A couple of unsurprising tidbits on passwords

Digital Trends published an article yesterday entitled What’s the Worst Password of 2012?

Retaining the number one spot as the least secure password for yet another year, people who continue to use the phrase “password” as their personal password remain at the highest risk when it comes to hacking. Detailed in SplashData’s annual report, the three phrases “password,” “123456,” and “12345678” have continued to dominate the top three spots on the list.

SplashData CEO Morgan Slain said “We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”

I am not convinced that people don’t understand how risky it is to use weak passwords. There are definitely some who don’t know, but users are pretty good at recognizing what is a weak password and what is not. From Stephen Cobb’s presentation at Virus Bulletin, entitled “What do Consumers Really Know About Antivirus,” on page 14:


So you see, they aren’t totally clueless. Most people have had it drilled into them what’s secure and what’s not. However, as I talked about in my blog post about that presentation, there is a behavior gap between what people say they believe and what they actually do (e.g., people say they believe Windows PCs are the least secure platform, yet Windows remains the most used platform).

Thus, it is not necessarily an awareness problem of educating users about what a weak password is; it may be a problem of getting them to stop using weak passwords even though they know their password is weak.

The advice given by security experts is the typical advice that we give:

In order to create a safer password, SplashData suggests using security phrases with at least eight characters while utilizing a variety of characters within the phrase. This could include using a common phrase that’s broken up by underscores between words or substituting symbols for letters within a word. For instance, the phrase “p@$$w0r6” is more secure than typing out the word using all letters.

Splashdata also recommends using multiple passwords across different types of sites. For instance, using the same security phrase on a social network as you do when accessing your online banking could become problematic if the social network is hacked.
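One caveat a practitioner would add to the symbol-substitution advice quoted above: swapping “@” for “a” and “$” for “s” is a fixed, well-known transform, and password crackers apply exactly that transform to every dictionary word before hashing. The following is an added example, not code from the Digital Trends article or from SplashData. The substitution table and the short wordlist are assumptions constructed for the example, modelled on the leet rules common cracking tools ship with rather than copied from any particular tool; the hashes are unsalted SHA-256 computed here, not data from any breach.

```python
"""Rule-based mangling of dictionary words, the way password crackers do it.

Added example (not from the quoted article or SplashData). It shows why
"p@$$w0rd"-style substitution adds little strength: the transform is a small,
known set of per-letter rules, so a cracker applies the same rules to every
dictionary word and hashes the results. LEET and WORDLIST below are assumptions
constructed for this example.
"""
import hashlib
from itertools import product
from typing import Dict, Iterable, Iterator, Set

# Assumed substitution table. Each letter maps to the characters a typical
# leet rule tries in its place; the letter itself is kept so that partially
# substituted spellings ("pa$$word") are generated as well.
LEET: Dict[str, str] = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!",
    "l": "l1|", "o": "o0", "s": "s5$", "t": "t7+", "z": "z2",
}

# Constructed sample wordlist; real crackers use lists of millions of words.
WORDLIST = ["password", "letmein", "troubador", "monkey", "dragon", "qwerty"]


def leet_variants(word: str) -> Iterator[str]:
    """Yield every spelling of `word` reachable by per-letter substitution."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    for combo in product(*choices):
        yield "".join(combo)


def case_variants(word: str) -> Set[str]:
    """The capitalisation rules crackers try first: as typed, Capitalised, UPPER."""
    return {word, word.capitalize(), word.upper()}


def candidate_set(word: str) -> Set[str]:
    """All leet and case variants of one dictionary word.

    For "password" this is 54 substitution patterns x 3 case forms = 162
    candidates, a search space a CPU exhausts in well under a millisecond.
    """
    out: Set[str] = set()
    for variant in leet_variants(word):
        out |= case_variants(variant)
    return out


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, as many breached sites stored passwords at the time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: recovered_password} for every hash a mangled word hits.

    Stops early once every hash is recovered. A hash whose plaintext is not
    a single mangled dictionary word (a random passphrase, say) stays absent.
    """
    remaining = set(hashes)
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in candidate_set(word):
            h = sha256_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


def demo() -> Dict[str, str]:
    """Crack a constructed set of leet-style passwords; return {original: recovered}."""
    originals = ["p@$$w0rd", "Tr0ub4dor", "LETME1N", "correcthorsebatterystaple"]
    targets = {sha256_hex(p): p for p in originals}   # constructed targets
    hits = crack(set(targets), WORDLIST)
    return {targets[h]: plaintext for h, plaintext in hits.items()}


if __name__ == "__main__":
    print(len(candidate_set("password")), "candidates derived from 'password'")
    for original, recovered in demo().items():
        print(f"recovered {recovered!r}")
```

Run stand-alone, it reports 162 candidates for “password” and recovers three of the four constructed targets from a six-word list; only the multi-word passphrase survives, because no single mangled dictionary word produces it. The substitution did not make “p@$$w0rd” expensive to guess, it just moved it from the first pass of a cracker to the second.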

Even though I give out this advice from time to time, I cringe when I do. Why? Because nobody does it! Everyone I talk to engages in some sort of password reuse unless they use password management software (but are you going to install it across all of your devices? What if you borrow someone else’s device?).

Why does no one do it? Because humans are bad at remembering long, random strings that we use only occasionally. To get good at memorizing things like this, we have to train our memories. Our brains aren’t naturally built this way.

Furthermore, we take shortcuts because we don’t want to reset our passwords. It’s so undesirable that 38% of us would rather clean a toilet than think up a new password:

Increased security can come at a price — way too many usernames and passwords to keep track of. If you find yourself overwhelmed by authentication overload, you’re not alone.

Some 38% of us think attempting to solve world peace would be a more manageable task than trying to deal with yet another set of login credentials, according to a recent Harris Interactive poll.

Another 38% agreed with the statement, “I would rather do house chores (e.g., my laundry, the dishes, clean the toilet) than to have to create another new user name or password.”

Why do people believe this? Because there is a serious mental cost to changing our passwords. We have to memorize a new one. So, if it’s going to be secure, we’re going to use mental heuristics to make it easier. And if we have to manage many passwords, we’re going to use even more heuristics.

What’s a quick mental shortcut? Password reuse. And why would we reuse? So we don’t get locked out of our accounts. We’re used to the convenience of doing it once and having it work forever. After all, we use the same keys to get into our houses or cars for years and years. Imagine if you had to rekey your house every few months. And have you ever noticed that one key gets you into every room in your house? (The front door is locked, but the inside doors are not, other than the bathroom.)

I don’t know what the answer is to the problem of weak passwords, but giving advice that no one follows is probably a step in the wrong direction. On the other hand, maybe we will all, as a society, get really good at memorization. There are ways to do it.

But we should probably look at other options, too.
