The ultimate password genius! (Not) [VIDEO]

Filed Under: Privacy, Video

KeysIf I wasn't banging my head against a brick wall so hard, I might actually find this funny.

Consider this question.

"What's your favorite internet password?"

How would you feel if a website asked you totell it what your favorite password is?

Richard Wang, one of the threat experts in SophosLabs, pointed me towards the UPSJobs website, where you can create a profile if you're interested in investigating a career with the company.

As you can see in the video I made, it's easy to create an account - but they don't offer much help when it comes to choosing a sensible password to secure it.

(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

The UPSJobs site actually encourages you not to use a unique password, but instead to use a password that other people might be able to guess (such as the name of your most loved pet or movie).

What really gob smacks me, however, is that they should prompt users to use their "favorite internet password"! That's hardly a safe thing to encourage.

What's your favorite internet password? [Click for a larger version]

It actually gets worse. When I first created a profile on UPSJobs, and tried to use a half-decent password (one that contained extended characters such as exclamation marks, and dollar signs), the site wouldn't accept it as my password.

Again, by refusing to accept a more complex password they were actively encouraging me to choose a simpler, easier-to-hack password.

On many occasions Naked Security has written about how to choose a strong password, but it shouldn't be forgotten that websites can do more to assist security too and help prevent innocent users from making unsafe choices.

* Image source: canonsnapper's Flickr photostream (Creative Commons)


You might like

21 Responses to The ultimate password genius! (Not) [VIDEO]

  1. ME! · 1487 days ago

    ... Sounds like the number of calls to their support department to replace lost/forgotten passwords far exceeds the number of calls to fraud prevention for hacked passwords.

  2. Terry · 1487 days ago

    So Graham, what did you do? What happened next? Did you decline to register or did you see what happens next? Or did you see this as a business opportunity?

    • If you watch the video, you'll see I created a profile (with suitably dumb password), logged out, and then tested that it really worked.

      Business opportunity? I haven't found that yet..

  3. Gary Host · 1487 days ago

    Graham, the writing gig with Sophos isn't working out and you're thinking of entering the wide world of Parcel Delivery?

  4. Robert Witham · 1487 days ago

    This takes the cake as the dumbest online account password system I have seen yet! I have been amazed at how many sites, including financial sites like banks, still won't let users include special characters in their password or use a password longer than eight characters. Online banking, which should be forcing people to use hard passwords, instead requires users to choose easy passwords.

    Thanks for spreading the word about this and other threats though. Hopefully, enough people will begin to realize the seriousness of the situation that things will begin to change.

  5. Randy · 1487 days ago

    For a business like UPS, this is shocking. but what really concerns me is the Online Brokerage firm that I use for stock trading also does not allow the use of special charactors for passwords. Not only this, but the personal questions they offer for the extra layer of security are mostly basic as well, such as the name of the high school you attended, your mothers maiden name and or the place you met your spouse, place you were born and other questions like these. The Most I could do was to choose a jumbled password (Randomly mixed letters and numbers, upper and lower case) and answer the personal questions with random charactors with the hope I dont forget my password.

    • TJF · 1487 days ago

      Amazing how many firms believe those parents'/grandparents' / maiden-name/middle-name / place of birth etc. info, provides some kind of protection when much of that info can be gleaned from millions of eternally-available online obituaries.

  6. Ymc · 1487 days ago

    It beats me why banks and Financial Inst. do not force customers to use difficult long passwords. If they forget, they can simply reset the password and charge them a fee. It's a win for the banks and bonus, they get to keep our cash longer too!! Haha.

  7. Pedro A. · 1486 days ago

    It's a common misconception to think that a password with special characters is stronger than one without. Length should be taken into account.

    A 4-character password with random letters, numbers and special characters (32 of them) is less strong than a 6-character password with random lowercase letters.

    A 15-character password with random letters, numbers and special characters is less strong than a 21-character password with random lowercase letters.

  8. netD · 1484 days ago

    I've been encouraging people to begin using pass phrases (all lowercase and a space) with a minimum of 15 characters. It would take a modern system over 17k days to crack that. Something like "thats the name of the game" or "snitches get stitches"... Why are people hung up on using crazy complex passwords that no one remembers so instead they use the same single password everywhere?

    • Robert · 1476 days ago

      Bad idea, unless you enforce a minimum of, say, 6 "significant" (i.e. not "a", "an", "it", "the" etc.) words.

      Otherwise it is very vulnerable to "pass phrase dictionary attack". Your second example, with just 3 words, would only take about (5000)^3 combinations to crack, which is much weaker than a password of 8 random characters.

  9. Adam · 1483 days ago

    "The interesting thing in the context of password strength is the prevalence of bad password choices. Take a look at these: 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, starwars, shadow, princess, cheese.

    These 25 passwords were used a total of 13,411 times by people with Gawker accounts. The first one – 123456 – was used over two and a half thousand times alone."

    I agree with your article, Graham, but at some point password security must be taken seriously by those CHOOSING their passwords. Rules and requirements for security mean NOTHING when you can still pick a stupidly simple password.

  10. John · 1483 days ago

    What difference does it really make Graham? Favourite car or favourite word? It is all the same, isn't it?
    What I found interesting in your story, Graham< is your line that we should have a different password for each and every website. Nice work if you can do it. I don't have that many sites that need me to login, only about 25 or 40. Now, if I was to create a unique, secure password for each like dhtsyuin or spoejvbt I would have to keep the list of all sites and passwords taped securely to my monitor so that I can login when I have to. I suppose I could lock the list away in my safe, but what a chore opening up the safe everytime I want to go on the net and then remembering to put it back in before I fall asleep at the monitor.
    Ah well, I'll just go on using "password" as my password. It is easy to remember and the site actually helps jog my memory.

  11. Pete · 1482 days ago

    There is NOTHING wrong with using a weak easy to enter pass for all those crap sites that you need to sign up / login to, in fact if they force me to put in a hint i always write "General Pass" . Who cares if someone hacks into my Tucows account seriously not everything needs to be bolted shut with 27 locks and a moat.

    Naturally, i would never use the weak pass on any accounts which had any type of personal or financial information.

    • keith · 1482 days ago

      Agreed, so many site want a secure logon only becasue thay have personal information that they don;t really need to provide you with a service (except targeted advertising). On those sites I use fake personal info as well as a noddy password (thereby providing them with nothing that I fear to have lost or stolen).

  12. Windmill John · 1482 days ago

    Take BT Yahoo, they won't let you use # etc. Oh you must use eight characters, but no complexity!

  13. Joe · 1482 days ago

    UPS has always been pretty horrible with everything they do. I used to work for both UPS and Fed ex loading trucks and you would see people walk off site with packages and never be checked then never return to work. Then the rest of us would get bitched at by management because UPS is not securing their packages. Its been a good 7 years since I worked with UPS though.

    Did you check what you get access to when getting into the site. If someone where to find your password what could they really do? Mess up or copy your resume. Maybe look at a few important bits of information and attempt to find other sites you use to hack into. Personally I don't see the UPSjobs site being anything important because its not like UPS looks at it very often for hiring. Its easier to go in and fill out an application than online because then you give HR and management a look at your personality and work ethic instead of just reading something online that anyone can make up.

  14. Pedro A. · 1481 days ago

    "When I first created a profile on UPSJobs, and tried to use a half-decent password (one that contained extended characters such as exclamation marks, and dollar signs), the site wouldn't accept it as my password."

    You are mistaken. Special characteres are not needed for a good password if the password can be long enough.

    xkcd today makes exactly my point.

    Tr0ub4dor&3 (11 characteres) is much easy to guess and much difficult to remember than correcthorsebatterystaple (25 characteres), but you say that a half decent password MUST containt special characters.

    • Robert · 1476 days ago

      Same mistake as a previous poster: correcthorsebatterystaple is only 4 words, so very vulnerable to pass phrase dictionary attack. 25 characters is not secure if they are not 25 independently chosen characters.

      • Pedro A. · 1462 days ago

        correcthorsebatterystaple has 44 bits of entropy. Tr0ub4dor&3 has 28 bits of entropy.

        A pass phrase dictionary attack with 44 bits of entropy at 25 characters per entry would need 400 Terabytes of storage.

        A dictionary attack for passwords like Tr0ub4dor&3 (28 bits of entropy), at 11 characteres per word would need only 2.75 GB. The first scheme need 150,000 times more memory than the second. The number of entries in the first dictionary is 65,000 times more.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley