I vill ask you again: “Is it safe?”
Just try reading this new post at Dan Ariely’s blog at Technology Review about online password strength without thinking of Spaceballs:
I’m moderately sloppy in terms of overuse of a handful of passwords, but on the other hand, I think the ones I’ve chosen are relatively hard in terms of being just weirdo nonsense with no obvious guessability unless you plan to pull an Inception-style extraction when I nod off next to you on the train. Even my low-impact (read: impossible to forget) password is at least something fairly random. But this is pretty striking:
A major Israeli apartment-listing website was hacked and so was Pizza Hut’s local website. The credentials of over 100,000 user accounts (roughly 2% of internet users in the country) were revealed and published on dubious Turkish forums…
The most common password was 123456 (584 users), with 1234 as the runner-up (569) and 12345 coming in third (388). All in all, 1786 passwords (5.65%!) consisted of consecutive increasing numerals. This means that one person in 18 didn’t muster the cognitive capacity to generate a password more intricate than 1234 and the like. 788 people (roughly 2.5%, or one in forty people) chose a password identical to their username. 417 people (1.32%) chose a password consisting of identical digits (e.g. 1111).
Altogether, that covers nearly 9.5% of the 31,588 accounts surveyed – and I’m leaving out some of the other weak password strategies that get mentioned further into the analysis.
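The three weak-password categories counted above (consecutive increasing digits, password identical to the username, one repeated character) are easy to check mechanically, either as a registration-time rejection rule or as an audit over an existing credential dump. The script below is an added example written for this post, not code from Ariely's or Alon Nir's analysis; the credential list is constructed for illustration, and the case-insensitive username comparison is an assumption that goes slightly beyond what the quoted analysis describes.

```python
"""Weak-password pattern audit (added example; sample data is constructed).

Classifies each (username, password) pair into one of the weak categories
from the quoted breakdown and aggregates counts the way the analysis does.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample credentials, not data from the real breach.
SAMPLE_CREDENTIALS: List[Tuple[str, str]] = [
    ("alice", "123456"),
    ("bob", "1234"),
    ("carol", "12345"),
    ("dave", "dave"),
    ("erin", "1111"),
    ("frank", "aaaaaa"),
    ("grace", "c0rrect-h0rse-battery"),
    ("heidi", "Tr0ub4dor&3"),
    ("ivan", "6789"),
    ("judy", "Judy"),
    ("mallory", "7890"),   # 9 -> 0 is not an increase, so this is not a run
    ("oscar", "0123"),
    ("peggy", "123456"),   # duplicate of alice's password
]


def is_increasing_run(pw: str) -> bool:
    """True for a password that is a run of consecutive increasing digits (1234, 123456, ...)."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    return all(int(b) == int(a) + 1 for a, b in zip(pw, pw[1:]))


def is_same_as_username(username: str, pw: str) -> bool:
    """True when the password equals the username; case-insensitive by assumption."""
    return pw.casefold() == username.casefold()


def is_repeated_char(pw: str) -> bool:
    """True for a password made of a single repeated character (1111, aaaaaa)."""
    return len(pw) >= 2 and len(set(pw)) == 1


def classify(username: str, pw: str) -> Optional[str]:
    """Return the weak category a credential falls into, or None if none applies.

    Categories are checked in the same order as the quoted breakdown so each
    credential is counted exactly once.
    """
    if is_increasing_run(pw):
        return "increasing_run"
    if is_same_as_username(username, pw):
        return "same_as_username"
    if is_repeated_char(pw):
        return "repeated_char"
    return None


def audit(credentials: List[Tuple[str, str]]) -> Dict[str, object]:
    """Aggregate weak-category counts and the overall weak percentage."""
    counts: Counter = Counter()
    for username, pw in credentials:
        category = classify(username, pw)
        if category is not None:
            counts[category] += 1
    total = len(credentials)
    weak = sum(counts.values())
    return {
        "total": total,
        "weak": weak,
        "pct_weak": round(100.0 * weak / total, 2) if total else 0.0,
        "by_category": dict(counts),
    }


def most_common_passwords(credentials: List[Tuple[str, str]], n: int) -> List[Tuple[str, int]]:
    """The n most frequent passwords with their counts, like the 123456/1234/12345 ranking."""
    return Counter(pw for _, pw in credentials).most_common(n)


if __name__ == "__main__":
    report = audit(SAMPLE_CREDENTIALS)
    print(f"{report['weak']} of {report['total']} ({report['pct_weak']}%) fall into a weak category")
    for category, count in sorted(report["by_category"].items()):
        print(f"  {category}: {count}")
    print("most common:", most_common_passwords(SAMPLE_CREDENTIALS, 3))
```

Used at registration time, `classify` gives a rejection reason rather than a score; the same functions run over an exported credential list reproduce the kind of breakdown quoted above. The `7890` entry shows why the run check compares each digit to its predecessor instead of just testing "all digits in order".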
Alon Nir suggests this may be a case of people being in a hurry to register, who don’t care much about security when their account is new and has no real theft-worthy data but then don’t bother to update to a ‘hard’ password as their profile grows. Several commenters also point out (perhaps legitimately) that these might just be seen as ‘low value’ accounts for some users, as opposed to Gmail or Facebook, where a lot of havoc could be wreaked by poor password security.
However, I’m inclined to be far less generous, and my general impression – although not backed up by hard statistical data – is just that people are remarkably lazy and ill-informed when it comes to security, regardless of how many breathless evening news warnings we hear about identity theft and Russian hackers turning our PCs into a porn-distribution zombie army and so on. I’d also speculate that unless users are forcefully compelled by a site to enter a strong, hacker-resistant password (which they will then promptly forget), they will mostly choose the path of least resistance and stick with their luggage combination. We’ve been warned about this for years, and even as more people move online, it’s clear that remarkably little has changed.
But even geeks get lazy – one of the commenters on Ariely’s site points to his own blog, where he discusses his experiences with password security at a number of other websites. My favorite part is how the top three passwords for the website “elite-hackers.com” are, respectively, “123456”, “password” and “12345”. Wow – way to keep it 1337, guys…