a small percentage of 32 million, that's true. However, the study also found that nearly 50 percent of users had passwords that "used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on)."

santeewelding

A certification, somewhere, as to Emergency Technical Technician, for whom who cares about those in fatal distress? In order to do that, as I have learned, one must drop all pretense as to inferiority or superiority. One must go eye to eye, aspiring only to that, and, to acquit yourself honorably. If there is another way, I need to hear about it.

JCitizen

from what I see on tech TV shows, facial recognition is leaping ahead; probably because of the demand for anti-terrorism technology. But widespread use at the TSA may bring hardware/software prices down. I'm not sure if a web-cam is sufficient to service the newer algorithms.

JCitizen

And not your PC? Have they developed a reputation? Just curious, as I have no idea how long the company, LastPass, that I use has been in business. I rather recklessly relied on CNET user reviews. But I'm not always as paranoid as I usually let on.

NickNielsen

"The password you entered is invalid. Passwords can only contain letters and numbers. (A-Z, 0-9)" I've received that error more than once from a site where I much prefer to have a stronger password. Unfortunately, the web sites I receive this error from include the web sites I use to submit my work expenses and change my deductions.

Oz_Media

No matter how well their passwords are secured, it was the server that provided the list that was compromised, not the passwords themselves. People don't bother about passwords on those types of websites, the information uploaded is public anyway. It's like TR, you guys can publish ANYTHING I type here at will, it becomes your property once it is posted so I don't offer any personal, private data. Hacking TR is not going to access my bank account or hard drive. When using a company PC, the IT department is responsible for password strength; you can decide how strong passwords need to be by requesting the use of capitals mixed with lower case, a number added, a symbol added etc. I have several passwords where the only way I can access a site is if my password choice adheres to strict password allowances; it shows me the strength of the password and if it meets the minimal allowable criteria it is accepted. I can't use 1234567, it simply will not accept my choice when asking me to choose a password and tells me to use something else, ie: "You must use a mix of numbers and letters, both upper and lower case, nouns are not accepted". etc. That is not up to the user, it's up to the IT department running the server.

Neon Samurai

ah.. the small town.. where the news of my getting in trouble on the walk home reached my parents before I did. Yeah, there's no getting away from "where everybody knows your name".

JCitizen

before; I believe it was a Science Channel show that featured a new algorithm that can't even be fooled by plastic surgery or a mask! I've always liked living in small towns, so being able to go incognito is not important to me. I couldn't hide if I wanted to around here! Even if Big Brother wants to waste the time it takes to watch everybody, the follow up is very manpower extensive, as homeland security is finding out about phone surveillance. When you got 6 billion plus people in the world, technology doesn't stand a chance of complete Orwellian control. Even in this small community an attempted murderer eluded the police in broad daylight for three months! Wasn't anyone in 50 miles that didn't know that guy!

Neon Samurai

I don't see how scanning every face on the sidewalk and logging the results is any different from an ISP dropping a deep packet inspection box and linking traffic flow with the applicable user. Or worse, webservers that place the box on the remote end for the same tracking purposes. I remember going to my subway stop and there were no cameras. One day there was a row of three facing one direction. A week later a second row turned up to complete the camera trap. Now we are all safe and audited by the watchful eye of Uncle so we can feel safe in the subway. The traps are at all entrance points. I also used to play spot the camera when out and about down town. I never could find the 7th camera in the corner store; I was a regular and made a game of it with the owner. If you really want to have some fun, download these and play them through in the background. I believe Mr Rambam discusses facial recognition now being at the point where you can pretty much cover your face and still be identified and profiled. http://www.thelasthope.org/media/audio/64kbps/Featured_Speaker_-_Steven_Rambam_(Part_1).mp3 http://www.thelasthope.org/media/audio/64kbps/Featured_Speaker_-_Steven_Rambam_(Part_2).mp3 (all due credit to 2600 Magazine for providing these talks for download.)

JCitizen

Or do you mean defense? I'm confused.. I shudder the thought!

Neon Samurai

As an attack, facial recognition can only improve. It is already at the point where dark glasses and a hoodie don't stop it. Add in gait (walk) recognition and it gets really scary.

JCitizen

I'm not even sure what mine uses. I do believe AES has the honors for now!

Neon Samurai

The choice of encryption for the data file was a selling feature. I believe AES is still pretty strong. Hopefully, if stolen, it takes longer than my regular password change period for someone to bruteforce my datafile. This is also a reason I keep close watch of where the data file is and how it's accessible, too.

JCitizen

and since you control the data, you can trust yourself. Wonder if there is any reason to fear for attackers absconding with the encrypted data and cracking it in their lab? I've been reading the criminals are getting some awesome computing power for this. In fact the bot-net can be utilized for this. It's one big computer! I'm recklessly trusting my data stored in the cloud, but someone has to start somewhere in trusting these companies! I didn't bother to learn if it is cross-platform. But I think it has the same capabilities as yours, otherwise.

Neon Samurai

It's open source and has been around for many years now. I can't remember when I put my first password into it or how long it was around previous to my finally looking at it. Keepass has two parts; the application, the data file. The data file can be encrypted by passphrase or cert files as preferred and can be stored anywhere the application can open it from. The application runs locally and comes in native builds for many different platforms including Blackberry. I keep the data file on my flashdrive and a synced copy on my N810. Also on the N810, I have a QT version of Keepass installed to read the account entries. On the flashdrive, I keep a portableapp version of Keepass (win) to read and edit the account entries. KeepassX is in the Debian repositories so I have it installed locally on my Debian boot to read the data file off the flashdrive as needed. The osX machine has the native keepass application installed on it also to read the data file from my flashdrive if needed. Another option to the flashdrive would be to rsync the data file out to each of the machines needed but there is no reason to increase the available copies of that data. Consider a situation where a list of accounts need to be shared among multiple users (IT admin team perhaps). Keep the data file in a secure central location and have it synced out to the relevant IT tech's flashdrives. Just be sure that when a change is made to an entry, it's synced back to the central storage and other techs get it before adding more changes. Cert or strong passphrase AES encrypted data blob; that should be enough to protect my account list for now. Either Keepass will continue to be maintained and evolve along with encryption or I'll export my list to cleartext and import it into what comes next. The advantage is a cross platform application and separate data file. Previously, I used Locknote which is basically Notepad with a password and modified to save whatever text you write back into its own exe. The advantage was that one just copied the .exe to a new location as desired. The disadvantage was that one just copied the .exe to a new location and went home to crack it (not great encryption in that little modified notepad). http://keepass.info/ http://en.wikipedia.org/wiki/KeePass

AbbyD

I'm sure that not everything you use a password for will accept ASCII codes but I was only talking about using them for log-on to Windows operating systems.