We’re not just bad at learning long-term lessons, but also at picking up on simple things we’re doing badly and starting to do them better.
That would seem to be the main conclusion to be drawn from looking at the passwords we use to authenticate ourselves online.
Despite great efforts to persuade us otherwise, we still choose bad ones, simple ones, obvious ones, and we reuse them in other places. Sites we use get hacked, our passwords are stolen and used to abuse our accounts, and, if we’ve been reusing, not just those at the hacked site.
They are later posted online so we can read entertaining stories of the “Aren’t these passwords just comically bad” variety.
Bad passwords bad?
The latest is an annual “Worst Password” list from password management firm SplashData (other password managers are available).
For the average jaded security watcher, it holds few surprises – the top ten is dominated by old favourites like “password”, “qwerty”, “abc123” and strings of sequential numbers of various lengths.
The shocking headline is that “password” has been toppled from the top spot, overtaken by “123456”. A slightly heartwarming extra – “iloveyou” also makes the top ten.
The company’s press release points out twice that the list is “influenced” by the huge haul of data snaffled in the Adobe breach, and rendered simple to decipher thanks to some sloppy encryption practices.
There’s probably been some impact from the many other large and easily-absorbed data leaks of the last year too.
Using this sort of data as a measure of our password selection practices may be a little unfair though. It has been argued that the Adobe site is, for many users, considered a “low risk” site which doesn’t need to be protected by a strong password.
If you’re forced to create an account on a site which you’re just visiting to download some free software, say, or to read some news, or to comment gushingly on someone’s blog post, you’re probably not going to worry about that account being taken over by a hacker.
At least, not as much as you would about your online banking login, or your personal email. Right?
Bad passwords OK?
So, why not use a low-grade password? I admit it’s something I’ve done myself, many times.
For a one-off account at a site you have no plans to revisit, set up with a throwaway email address, why bother with a strong password?
Maybe a lot of the obvious choices on the Adobe database, which has so heavily influenced our idea of the world’s password habits, are down to similar down-grading of sites we don’t consider important.
Maybe people generally are more careful and sensible, just not when visiting Adobe.
OK, so it’s a little worrying that things like “photoshop” and “macromedia” also feature fairly high up on the Adobe list. That hints that at least some of the people on there are actual paying customers of Adobe, who have presumably provided things like billing addresses and banking info.
There’s also been evidence of people reusing their favourite weak passwords elsewhere, on sites they’re likely to care more about, and being forced to try harder.
But many may well just be casual visitors choosing casual passwords.
Bad passwords “better than nothing”?
Is that a bad thing? Not according to the UK’s “cyber-security chief”, Get Safe Online head Tony Neate, quoted in The Guardian arguing that a bad password is better than none.
This may make sense in some settings – mobiles, for example, can be left open for anyone to pick up and play with, or can be secured with a screenlock.
Online though, there’s rarely a “no password” option. And so, as biometrics have yet to emerge from the shadows and save us all from passwords forever, we still have to pick one, even for those piddling little sites we never plan to visit again.
Categorising the internet
Of course, there’s a problem with using good passwords for important accounts and sloppy ones for trivial sites. The internet isn’t divided into “important” and “trivial”.
There’s no icon in our browser address bar telling us we’re on a trivial site and can be as careless as we like.
It’s more of a continuum, ranging from highly sensitive to hardly sensitive at all, and which site fits where on that line will vary from person to person, maybe even from moment to moment as our usage patterns change.
So before we decide that an account is not worth securing, we have to think carefully about the implications. Can we be absolutely sure that there’s nothing inside this account that could be valuable? No information that could be gleaned about us that could be made use of? No way it can be linked up to other accounts and used to access them?
It’s unlikely that many of us do go through this process every time, and even those who do must make some mistakes or take some shortcuts somewhere.
So the best option, and also the easiest, is not to bother trying to categorise our accounts.
Tools are your friend
Use a password manager to generate a decent password for any account you set up. If you’re not using one already, spend an hour finding the right one for you and getting used to how it works.
If you never use that account again, never mind. If you do come back, yay, you can get straight in without having to rack your brain.
If the plugin works nicely, you may not even have to do any typing.
And if you don’t trust it with your most sensitive and precious accounts, you can keep them out of it, and stick with your own (carefully chosen, never reused) passwords for those.
For everything else, wherever it sits on your personal importance ranking system, a decent manager will do a better job than you of creating and remembering reasonably secure passwords, saving you the effort of deciding how important things are.
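To make the contrast concrete, here is an added example (not code from the article or from SplashData) showing what a manager does for you: it flags the kinds of password the list is made of, using a short denylist constructed from the names quoted above, and generates a random one with a rough entropy estimate instead.

```python
import math
import secrets
import string
from typing import Optional

# Constructed denylist: only the entries the article quotes from the
# SplashData top ten and the Adobe list, not the full published list.
KNOWN_BAD = {"123456", "password", "qwerty", "abc123", "iloveyou",
             "photoshop", "macromedia"}

# Character set a typical manager draws from: 52 letters, 10 digits,
# 32 punctuation marks, 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_sequential_digits(pw: str) -> bool:
    """True for runs such as '1234', '12345678' or '654321' (length >= 4)."""
    if len(pw) < 4 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def weak_reason(pw: str, used_elsewhere=()) -> Optional[str]:
    """Return why a password is a poor choice, or None if no check fires."""
    if pw.lower() in KNOWN_BAD:
        return "on the worst-password list"
    if is_sequential_digits(pw):
        return "sequential digits"
    if pw in used_elsewhere:           # the reuse problem the article warns about
        return "reused on another site"
    if len(pw) < 12:
        return "shorter than 12 characters"
    return None


def generate(length: int = 20) -> str:
    """Manager-style password from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("123456", "87654321", "iloveyou", generate()):
        print(f"{pw!r}: {weak_reason(pw) or 'no obvious weakness'}")
    print(f"6 digits: {entropy_bits(6, 10):.1f} bits; "
          f"20 random chars: {entropy_bits(20):.1f} bits")
```

A six-digit sequence is worth under 20 bits of guessing work, while a 20-character random string from a manager is over 130, and the manager also remembers it for you.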
And if you really are setting up a single-use, throwaway account, on a strange machine you’re wary of, and you’re sure you don’t mind if it gets hacked, then go ahead and use 123456, or iloveyou if you’re that way inclined.
Just remember, it’s likely to contribute to a “world’s worst” list one day.