Tag Archives: howsecureismypassword
Better change your passwords
Seriously. I’m not just telling you this because it’s World Password Day (it is, though, and I don’t know what Betty White has to do with anything). I’m saying it because it has come out that a security pro at Hold Security discovered an absolutely massive theft of usernames and passwords from Russia’s largest email provider, mail.ru, about 275 million stolen records. Not only that, there was a significant amount of credentials stolen from Gmail, Hotmail, and Yahoo account holders as well. Incidentally, many reports are saying ‘Microsoft’ instead of ‘Hotmail,’ which is a Microsoft property, but they also have Outlook which hasn’t, as far as I can figure out, been hit.
Most surprising of all, even more than the fact this is one of the largest theft of electronic records in history, is that the teenage hacker who acquired them was willing to sell the whole multi-hundreds-of-millions record lot for the grand sum of $1. But wait, there’s more! The hacker was discovered via his bragging of the theft in an online hacking forum, and when the Hold Security employee who engaged offered to leave positive feedback for the hacker, the price was dropped to free. That’s right, free for the mere quid pro quo of a positive review.
Off topic, but that touches on the concept of what is known as the reputation economy, in which someone’s actual worth depends on what others say about them in public and think about them in private. You can read more about it here.
It’s no secret people use bad passwords all the time, and reuse them over and over for multiple functions and sites. Don’t do that! Use a passphrase – in class just today, my students suggested ‘sheturnedmeintoanewt,’ a line from Monty Python and the Holy Grail, which turns out to be a perfect passphrase. It’s long, complex, yet easy to remember. Plus, it would take 16 BILLION years to crack! How do I know? Because we plugged it into howsecureismypassword.net, and that was its estimate. Even if it’s off by a billion years or so, that’s still pretty good. If we capitalize just one letter, the ‘n’ in newt, it jumps up to 17 quadrillion years. This isn’t the be-all end-all for accurately determining password strength, but it’s a good estimator.
If you’d like to use a different password for each site or service, but are worried about keeping track of them all, you can use a password manager like KeyPass to manage them all. Some password managers even enter the passwords for you. I don’t know how I feel about that personally, but it is easier. Beware, password managers often have a master password and if you lose or forget that, you are screwed – you’ll be resetting passwords forever.
Everyone knows I hate passwords and especially the policies that go along with them, and I hope the scourge of passwords is one we can raze from this earth in the very near future, replaced with something more robust – but not 100% foolproof – like biometrics (fingerprint scanners, for example). Until then, just remember: It’s only a flesh wound.
I don’t know why I bother
SplashData has, as they are wont to annually do, released their list of the worst passwords of 2015. Definitely look at the link, there’s lot of additional information there regarding how dumb we are when it comes to this. Want to take a guess which terrible password takes the top spot? That’s right, 123456. Anyone suprised? Anyone? No? Frankly, if that’s your password, you deserve whatever happens. Not to be all alone, other number-based passwords made the list as well, including 12345678 and 123456789. Other idiotic passwords include qwertyuiop, login, and passw0rd. That last one is especially offensive, as though the person thinks they are pulling a fast one by having a zero instead of an o. They’re in for an unpleasant surprise.
I used a different header image than I originally had intended, one that showed the bad passwords from 2014. They’re generally the same as last year, but I ended up not going with it because it was redundant considering the list below, but the original version of this post still referenced it. So I made a fun edit, and instead I found the Facebook post used in the header which – although I sincerely hope it’s fake – really very much hope that it is fake – shows how gullible people can be. If it’s real, I wouldn’t at all be surprised. Now hold on while I allow a Nigerian prince access to my bank account.
There are some passwords on the list that are less offensive, as though the person tried, including dragon and starwars, but geez oh man, at least throw a capital letter or exclamation point or something in there, even the passw0rd people up above did that. If you really need to make a strong password, remember a sequence of at least four random words is the best alternative, and hopefully one day passwords will go the way of the dinosaurs and disco (although I do love disco), and we can switch to things like biometrics full time. Here’s the full list, pasted from Cnet:
1 – 123456 (unchanged from 2014)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 1)
5 – 12345 (down 2)
6 – 123456789 (unchanged)
7 – football (up 3)
8 – 1234 (down 1)
9 – 1234567 (up 2)
10 – baseball (down 2)
11 – welcome (new)
12 – 1234567890 (new)
13 – abc123 (up 1)
14 – 111111 (up 1)
15 – 1qaz2wsx (new)
16 – dragon (down 7)
17 – master (up 2)
18 – monkey (down 6)
19 – letmein (down 6)
20 – login (new)
21 – princess (new)
22 – qwertyuiop (new)
23 – solo (new)
24 – passw0rd (new)
25 – starwars (new)
Incidentally, if you think you have a pretty robust password, and want to test if you really have the goods, you can go to howsecureismypassword.net and see. The site is legitimate, I promise, it’s not stealing your credentials or anything like that, and it will show you how strong your password really is. Here’s mine – I’ve got the process down.