Hack-Me-Now Passwords

November 22nd, 2011 by Harrumpher

Seems to be time again for the semi-annual true scare about passwords. As always, the latest list of most hacked PWs shows we don’t have imagination or good sense.

At the very least, we should make hackers do a dictionary attack — running through an automated series of attempts of words in a lexicon or commonly used numbers. Instead, we seem to have some delusion of cleverness.

In the real world, of course, many of us choose PWs on a single criterion: can we remember it easily?

This season’s list of the top 25 hacked ones appears in Gizmodo. It publishes SplashData’s compilation of the top guessed PWs from millions. These are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

If you recognize any of yours, change it/them. The number one takeaway here is that we are not nearly so clever as we pretend to be.

Not All That Clever

I’m good with passwords and so far have not been hacked. Yet, I have had my own experiences that made me realize the poverty of my wit and imagination. For example, years ago I wanted a private domain and generated a list of maybe 20 to be ready when I registered one. They were clearly unique, certainly not taken, and illustrative of my fine brain. Ha! Each and all were taken. I ended up grabbing an eponymous domain name, which has great utility, but serves to remind me that the world of billions is rife with people at least equally clever.

Note that the above list comprises largely obvious keyboard numeric or alpha neighbors. My given name, which is always in the top baby names list too, appears. Others are common words and concepts. Even substituting a zero character for the o in password is ordinary as dirt. Not clever!

At its extreme, PW generation is automated…and severe. My wife’s financial-biz employer hands out tiny devices that constantly generate complex PWs on their small screens. When you need to log into the network, you use the current one, which quickly changes. Alternatively, we lesser mortals may use a pseudo-random PW-generation utility, which produces highly complex PWs on demand. These are never anything you’d likely memorize.

More sites and services have also installed rules for PWs. They won’t accept those that don’t meet these requirements. These might include at least eight characters, with at least one each upper and lower case letter, two numbers, and one or more special characters like punctuation marks.
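As an added illustration (not part of the original post), the sketch below applies the example rule set just described and then checks each candidate against the top-25 list above, so that a variant such as Passw0rd12! is still refused even though it satisfies every rule. The look-alike substitution table and the sample candidates are assumptions constructed for this example.

```python
import re

# The 25 most-guessed passwords from the list on this page.
COMMON = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passw0rd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael", "football",
}

# Assumed look-alike substitutions (not from the page): 0->o, 1->l, 3->e, ...
LEET = str.maketrans("013457@$!", "oleastasi")

# Compare both raw and substitution-normalized forms of every list entry.
COMMON_NORM = COMMON | {w.translate(LEET) for w in COMMON}


def meets_composition_rules(pw):
    """8+ characters, one upper, one lower, two digits, one special character."""
    return (
        len(pw) >= 8
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and len(re.findall(r"\d", pw)) >= 2
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def contains_common_password(pw):
    """True if a listed password, or a look-alike of one, appears anywhere in pw."""
    lowered = pw.lower()
    forms = (lowered, lowered.translate(LEET))
    return any(entry in form for entry in COMMON_NORM for form in forms)


def assess(pw):
    """Apply the composition rules first, then the blocklist check."""
    if not meets_composition_rules(pw):
        return "rejected: composition rules"
    if contains_common_password(pw):
        return "rejected: variant of a top-25 password"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ("password", "Passw0rd12!", "P@ssw0rd2011!",
                      "Monkey#2011", "Tru5tN01!!", "Vx7#qLm2pR"):
        print(f"{candidate:15} {assess(candidate)}")
```

The substring match is deliberately strict: it will also refuse a long password that merely contains a listed word.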

Advanced automated hacking routines are often up to the task though. If a log-in routine does not freeze at least for a while on three or five failed entry attempts, the hack software will pound away and may get even obscure combinations.

Even a solid PW may not be immune to manual or automated hacking. Knowing that, why make it too easy?

Most of us know now that we should not use obvious personal terms, like birthdays, street addresses, pet or relative names and such. A hacker can gather many of those frighteningly easily.

Beyond that, look over the most-hacked list. If you’ve ever used any of those or something remotely similar, take it as proof that the plug uglies out to get into your accounts won’t have to work too hard.
