Why passwords are insecure
There’s been a lot of talk over the past couple of days, since Gawker was hacked, about how embarrassingly insecure its users’ passwords were. More than 3,000 users had “123456” as their password; almost 2,000 had “password”. There’s a long tradition of servicey journalism explaining how to generate secure yet memorable passwords, and telling those of us with insecure passwords that “what you’re doing now is going to come back to bite you”.
As someone whose password was on the Gawker list, I’ll agree it’s annoying. But I think that what’s being missed here is the element of sheer protest. All of us hate being asked to come up with passwords all the time — especially for silly things like Gawker comments. Now it’s not enough simply to have a password, it also has to be secure? Come on.
My general feeling about using insecure passwords is much like my feeling about hopping on to an unencrypted wifi network at the local coffee shop: the real safety comes from the fact that no one has the slightest interest in cracking into my Gawker commenter account or getting a preview of a blog entry I’m writing about sovereign debt negotiations.
On top of that, as Gnosis has shown, if a sophisticated computer hacker is really determined to crack into my life, then they’re likely to be able to do so. Using stronger passwords will slow them down, but it won’t stop them. The most common password in the Gawker set — 123456 — was used by just 3,000 of 1.5 million people, which is 0.2% of them. If you’re trying to guess my password, using brains rather than computer-assisted brawn, it won’t be easy, even if it’s in the dictionary somewhere. And if you’re using computer brawn to try to crack into my life, I’ve likely got bigger problems than having insecure passwords.
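The brains-versus-brawn distinction above maps onto two quite different attacks, and the difference is worth making concrete. An online guesser has only the login form and a handful of attempts per account before lockout, so the 0.2% figure really is the odds against them. An attacker holding the dump of password hashes taken from Gawker tries every wordlist entry against every account offline, with no lockout and no need to be interested in any one commenter. The Python below is an added example, not code from this post or from Gawker: it constructs a synthetic dump (salted SHA-256 stands in for whatever scheme the site actually used, which the post does not say), runs a ten-word dictionary against it, and compares the result with a three-guess online attack on each account. The wordlist, the 10% weak-password share, the skew toward the head of the list and the lockout threshold are all assumptions chosen for illustration.

```python
import hashlib
import random
import string

# Constructed wordlist, in the order an attacker would guess it (most common
# first). Only the first two entries come from the post; the rest are assumed.
TOP_GUESSES = ["123456", "password", "12345678", "qwerty", "abc123",
               "letmein", "monkey", "111111", "consumer", "lifehack"]

ALPHABET = string.ascii_letters + string.digits


def site_hash(salt: bytes, password: str) -> str:
    # Stand-in for the site's real scheme (not stated on the page): salted,
    # but fast, so each guess costs the attacker exactly one SHA-256.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_breach(n_users: int = 2000, weak_share: float = 0.1, seed: int = 7):
    """Construct a synthetic dump of (user, salt, hash) rows plus the
    plaintexts that produced them, kept apart as ground truth.
    Weak users pick from TOP_GUESSES, skewed toward the head of the list;
    everyone else gets a random 12-character password no wordlist contains."""
    rng = random.Random(seed)
    records, truth = [], {}
    for i in range(n_users):
        user = f"user{i}"
        if rng.random() < weak_share:
            # min of two uniform draws: index 0 is the likeliest, 9 the rarest
            idx = min(rng.randrange(len(TOP_GUESSES)),
                      rng.randrange(len(TOP_GUESSES)))
            pw = TOP_GUESSES[idx]
        else:
            pw = "".join(rng.choice(ALPHABET) for _ in range(12))
        salt = rng.randbytes(8)  # per-user salt, as a real scheme would use
        records.append((user, salt, site_hash(salt, pw)))
        truth[user] = pw
    return records, truth


def offline_dictionary_attack(records, wordlist):
    """Attacker holds the dump and tries every word against every hash.
    Returns ({user: recovered_password}, number_of_hash_operations)."""
    cracked, ops = {}, 0
    for user, salt, digest in records:
        for word in wordlist:
            ops += 1
            if site_hash(salt, word) == digest:
                cracked[user] = word
                break
    return cracked, ops


def online_guess_attack(truth, user, wordlist, lockout_after=3):
    """Attacker has only the login form, and the account locks after
    `lockout_after` failures. Returns the password if found, else None."""
    for word in wordlist[:lockout_after]:
        if truth[user] == word:  # the login form answers yes or no
            return word
    return None


def summarize(n_users=2000, seed=7):
    """Compare the two attacks on the same constructed population."""
    records, truth = build_breach(n_users=n_users, seed=seed)
    cracked, ops = offline_dictionary_attack(records, TOP_GUESSES)
    online_hits = sum(
        online_guess_attack(truth, u, TOP_GUESSES) is not None for u in truth)
    return {
        "users": n_users,
        "offline_cracked": len(cracked),
        "offline_share": len(cracked) / n_users,
        "hash_operations": ops,
        "online_hits_if_every_user_targeted": online_hits,
    }


if __name__ == "__main__":
    print(summarize())
```

Run it and the offline attack recovers every account whose password is in the wordlist for at most ten SHA-256 computations per account, while the online attack reaches only the accounts using the first three words. The random 12-character passwords are untouched by either; exhausting them by brute force would take 62^12 (about 3×10^21) guesses per account, which is the practical difference between a password that is in the first ten guesses and one that is merely slow to crack. What the example does not model is the thing that makes a recovered plaintext dangerous beyond the breached site: reuse of the same password elsewhere.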
What’s needed here, I think, is some kind of empirical data on people who have had their passwords stolen or hacked. How often does this happen? What are the chances of it happening to me? And how much safer do people become if they move from insecure to secure passwords? Without any numbers for any of those things, it’s easy to understand why people refuse to buy into the paranoia of techies.