Monday, January 15, 2007

A Word in Passing on Passwords

Known for gushing forth, I'll cut to the chase on the crucial matter of passwords.

A recent study of 34,000 MySpace account passwords elucidated patterns in password construction. The good news is now we know how not to build a password.

About fifty percent of the passwords in this study have either seven or eight characters, and typically employ a pronounceable root with a suffix numeral or two. The bad news is that most roots are found in an English dictionary and the suffix is frequently no more than the numeral one.

The most common password found in the study—hold on to your seat—is password1. Yes, you read right. Other common passwords included: abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey. Aside from learning that some of our charming offspring are using an expletive for a password, we can quickly observe a pattern that hackers surely already know.
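The pattern the study describes (a dictionary word, optionally followed by one or two digits) is easy to check for mechanically, which is exactly why it is weak. The following is an added example, not code from the original post; the word list is a constructed stand-in for the English dictionary a cracking tool would use, and the dictionary size and guess rate in the usage line are illustrative figures, not numbers from the study.

```python
import re

# Constructed mini word list standing in for a full English dictionary;
# a real policy checker would load a complete word list (assumption).
COMMON_ROOTS = {
    "password", "myspace", "baseball", "football", "soccer", "monkey",
    "liverpool", "princess", "superman", "iloveyou", "qwerty", "dictionary",
}

# Lower-case letters, optionally followed by one or two digits: the shape the
# MySpace study reports for about half of all passwords.
ROOT_PLUS_SUFFIX = re.compile(r"^(?P<root>[a-z]+)(?P<suffix>\d{0,2})$")


def classify(password):
    """Return a short reason if the password fits the study's weak pattern, else None."""
    p = password.lower()
    if p.isdigit():
        return "digits only"
    m = ROOT_PLUS_SUFFIX.match(p)
    if m is None:
        return None            # symbols or digits in the middle: not the common shape
    root, suffix = m.group("root"), m.group("suffix")
    if root not in COMMON_ROOTS:
        return None            # pronounceable, but not a word in our list
    return "dictionary root" + (" + numeric suffix" if suffix else "")


def pattern_space(dictionary_size):
    """Guesses needed to try every root bare, with one digit, and with two digits."""
    return dictionary_size * (1 + 10 + 100)


def seconds_to_exhaust(dictionary_size, guesses_per_second):
    """Time for a tool making that many guesses per second to cover the whole pattern."""
    return pattern_space(dictionary_size) / guesses_per_second


if __name__ == "__main__":
    for pw in ["password1", "monkey", "123456", "abc123", "dicti@#)onary"]:
        print(f"{pw:15} -> {classify(pw)}")
    # Illustrative figures: a 100,000-word list at 1,000 guesses per second.
    hours = seconds_to_exhaust(100_000, 1_000) / 3600
    print(f"{hours:.1f} hours to cover every root-plus-suffix candidate")
```

A check like this belongs at the point where a user chooses a password: rejecting anything `classify` flags removes the half of passwords the study found most predictable, while the arithmetic in `seconds_to_exhaust` shows why that pattern space is small enough to cover in hours.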

Speaking of hackers, they don't sit in front of a web browser pounding out password guesses on a keyboard while trying to crack a Hotmail account. If that were so, then even the password 123456 might not seem problematic. What they do is fashion computer programs that automatically pluck words from a digital dictionary, paste the numeral 1 on the end, then plop it in the password field of a web login page at the rate of thousands of attempts—per second (although some sites refuse any login after a series of failed attempts). This can be done while the hacker goes to lunch, letting the computer do the grunt work. When he returns with a Krispy Kreme and a Jolt Cola in hand, he has a bite and a swig of our password goodies, too.
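The parenthetical about sites that refuse logins after repeated failures is the server-side defence against the thousands-per-second guessing described above. Here is an added example of such a failed-attempt lockout, not code from the original post or from any site it names; the account name, thresholds and timestamps are constructed, and the clock is passed in explicitly so the logic runs offline.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after too many failed logins inside a sliding window."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def allowed(self, account, now):
        """True if a login attempt for this account may be processed at time `now`."""
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False
            # Lock has expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures[account].clear()
        return True

    def record_failure(self, account, now):
        """Note a failed attempt; returns True if this one triggered a lockout."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A correct password clears the failure history for the account."""
        self._failures.pop(account, None)


if __name__ == "__main__":
    # Constructed scenario: three wrong guesses one second apart, then a wait.
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    for t in range(3):
        locked = throttle.record_failure("alice", now=t)
        print(f"t={t}: failure recorded, locked={locked}")
    print("t=3 allowed:", throttle.allowed("alice", now=3))      # False
    print("t=123 allowed:", throttle.allowed("alice", now=123))  # True, lock expired
```

With a limit of a handful of failures per window, a guessing tool that could otherwise run through a dictionary over lunch gets only a few tries before every further attempt is refused. One caveat a practitioner should keep in mind: a per-account lock can itself be abused to keep a legitimate user out, so production systems usually pair it with per-source throttling and alerting rather than relying on the lock alone.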

One very real client lost a very real Hotmail account because this person used only their first name as the password. Apparently hacked by spammers, the client's account (replete with irreplaceable address book entries) was used to send spam (very common purpose) until Hotmail noticed the errant use and shut down the account for good.

She was lucky. Other hackers want juicier stuff that can result in identity theft.

The take-home lesson for today is that passwords matter, and bad passwords make for very real risks of bad people gaining access to your private online accounts.

What can you do to thwart password hijacking? Random combinations of letters and other characters are beyond the reach of the clever hacking tools that make crafty guesses, but we don't use them because we can't remember them. A few simple steps are thought to reduce the risk of password theft while still permitting us memorable passwords:

Forthwith is a sample password constructed on the rules above: dicti@#)onary

I hesitated to provide an example. Please, please do not use this hypothetical password—as your own password!

For the time being, we can now be slightly ahead of the clever hackers by being slightly more clever than they. For now. Alas, as in all predator-prey relationships whether biological or cybernetic, one cannot rest for long. I cannot, and do not, under any circumstances offer any guarantees of password safety.

Pass the word around.
