Real world passwords

Bruce Schneier reports on data from a MySpace phishing attack and provides interesting statistics about the harvested passwords, such as

“Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.”

I’m not surprised.

From my own experience, there are two possible schemes at work in today's real world:

  1. Strong password policies with too-frequent changes and too-complex demands (at least 8 characters, two numerals, two special characters, change every 2 weeks): people just write them down.
  2. Weak policies: people use favourite words and, where needed to comply, append increasing numbers (password01, password02, …).
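Both schemes leave fingerprints that a password-acceptance check can catch: the word is one of the well-known favourites, or it is the previous password with only the trailing counter bumped. The checker below is an added example, not code from the post or from Schneier's data; the only input it embeds is the top-20 list quoted above, and the stem-plus-counter heuristic (strip trailing digits, compare what is left) is an assumption of this example rather than anything derived from the MySpace data.

```python
import re

# Constructed sample data: the top-20 list quoted above from Schneier's post.
COMMON_PASSWORDS = [
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "fuckyou", "123abc", "baseball1", "football1", "123456", "soccer",
    "monkey1", "liverpool1", "princess1", "jordan23", "slipknot1",
    "superman1", "iloveyou1", "monkey",
]

# Lazy stem followed by a run of digits at the very end: "password02" -> ("password", "02").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def split_counter(password):
    """Split a password into (stem, trailing digits); digits is None if there are none."""
    lowered = password.lower()
    m = _TRAILING_DIGITS.match(lowered)
    if m is None:
        return lowered, None
    return m.group(1), m.group(2)


# Literal matches plus the stems of the list ("password1" -> "password"), so that
# "password02", "monkey7" and "soccer99" are all caught. All-digit entries such as
# "123456" have an empty stem and are only matched literally.
COMMON_SET = {w.lower() for w in COMMON_PASSWORDS}
COMMON_STEMS = {split_counter(w)[0] for w in COMMON_PASSWORDS} - {""}


def check_password(new, previous=None):
    """Return a list of rejection reasons; an empty list means the password passes.

    Two checks, one per scheme described in the post (heuristic, assumed here):
    1. the word is a common password, with or without a trailing counter;
    2. the new password is the previous one with only the trailing number changed.
    """
    reasons = []
    stem, _counter = split_counter(new)
    if new.lower() in COMMON_SET or stem in COMMON_STEMS:
        reasons.append("common password (trailing digits ignored)")
    if previous is not None:
        old_stem, _old_counter = split_counter(previous)
        if new.lower() == previous.lower():
            reasons.append("password reused unchanged")
        elif stem == old_stem:
            reasons.append("same word as previous password, only the trailing number changed")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the first two fit the post's two schemes, the last does not.
    for new, old in [("password02", "password01"), ("Monkey7", None),
                     ("123457", "123456"), ("correct horse battery staple", "password01")]:
        verdict = check_password(new, old) or ["ok"]
        print(f"{new!r} (previous {old!r}): {', '.join(verdict)}")
```

The stem comparison is deliberately case-insensitive and ignores how many digits were appended, because the rotation habit the post describes survives both "Password1" capitalisation and a two-digit counter; a real deployment would swap the 20-entry list for a full breach-derived wordlist, but the two checks stay the same.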

This is simply not working. We urgently need to move to a system that eliminates the human element, such as SecurID or other token mechanisms.

