Jan 31 2015

Passwords Not Impermeable, Security Experts Say


For a number of years now, SplashData – a California-based provider of security and password management applications – has been publishing an "annual list of the 25 most common passwords found on the Internet." As may be expected, each new list casts a damning light on the state of password security. The latest edition, issued just a few days ago, is no exception to the rule.

According to SplashData's official announcement, it contains the most easily guessable passwords of 2013 and reveals that in an alarmingly massive number of cases, users trade security for convenience. The findings were heavily influenced by the millions of passwords revealed in that year's Adobe hack, which led to the first change in the top position since nobody-knows-when: the fairly lamentable number sequence 123456 managed to dethrone the equally dull term password. 12345678 remained in third place, whereas qwerty (#4) and abc123 (#5) swapped positions. Among the top 25, the phrases trustno1, monkey and letmein saw the sharpest decline, losing twelve, eleven and seven places, respectively. On the other hand, ten entries grabbed a top spot for the first time, among them 000000 (#25), photoshop (#15), admin (#12), and the shooting star 123456789, which went straight up to number 6.

As you would expect from people in the security and password management trade, SplashData's staffers have some comments to offer about the poor choices individuals and companies seem to make. For example, they criticize overly obvious picks such as passwords based on website or application names as well as the four- and five-digit numbers many users settle on despite a site's or service's best efforts to enforce strong password policies. But while these are in fact valid points, the experts fail to address some of the underlying structural problems of the current password regime – namely that

  • Only a small minority of users are skilled enough to choose strong passwords right off the bat;
  • Strong password policies are often completely devalued by poorly implemented authentication, e.g. where the rules require passwords to contain letters, digits and special characters (symbols and punctuation marks), but the server does not accept the latter; and
  • Website owners increasingly try to protect 'their' content against potential unauthorized access even though it is doubtful whether that makes sense, for example when users need to register and log in just to receive basic technical support.
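To make the second point concrete, here is an added example (not code from the article or from SplashData) of what a server-side password check that is consistent with its own policy looks like. It assumes a constructed, incomplete sample of the list entries quoted above and a hypothetical site name; `policy_is_consistent` flags the mismatch described in the bullet, where a policy demands a character class the login form silently rejects.

```python
import string

# Entries from the SplashData list quoted in the article (constructed sample, not the full 25).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "admin", "photoshop", "trustno1", "monkey", "letmein", "000000",
})

# Character classes a policy may require.
CHARACTER_CLASSES = {
    "letter": set(string.ascii_letters),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def policy_is_consistent(required_classes, accepted_chars):
    """Return the required classes that the server's accepted character set
    does not contain at all. A non-empty result means the policy demands
    characters the login form will reject: the mismatch from the article."""
    accepted = set(accepted_chars)
    return [c for c in required_classes if not (CHARACTER_CLASSES[c] & accepted)]


def check_password(password, required_classes, accepted_chars,
                   site_name=None, min_length=8):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    unsupported = set(password) - set(accepted_chars)
    if unsupported:
        # Report the rejection explicitly instead of failing silently.
        reasons.append("contains characters the server does not accept: "
                       + "".join(sorted(unsupported)))
    for cls in required_classes:
        if not (set(password) & CHARACTER_CLASSES[cls]):
            reasons.append(f"missing required class: {cls}")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if password.isdigit() and len(password) <= 5:
        reasons.append("four- or five-digit number")
    if site_name and site_name.lower() in lowered:
        reasons.append("based on the site or application name")
    return reasons
```

The policy consistency check belongs in deployment tests, so that a rules change (e.g. newly requiring punctuation) cannot go live without the accepted character set being widened to match.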

Given this critical situation, several experts have suggested a radically simplified, 'password-less' approach that combines biometrics with a portable one-time password generator, usually a USB stick, that uses asymmetric public key cryptography to create and protect passwords at the same time. These experts have formed the so-called FIDO Alliance with the aim of proposing open, platform-independent and reliable authentication standards; first specifications for a future Universal Authentication Framework (UAF) and an accompanying Universal 2nd Factor protocol (U2F) were published at the end of 2014 and are available for download here. For more background info, see Chris Merriman's piece at The Inquirer and read the interview with FIDO Executive Director Brett McDowell on DigitalMoney.
