Why passwords are insecure

By Felix Salmon
December 14, 2010

There’s been a lot of talk over the past couple of days, since Gawker was hacked, about how embarrassingly insecure its users’ passwords were. More than 3,000 users had “123456” as their password; almost 2,000 had “password”. There’s a long tradition of servicey journalism explaining how to generate secure yet memorable passwords, and telling those of us with insecure passwords that “what you’re doing now is going to come back to bite you”.

As someone whose password was on the Gawker list, I’ll agree it’s annoying. But I think that what’s being missed here is the element of sheer protest. All of us hate being asked to come up with passwords all the time — especially for silly things like Gawker comments. Now it’s not enough simply to have a password, it also has to be secure? Come on.

My general feeling about using insecure passwords is much like my feeling about hopping on to an unencrypted wifi network at the local coffee shop: the real safety comes from the fact that no one has the slightest interest in cracking into my Gawker commenter account or getting a preview of a blog entry I’m writing about sovereign debt negotiations.

On top of that, as Gnosis has shown, if a sophisticated computer hacker is really determined to crack into my life, then they’re likely to be able to do so. Using stronger passwords will slow them down, but it won’t stop them. The most common password in the Gawker set — 123456 — was used by just 3,000 of 1.5 million people, which is 0.2% of them. If you’re trying to guess my password, using brains rather than computer-assisted brawn, it won’t be easy, even if it’s in the dictionary somewhere. And if you’re using computer brawn to try to crack into my life, I’ve likely got bigger problems than having insecure passwords.

What’s needed here, I think, is some kind of empirical data on people who have had their passwords stolen or hacked. How often does this happen? What are the chances of it happening to me? And how much safer do people become if they move from insecure to secure passwords? Without any numbers for any of those things, it’s easy to understand why people refuse to buy into the paranoia of techies.

Comments
20 comments so far

The concern isn’t that someone could misrepresent your opinion on sovereign debt defaults, but that you may use the same password and username combination at other sites which may be sensitive.

Many people do this; it’s simply too difficult to manage different secure passwords for every place on the web you need to authenticate.

Some combination of biometrics (thumb swipe on your laptop? Facial recognition with your camera) and secure credentials with some sort of universal log-in is probably the answer here. Though one would be trading off a lower probability of a breach for significantly worse impact in case of one.

Posted by Hantu13

Ditto on the comment above. I think the biggest question is the number of people who keep unique passwords per website versus those who use 1 log on and password (or possibly a slight variation) for every website they visit. I would not be surprised if greater than 50% of the Gawker users use the same uid and password for their online banking accounts.

In my opinion, there can be no possible greater breach of sensitive personal information than a release of that information. If mine were released to the public, I’d be hard pressed to remember the hundreds (thousands?) of websites that I’ve signed up for across the internet using the same credentials. A hacker would not have to try for very long before they eventually found a website where they could log in as me and probably make my life very uncomfortable.

Posted by spectre855

I hate being asked to come up with passwords all the time — especially for silly things like comments for THIS BLOG. Is it really necessary?

Posted by david3

Ummm, isn’t the issue that the passwords were STOLEN from Gawker? So it wouldn’t matter if my password were “123456” or some seemingly random combination of letters and numbers and symbols. My password would have been stolen in any event. The issue is Gawker (and McDonald’s, and others) who require us to give them some personal information, but who don’t put the necessary security in place to safeguard the information we entrust to them.

Posted by Snyderico

To post this comment, I had to create a Reuters profile with username and password, even though it offered to log me in with my Yahoo! ID. Oh the irony.

People who use their Gawker ID (username and password) for their banking deserve what they get. Password security is relative: I can safely use the same login for Gawker that I do for comments on a million other sites, knowing the worst that can happen is someone starts commenting using my screen name. The fact that 3000 people used “123456” on Gawker has, literally, no meaning. You can *guess* that 50% of Gawker’s passwords are used for bank accounts, but your guess is as good as guessing someone’s password.

Note also that using a “secure password” (i.e., something unguessable) is meaningless if it’s stored insecurely, as the Gawker passwords were. Even if Gawker had stored 1000 bits of data (apparently they only stored 64), if it was the cleartext of your password, it wouldn’t matter how “good” your password was. Of course, *you* don’t know how your passwords are being stored, so you have no idea whether generating a long, unguessable password is actually more secure. It’s pretty likely that your bank does a more secure job of storing your password than Gawker, of course.

But, as Felix also points out, there are usually better ways of attacking people’s accounts than by guessing individual passwords. All you need is the password of the administrator’s account. :)

Posted by creeble
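An added example, not code from the post, from Gawker or from Reuters, showing the distinction creeble draws between a cleartext password store and one that keeps only a per-user salt and a slow hash, using Python's standard library. The sample user table and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny user table kept in cleartext. If this table
# leaks, every password is immediately reusable, however "strong" it is.
CLEARTEXT_TABLE = {"felix": "123456", "alice": "Tr0ub4dor&3-long-random"}

# Assumed work factor; chosen so that each guess costs the attacker real CPU time.
ITERATIONS = 100_000


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Return what the server should store: a fresh random salt plus the
    PBKDF2-HMAC-SHA256 of the password. The password itself is not kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def migrate(cleartext_table: dict) -> dict:
    """Convert a cleartext table into salted records, user by user."""
    return {user: make_record(pw) for user, pw in cleartext_table.items()}


def same_stored_hash(record_a: dict, record_b: dict) -> bool:
    """With per-user salts, two users who both chose '123456' get different
    stored hashes, so a leaked table does not even show who shares a password."""
    return record_a["hash"] == record_b["hash"]


if __name__ == "__main__":
    table = migrate({**CLEARTEXT_TABLE, "bob": "123456"})
    print(verify(table["felix"], "123456"), verify(table["felix"], "123457"))
    print(same_stored_hash(table["felix"], table["bob"]))
```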

Felix – Good article on an otherwise-obscure subject.

A question I’d like answered is who decides, and how, whether a password is ‘weak’ or ‘strong’? My password is nine characters long, occasionally ten for an alphanumeric type, and I defy anybody – ANYBODY – to guess what my password is. Yet it is consistently described as ‘weak’. Who decided that?

Posted by Gotthardbahn

I saw the Gawker news and thought it didn’t apply to me. I was surprised to get an email this morning saying I was a user, but it was only tied to this “public persona” account. Score one for pseudonymous travels on the information superhighway.

I did what I tend to do for many minor and non-critical accounts. I just hit “forgot my password” to let it reset.

Gawker are kind of butt-heads for wanting registration for comments, but we occasional visitors can just use “forgot” as the normal mode of access.

(Reuters shouldn’t require log-in either, but at least the google click is easy, and this IS only a public account.)

Posted by jpersonna

Maybe to restate more on-topic, I am a propeller head and know how to make secure passwords. People like Gawker don’t get them though, they are instead kept as separate as possible from secure accounts.

Posted by jpersonna

From what I understood, Gawker itself was hacked into and the email list and passwords stolen. So you could have had the most secure password in the world and it wouldn’t have mattered. Surely part of the silliness is giving a serious email address. If you don’t do that then all the hackers have got is the ability to log on to Gawker and post stuff in your name.

I remember one time watching a show where the head of security for a major bank was boasting about how secure his security was, blah blah bit encryption etc, and in the end a hacker was able to break in by phoning someone up, pretending to be network support, telling the user that the network was going to be upgraded to not be slow and that the user needed to give the username and password, then log off for 5 mins.

The CIA had one time key pads that were totally secure except for the fact that one of the contractors was selling copies of them to the KGB.

Posted by Danny_Black

creeble, sorry basically just repeated what you said…

Posted by Danny_Black

A computer can run through short number combinations quickly, but you change the combinations exponentially by adding letters (both upper and lower even more secure) and making longer passwords. A bank password should be longer, and separate from others you use, but as has been said, is only as secure as the systems your bank employs.

Posted by hsvkitty

I use at least three different passwords, one exclusively for banking/credit card sites (where hopefully the information is stored securely). Ought to be common practice.

Posted by TFF

My favorite quotation on this subject:

Encrypting transactions on the internet, for example, is as Purdue computer scientist Eugene Spafford has remarked, “the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.”

Posted by MattF

It is an aphorism of computer system security that if a system has at least ten users, at least one of them is an idiot. The corollary is that no system with at least ten users on it is secure, for the reasons the other commenters have well illustrated.

Posted by dWj

So if it happens rarely it’s not worth protecting against. Agreed. Unless the protection is commensurate with risk or offers other benefits. Check out LastPass http://lastpass.com/ (I’m not affiliated with it other than being a customer).

Posted by melitele

OK folks, stop whining about something relatively insignificant and save it for something meaningful, like the parasites that suck as much wealth as possible out of the economy and return nothing.

A password is required if you want to have people commenting on a regular basis (and I can see that enough want to do that), otherwise, anybody could pretend to be anybody and then effectively all comments are anonymous. If you like anonymous comments, there are lots of websites that allow it, just be prepared to waste several hours wading through them, because anonymity often yields hate and insults and generally childish behavior.

If you accept the concept of unique identities for people who comment, a password is pretty much necessary and not a big price to pay. For a site like a blog (and not a bank or Amazon), it’s unlikely that anybody will go to the trouble to find your password, so go ahead and use your birthday or something the password checking software says is “weak” (that just means it’s easy for a computer program to guess it, although that’s unlikely to happen, as there is very little money in pretending to be somebody else when you post comments).

So enough on passwords. How about that Larry Summers? Too bad Obama hired him, at least he’s gone now.

Posted by OnTheTimes

There is no excuse for random websites to ask users to enter a password. A protocol called OpenID allows people to be identified (by consent) using big-company logins (Google, Yahoo!, Facebook, etc.) without transmitting any password to the random website. Security does not have to come at the expense of convenience.

Now if only financial institutions also expressed interest in single-sign-on and worked to establish security guarantees with OpenID providers (such as requiring two-factor authentication, or login within 15 minutes). Instead, every bank is developing convoluted security measures independently.

Posted by yonran

It seems that major breaches like this are becoming quite common.
What does that say about the security thinking among people operating
the compromised system, and about the security thinking among end users?

If you operate a major web site, a big security compromise like this can
kill your business. Not investing enough time, money and infrastructure
in security means putting your organization at risk of major harm, because
of bad press, lost end users, lost advertisers, etc. This is a big deal.

If you are a user whose password has been compromised, I guess it depends
on how many other systems you sign into with the same ID/password and
whether you care about compromise of any/every account that uses the
same credentials. At a minimum, once you learn about a compromise like
this, you should change your “standard, used for systems I don’t care
much about” password everywhere.

In either case, you can learn about effective password management
practices: for organizations (http://bit.ly/dPhpkx) and for end users (http://bit.ly/fewec9)

- Idan Shoham, CTO, Hitachi ID Systems

Posted by Idan_Shoham

Felix, there were a couple different issues here.
1. Gawker didn’t encrypt the passwords with proper encryption technology, and didn’t apply security patches to their computers for three years, and dared hackers to try to get in.
2. Lots of people use the same password everywhere. So when a site like Gawker gets compromised, those people had their Facebook, Twitter, email, and banking accounts compromised too.
3. If people use crappy passwords on sites like Gawker (or Reuters) and strong passwords elsewhere there is probably no problem. But I have seen internal analysis of passwords at e-commerce sites and the most common passwords looked the same as the Gawker list.

While we are discussing computer security, you once mentioned how annoying it is that centralized IT departments don’t let people use Firefox. The reason for that is that there is no good way to centrally manage security patches for Firefox and users can’t do it themselves without admin rights. Firefox is great for home, but when 100s of people are on the same network using shared resources you can’t afford for one user to gum up the works for everyone else.

Posted by JonHocut

If this were such a really big deal, web sites would refuse to accept passwords that were too weak. If you tried to use 123456 as a password, it would be rejected.
Of course, if we made the web site financially accountable for the security of its passwords, that might happen.

Posted by RZ0
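An added example, not code from the post or from any commenter, that puts numbers on Gotthardbahn's question and hsvkitty's argument and implements the rule RZ0 describes: it scores a password by the search space implied by its length and character classes (alphabet size raised to the length, expressed in bits) and rejects the entries the post says topped the Gawker list. The denylist, the class sizes, the thresholds and the trailing-digit normalisation are assumptions.

```python
import math
import re

# Constructed denylist: the two passwords the post says topped the Gawker
# leak. A real deployment would load a much larger leaked-password list.
LEAKED_TOP = {"123456", "password"}

# Assumed character-class sizes; the "symbol" class is taken as 32.
CLASSES = (
    ("digit", r"[0-9]", 10),
    ("lower", r"[a-z]", 26),
    ("upper", r"[A-Z]", 26),
    ("symbol", r"[^0-9a-zA-Z]", 32),
)

MIN_LENGTH = 8      # assumed policy minimum
MIN_BITS = 40.0     # assumed policy threshold for the search space


def search_space_bits(password: str) -> float:
    """log2(alphabet ** length), where the alphabet is the union of the
    character classes actually present. Each extra character multiplies the
    space by the alphabet size; each extra class enlarges the base."""
    alphabet = sum(size for _, pat, size in CLASSES if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalize(password: str) -> str:
    """Fold the common 'Password123' variant back onto its denylist entry."""
    return re.sub(r"\d+$", "", password.lower())


def check_password(password: str) -> tuple:
    """Return (accepted, reason). The denylist is checked first: a leaked-top
    password is rejected whatever its length and character mix would score."""
    if password.lower() in LEAKED_TOP or normalize(password) in LEAKED_TOP:
        return (False, "appears on the leaked-top-passwords list")
    if len(password) < MIN_LENGTH:
        return (False, f"shorter than {MIN_LENGTH} characters")
    bits = search_space_bits(password)
    if bits < MIN_BITS:
        return (False, f"search space only {bits:.1f} bits (< {MIN_BITS})")
    return (True, f"search space {bits:.1f} bits")


if __name__ == "__main__":
    for pw in ("123456", "Password123", "12345678", "Abcdefg12"):
        print(pw, check_password(pw))
```

For a nine-character password drawn from upper, lower and digits the function reports about 53.6 bits, which is what a strength meter is measuring when it labels a shorter or single-class password "weak".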