Thursday, February 23, 2012

Passwords: You’re doing it wrong

People get their accounts “hacked” all the time. Most of the time (in my limited experience) it seems that the victims were just incredibly lax with their security or simply naive, unthinkingly giving away their passwords to phishers and other scam artists. I’ve even seen people asking for help on the YouTube forums and giving their username and password so somebody could look at their account settings for them.

Sometimes, though, people’s accounts are hacked by brute force, often by the simplest technique imaginable: guessing the password.

An insight into why this would work was unwittingly given by one of the biggest porn sites on the web, which suffered a serious breach of security exposing members’ e-mail addresses and passwords. The site itself did what they could to contain the damage, but aside from the profound embarrassment suffered by those who probably didn’t want the world to know that they enjoy watching naked people doing naughty things, there was also the issue that many people use the same password for everything, so who knows what else might be compromised?

But the most interesting and, frankly, unsettling revelation comes to us thanks to a certain Ashkan Soltani, who created a word cloud of the most frequently used passwords for that site.

Especially popular are sequences of letters and numbers, most often in the order they appear on a computer keyboard: “qwerty123”, “qwerty123456” and “asdfgh123” feature prominently. The site’s name (with and without a sequence of numbers) was another choice, as was, incredibly, “password”. Several passwords were obscenities relating to sex, also obvious passwords for a would-be hacker to try; one of those, interestingly, was in German and actually has a very specific meaning (unlike the more general terms apparently favoured by English-speakers). Female names also seem quite popular, and I’m guessing that they are names of famous porn stars (unless an inordinate number of connoisseurs of erotica happen to be married to women called Melinda and are crass enough to use that name as a password to a porn site).
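The patterns in that word cloud (keyboard walks with a number tacked on, the site’s own name, the literal word “password”, a first name plus digits) are exactly the kind of thing a site can refuse at sign-up. The checker below is an added example written for this post, not anything from the breached site or from Soltani’s analysis; the site name, the name list, the banned-word list and the sample passwords are constructed placeholders.

```python
"""Defensive password screen for the patterns discussed above.

Added example, not code from the original post. SITE_NAME, COMMON_NAMES,
BANNED_WORDS and SAMPLE_PASSWORDS are constructed placeholders; a real
deployment would use the site's own name and a large word/name list.
"""
import re
from collections import Counter
from typing import Optional

# Rows of a US QWERTY keyboard, used to spot "keyboard walks" like qwerty/asdfgh.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

SITE_NAME = "examplesite"                      # placeholder for the site's own name
COMMON_NAMES = {"melinda", "jessica", "jenna", "ashley"}   # constructed sample list
BANNED_WORDS = {"password", "letmein", "welcome"}          # constructed sample list
MIN_LENGTH = 12                                # policy choice, assumed here


def _strip_digit_suffix(pw: str) -> str:
    """'qwerty123' -> 'qwerty'; an all-digit password is returned unchanged."""
    return re.sub(r"\d+$", "", pw) or pw


def is_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if s (or its reverse) is a run of at least min_len adjacent keys in one row."""
    if len(s) < min_len:
        return False
    return any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def weakness_reason(password: str) -> Optional[str]:
    """Return why the password would be an early guess, or None if it passes."""
    pw = password.lower()
    core = _strip_digit_suffix(pw)
    if pw in BANNED_WORDS or core in BANNED_WORDS:
        return "literal banned word"
    if core == SITE_NAME or SITE_NAME in pw:
        return "derived from site name"
    if is_keyboard_walk(core):
        return "keyboard sequence"
    if core in COMMON_NAMES:
        return "common first name"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def audit(passwords) -> dict:
    """Count how many of a password list fall into each weakness category."""
    counts = Counter(weakness_reason(p) or "ok" for p in passwords)
    return dict(counts)


# Constructed sample input echoing the patterns the post describes.
SAMPLE_PASSWORDS = [
    "qwerty123", "qwerty123456", "asdfgh123", "examplesite", "examplesite69",
    "password", "Melinda1", "123456", "Tr0ub4dor&3", "correct horse battery staple",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:35} -> {weakness_reason(pw) or 'ok'}")
    print(audit(SAMPLE_PASSWORDS))
```

Only the last sample survives the screen; “Tr0ub4dor&3” fails purely on length, which illustrates that a substitution-heavy short string is not automatically better than a longer plain one.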

What do we learn from this? Well, for one, we learn that entrusting your data to any website is always taking a risk. Most importantly, though, we learn that anyone who thinks they’re safe choosing “qwerty123” as a password on the grounds that everybody knows you shouldn’t and so nobody would suspect that you would is deluding themselves.

Use secure passwords, folks.
