Recently, password files from several social media systems, including LinkedIn, Twitter, and MySpace, have reportedly been hacked and made available. And despite all the warnings about good password hygiene, bad passwords still abound.
When it comes to senseless passwords, it appears that no one is immune. Even tech CEOs like Facebook’s Mark Zuckerberg and Oculus’ Brendan Iribe have been outed for bad password practices—Zuckerberg for using “dadada” and Iribe for using a four-year-old MySpace password, reports the BBC. (To add insult to injury, not only is “dadada” bad, but it is apparently an old password that Zuckerberg was still using.)
The most used passwords on some of the most heavily trafficked social media sites show how little thought goes into most passwords: the top entries could be guessed by anyone, no special tools required. So what does an easily cracked password look like?
The 2012 LinkedIn password file, covering 167 million accounts, shows these as its most common passwords (with the number of accounts using each):
- 123456 (753,305 instances among the breach)
- Linkedin (172,523)
- Password (144,458)
- 123456789 (94,314)
- 12345678 (63,769)
- 111111 (57,210)
- 1234567 (49,652)
- Sunshine (39,118)
- Qwerty (37,538)
- 654321 (33,854)
A 32-million-entry file of Twitter credentials was also released (Twitter said its own systems were not breached and attributed the data to malware on users' machines), with similar results:
- 123456 (120,417 instances)
- 123456789 (32,775)
- Qwerty (22,770)
- Password (17,471)
- 1234567 (14,401)
- 1234567890 (13,799)
- 12345678 (13,380)
- 123321 (13,161)
- 111111 (12,138)
- 12345 (11,239)
In some cases the issue traces back to a hacking group called OurMine, which allegedly obtained stolen password files for social media services, looked up celebrities in them, then tried those same passwords on other services (an attack known as credential stuffing, and the reason password reuse is so costly). But in reality all of us, famous or not, are vulnerable to breaches of our online accounts, and it's up to us to be diligent about protecting our online data.
Yet even when we try harder to come up with better passwords, we aren't very good at it, writes Nikhil Sonnad in Quartz. "To make a 'strong' password that they won't forget, people fall back on common behaviors," he writes. "Take a normal and uncommon word, like 'lighthouse.' Capitalize the first letter. Replace letters with similar-looking numbers. Put a symbol at the end. That might give you Lighth0us3!. This will pass all of those 'password strength' tests that you see when signing up for a new service. Problem is, a short word with such predictable alterations is trivial to crack."
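To show why those "predictable alterations" buy so little, here is an added example (not code from the original post or from Quartz) that turns the quoted recipe into mangling rules and runs them against a constructed unsalted SHA-1 hash of Lighth0us3!, the hashing scheme the 2012 LinkedIn dump actually used. The five-word wordlist, the rule set and the suffix list are assumptions chosen to keep the run small; real cracking tools apply thousands of rules to wordlists of millions of entries.

```python
import hashlib
import itertools

# Constructed stand-in for a wordlist; real attacks use dictionaries of
# millions of words plus every password leaked in earlier breaches.
WORDS = ["sunshine", "lighthouse", "password", "qwerty", "monkey"]

# The "predictable alterations" from the quote, written as mangling rules.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SUFFIXES = ["", "!", "1", "123", "!1", "2016"]


def sha1_hex(text):
    """Unsalted SHA-1, the (weak) scheme the 2012 LinkedIn dump used."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Yield `word` with every subset of the LEET substitutions applied."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(words=WORDS):
    """Every guess the rules produce: case form x leet variant x suffix."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def crack(target_hex, words=WORDS):
    """Return (password, guesses_tried) on a match, else (None, total_tried)."""
    tried = 0
    for guess in candidates(words):
        tried += 1
        if sha1_hex(guess) == target_hex:
            return guess, tried
    return None, tried


# Constructed target: the entry "Lighth0us3!" would have in an unsalted SHA-1 dump.
TARGET = sha1_hex("Lighth0us3!")

if __name__ == "__main__":
    # Recovered after a few hundred guesses, i.e. well under a millisecond of work.
    print(crack(TARGET))
```

Every guess the rules generate is a guess the user thought of as "strong", which is the point: the mangling adds a handful of bits, not the tens of bits a strength meter implies. The matching defense is on the server side, a salted, deliberately slow hash such as bcrypt or Argon2, so that each guess costs the attacker real time; the unsalted SHA-1 used here lets one hash computation be checked against every account at once.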
Microsoft is going a step further and has begun banning weak passwords outright. The company maintains a dynamically updated list of banned passwords, built from the passwords it sees attackers trying against its accounts. If you try to set one of them when changing your password, Microsoft's software rejects it and tells you to pick a password that's harder to guess.
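The check a banned-password list has to perform is more than a string comparison, because people submit "P@ssw0rd!" expecting it to count as different from "password". The following is an added example, not Microsoft's code or any detail of its list: it seeds a banned set with the common passwords listed above (an assumption standing in for the dynamically updated list the text describes) and canonicalizes each candidate by lowercasing it, reversing the usual look-alike substitutions and dropping a trailing run of digits and symbols before looking it up.

```python
import re

# Constructed banned list seeded with the most common passwords listed above;
# a deployment like the one described would refresh it continuously from the
# passwords seen in login attacks.
BANNED = {
    "123456", "linkedin", "password", "123456789", "12345678", "111111",
    "1234567", "sunshine", "qwerty", "654321", "1234567890", "123321", "12345",
}

# Reverse of the common look-alike substitutions. "1" is read as "i" here;
# a fuller implementation would also try "l", and "$"/"5" as "s" etc.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def _strip_tail(s):
    """Drop a trailing run of digits/symbols: "password123!" -> "password"."""
    return re.sub(r"[^a-z]+$", "", s)


def canonical_forms(pw):
    """All forms to look up: raw lowercase, de-leeted, and tail-stripped."""
    low = pw.lower()
    stripped = _strip_tail(low)
    forms = {
        low,                                  # catches "123456" as submitted
        stripped,                             # "Linkedin2012!" -> "linkedin"
        low.translate(UNLEET),                # "Sunsh1ne"      -> "sunshine"
        stripped.translate(UNLEET),           # "P@ssw0rd!"     -> "password"
        _strip_tail(low.translate(UNLEET)),   # "Lighth0us3!"   -> "lighthouse"
    }
    forms.discard("")
    return forms


def is_banned(pw, banned=BANNED):
    """True if any canonical form of `pw` is on the banned list."""
    return any(form in banned for form in canonical_forms(pw))


def check_new_password(pw, banned=BANNED):
    """What a password-change form would report for the submitted value."""
    if is_banned(pw, banned):
        return "Choose a password that's harder for people to guess."
    return "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Sunsh1ne", "Linkedin2012!", "Lighth0us3!"]:
        print(pw, "->", check_new_password(pw))
```

Note that "Lighth0us3!" still passes here: canonicalization correctly reduces it to "lighthouse", but that word is not on the small seed list. Coverage of the list is what does the work, which is why the text describes it as dynamically updated from attack traffic rather than fixed. A real deployment would also reject anything containing the user's own name, email or the service name (the "linkedin" entry above is the site's own name).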
While we’d all like to think that somehow, someday, everyone would have impregnable security that would prevent passwords from getting stolen, ever, that’s probably unrealistic. Instead, the best you can do is protect yourself from such a situation when—not if—it arises.
How can you do that? Aside from not using simple passwords, here are some other standard tips for good password hygiene:
- Don’t reuse passwords
- Don’t use well-known or easily guessed facts about yourself
- Change default passwords that come with your routers and other infrastructure
- Don’t write passwords down (a password manager is the safer way to keep track of many unique ones)
- Use two-factor authentication wherever it’s offered. Facebook, Gmail, Twitter, LinkedIn, Amazon and many banks support it, reports Kashmir Hill in Fusion, and it is apparently what kept Iribe’s hacker from being able to read his email as well.
Some researchers have gone so far as to suggest using poems to make passwords memorable, and have built a poem-password generator to do it. Actual words might seem easier to crack (and a poem won’t satisfy sites that require special characters), but the researchers’ point is that the strength comes from the combination of words: the generator chooses the words at random from a large vocabulary, so the number of possible poems is enormous even though every individual word is ordinary.
Beyond that, vendors and organizations are beginning to look at security systems beyond passwords, such as biometrics like fingerprints and retinal scans, and perhaps even selfies. A recent study by Lawless Research, Beyond the Password: The Future of Account Security, found that 36 percent of companies expect to do away with passwords within 1 to 4 years, and another 36 percent predict they will no longer use them in 5 to 9 years. In addition, 76 percent of companies said they had implemented or plan to implement behavioral biometrics, such as recognizing you by how you type: 22 percent are already using the technology and 54 percent plan to implement it in 2016 or later.
“In possibly just a few years, passwords will be just one part of a larger continuum of security measures that include chip-and-PIN tools on your credit card, iris scans, facial recognition, and much more,” writes Dan Seitz in Uproxx.
Simplicity 2.0 is where we examine the intricate and transitory world of technology—through a Laserfiche lens. By keeping an eye on larger trends, we aim to make software that’s relevant to modern day workers, rather than build technology for technology’s sake.