Are you still using “password” to protect access to your vital administration systems? Of course not but, according to software security company SplashData, it’s still at #1 in the dumb password chart. Here’s the “top” 25 compiled from lists of stolen passwords posted online:
- password
- 123456
- 12345678
- qwerty
- abc123
- monkey
- 1234567
- letmein
- trustno1
- dragon
- baseball
- 111111
- iloveyou
- master
- sunshine
- ashley
- bailey
- passw0rd
- shadow
- 123123
- 654321
- superman
- qazwsx
- michael
- football
If your password’s on this list, perhaps it’s time to reconsider your security.
But, before we start sneering at user stupidity, are we partly to blame? Nearly every web application we create requires a password and they contribute to the problem. Despite the rise of OAuth and similar solutions, even infrequent web users probably require a dozen passwords for different sites. It doesn’t matter how much advice or education we give: people will always choose the easy option and select a simple password they can remember.
Overly-Complex Password Policies
Some systems attempt to solve the bad password problem by implementing certain lengths, requiring at least one number and making users change their password every few days. The worst examples limit the number of characters and don’t permit unusual characters such as punctuation. Effectively, they’re handing hackers a password “template” … and they rarely prevent people choosing “password01”, “password02”, etc.
Passive Security Education
With the possible exception of minimum-length passwords for financial and government services, users should generally be permitted to enter what they like. Good systems will encrypt passwords so there’s no reason to limit the string length or the characters which can be entered.
Red-amber-green indicators for weak passwords are generally good, although it’s fairly abstract and I’ve seen many users ignore the warning. Perhaps a more informative alternative could highlight the consequences of a poor password, e.g.
A hacker could access your account in 3 seconds.
Unfortunately, passwords remain our best option for web security. Unless someone knows of a better fool-proof alternative?
Craig BucklerCraig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
