Troy Hunt, a Microsoft MVP, has done some terrific analysis of the passwords people use. Unfortunately, what has made this possible is the recent trend in hacktivism whereby it is common for hacktivists to post the spoils of their attacks online to generate publicity and shame the company being attacked. While this has been bad news for the companies and their customers, it has provided a rich data set for researchers to analyze. The results from Troy’s research are pretty interesting. Rather than rehash the results here, I’ll let you read them yourself: www.troyhunt.com/2011/06/brief-sony-password-analysis.html
What struck me while reading the blog is how much we know about what kind of passwords people create and how little we’ve been able to make practical use of any of this knowledge. Sure, we all run off and write blogs about how people need to make their passwords harder to crack. I don’t want to insult anyone’s blogging skills, but so far this hasn’t produced a lot of progress.
I think there is a way we can drive benefit, and better security, from this data. And the responsibility to do that falls back to those of us who build security solutions, which is where it should be.
Here’s the situation: websites all seem to have rules about what characters to use for a password. They have rules about the length of the password. And they enforce those rules. I can’t create a password for the site if I don’t follow the rules. Although these sites ought to make sure these rules are aligned to best practices of length and character usage, this isn't always the case. But that’s not where I see the biggest opportunity. I'm sure they keep the password length low to help prevent forgotten passwords or to keep from just annoying users, so I'll save discussion of those practices for another day.
Here is an easy-to-implement way to force users to create better passwords: since the account creation program is already checking my password for the right number of characters and the right mix of numbers and letters, why can’t it also check whether the password appears in the dictionaries of common passwords that hackers already have?
Here is the list of the top 25 most used passwords from Troy’s research: seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, 9452, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, bailey.
I went to a couple of websites and set up new accounts. I created one account using purple (the fifth one in the list above) as a password. The site told me it was a weak password, but let me use it anyway. At another site, it would not allow purple, not because it was a common password, but because it was too short. So back I went to Troy Hunt’s blog. He listed a couple of passwords found in password dictionaries. They were “1qazZAQ!” and “dallascowboys.” I tried those. I was again told I was using weak passwords, but because they met the length rules the site didn’t prevent me from using either one.
Here’s my proposal. These password dictionaries are not hard to get. Why don’t websites add them as a check and refuse to let their customers use common passwords? Sure, a few Dallas Cowboys fans might not be happy, but they have bigger problems with the team’s recent on-field performance. Don’t think of it as annoying or limiting customers. Think of it as educating them. Oh yeah, and you’ll be protecting them, too.
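One way to implement the check proposed above, as an added example and not code from this post or from any of the sites mentioned: a registration-time policy that keeps the usual length rule but also rejects any password that appears in a common-password list, so that “1qazZAQ!” and “dallascowboys” fail the way “purple” did. The denylist is built from the top-25 list quoted above plus those two entries; the minimum length of 8 and the trailing-digit/symbol stripping heuristic are my assumptions, not something the post specifies.

```python
import re

# Constructed denylist: the top-25 passwords quoted in the post plus the two
# dictionary entries the author tried. A real deployment would load a much
# larger list from a file, one password per line, and case-fold it the same way.
COMMON_PASSWORDS = {p.casefold() for p in (
    "seinfeld", "password", "winner", "123456", "purple", "sweeps", "contest",
    "princess", "maggie", "9452", "peanut", "shadow", "ginger", "michael",
    "buster", "sunshine", "tigger", "cookie", "george", "summer", "taylor",
    "bosco", "abc123", "ashley", "bailey", "1qazZAQ!", "dallascowboys",
)}

MIN_LENGTH = 8  # assumed site policy; the post does not give a number

# Trailing digits and punctuation that users bolt onto a dictionary word
# ("purple2011!") to satisfy complexity rules. Heuristic assumed here.
_SUFFIX = re.compile(r"[\d!@#$%^&*.?_-]+$")


def _variants(pw: str):
    """Yield the forms of pw that should be looked up in the denylist:
    the case-folded password, and that password with a trailing run of
    digits/symbols removed (only when stripping actually changes it)."""
    folded = pw.casefold()
    yield folded
    stripped = _SUFFIX.sub("", folded)
    if stripped and stripped != folded:
        yield stripped


def check_password(pw: str, denylist=COMMON_PASSWORDS) -> list:
    """Return the list of policy failures; an empty list means accepted.
    Both rules are evaluated so the user sees every reason at once: a short
    dictionary word like "purple" reports both, a long one like
    "dallascowboys" reports only the dictionary hit."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short (minimum %d characters)" % MIN_LENGTH)
    if any(v in denylist for v in _variants(pw)):
        failures.append("appears in a common-password dictionary")
    return failures


if __name__ == "__main__":
    for candidate in ("purple", "1qazZAQ!", "dallascowboys", "Purple2011!",
                      "correct horse battery"):
        print("%-22s -> %s" % (candidate, check_password(candidate) or ["ok"]))
```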