Virulent Word of Mouse

January 23, 2010

Pass the password


In case you missed it, many passwords are not safe. Not just a little bit. It is a hacker’s paradise out there.

Recent headlines made the point ever so clear. The most popular password in America turns out to be “123456”. Might as well leave the keys to the automobile in the driver-side door, where a thief can easily find them. That is the sort of favor many users are doing for hackers.

This is what passes for news on the Internet today. If you read between the lines, very little about this fact is news. That is worth a comment or two.

More to the point, computer scientists like to observe that the Internet has scaled well. That is not exactly right, and they know it. The technology scaled well at the level of transport infrastructure, but not at the access layer, where most of the passwords are. Internet access is an example of a technology in which the very characteristics that make it popular at small scales are precisely those that make it ill suited to large scale use.

This will take some explaining.

What is new here?

There actually was some news in the news about passwords, but that requires a bit of detail to appreciate. First let’s review.

A company, RockYou, makes software for handling passwords on many web sites, including Facebook, MySpace and other social networking sites. For a brief moment a list of its passwords was posted on the web. That list contained 32 million passwords.

The size and authenticity of the database are what make the news so notable. This list came from actual users, providing a massive window on what passwords actually get used.

As it turned out, many people simply do not think about their password very much before choosing it. More precisely, many people thoughtlessly think about their passwords in exactly the same unoriginal way. They pick the same simple phrase.

While that might not be problematic in many other facets of life, this is precisely a setting where originality and uniqueness have considerable value. Uh-oh.

The New York Times got wind of the story and their headline said “Just make it Hackme.” The story made the rounds online. The hook mixed elitist and alarmist tones to make its points, namely, that some users are so dumb in their password choices that they endanger themselves, as well as every other user with whom they share a network.

Whether or not you agree with the tone, the details are salacious, which is what every good news story needs. This one had many of them, namely, facts that even a non-technical person could grasp.

As one of my favorite comic writers, Dave Barry, would say, I am not making any of this stuff up.

For example, six of the ten most popular passwords employ easily hacked number sequences. These are “123456”, “12345”, “123456789”, “1234567”, “12345678”, and “abc123”.

Yes, you read correctly. Even my wife, who lacks much interest in technical topics, heard that one, and got the point. If six of the ten most popular passwords are this easy, then even a mediocre hacker can get into some accounts simply by trying enough of them and using popular simple passwords.

Reading the rest of the list does not reassure me any further. For the record, the other four passwords rounding out the top ten are not much better. These are “password”, “iloveyou”, “princess” and “rockyou”. (Only the last one seems a bit inexplicable. However, recall that the company that compiled this list is “RockYou”, so that last one might just come from administrators for the firm.) Yes, you read correctly. A lot of people use the phrase “password” as their password.

Among the top thirty, my favorite ones include “654321”, “qwerty”, “iloveu”, “111111”, “0”, and “password1”. Those fit right in with the theme of “Go ahead and hack me.”

The word “Princess” hints at one other popular source of passwords. Quite a lot of people choose popular names as their passwords, and I would guess they choose that name with some affection.

The top third of the list of popular passwords contains plenty from the top ten lists for popular baby names, including “Nichole”, “Daniel”, “Jessica”, “Michael”, “Ashley”, “Michelle”, and “Anthony”, not to mention “babygirl”, “monkey”, “lovely”, “sunshine” and “angel”. (All at once, let’s say “Oh, how nice.”)

Look, I love my kids too, and I respect/admire anyone else who does. But I just have to say it: THERE ARE MORE CLEVER WAYS TO USE A CHILD’S NAME AS A PASSWORD. What is wrong with backwards, initials, and — maybe — combinations of names and birthdays, middle names, and so on?

All in all, about 5000 words account for six and a half million (20%) of the 32 million passwords. Get the point? That is a lot of similarity for something that aspires to be unique and hard to guess.
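The two facts in this section, that a short list of common choices covers a large share of all accounts and that a password checker could simply refuse those choices, are easy to make concrete. The following is an added example, not code from the original post or from RockYou; the frequency counts are constructed for illustration (only the password strings come from the post), and the blocklist, normalisation rule and minimum length are assumptions of the example.

```python
# Added example (not from the original post). Two defender-side checks:
#   1. how much of an account base the top-N passwords cover, and
#   2. a registration-time check that rejects blocklisted passwords even
#      when dressed up with capitals or a trailing "1!" (e.g. "Password1!").
from collections import Counter
import re

# Constructed sample frequency table in the shape of the post's top-ten list.
# The counts are made up; only the strings are taken from the post.
SAMPLE_COUNTS = Counter({
    "123456": 290, "12345": 80, "123456789": 76, "password": 60,
    "iloveyou": 50, "princess": 34, "rockyou": 22, "1234567": 21,
    "12345678": 20, "abc123": 17,
    # a long tail of accounts that each chose something unique
    **{f"unique-{i:04d}": 1 for i in range(1000)},
})

def top_n_coverage(counts, n):
    """Fraction of all accounts whose password is among the n most common."""
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return top / total

# Assumed blocklist: the sample's top ten plus other entries the post names.
COMMON = {p for p, _ in SAMPLE_COUNTS.most_common(10)} | {
    "qwerty", "iloveu", "111111", "654321", "password1", "tigger"}

def normalise(pw):
    """Lowercase and strip a trailing run of digits/symbols, so
    'Princess2009' and 'Tigger!!!!' are judged by their stems."""
    return re.sub(r"[\d!@#$%^&*]+$", "", pw.lower())

def is_acceptable(pw, blocklist=COMMON, min_len=8):
    """Return True only if pw is not a (decorated) common password."""
    if len(pw) < min_len:
        return False
    if pw.isdigit():                      # "kindergarten counting schemes"
        return False
    if pw.lower() in blocklist or normalise(pw) in blocklist:
        return False
    return True

if __name__ == "__main__":
    print(f"top 10 cover {top_n_coverage(SAMPLE_COUNTS, 10):.1%} of accounts")
    for candidate in ["123456", "Princess2009", "Password1!", "Tr0ub4dor&3"]:
        print(candidate, "->", "ok" if is_acceptable(candidate) else "rejected")
```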

About the only inexplicable password in the top thirty is “Tigger.” Why does the most popular character from Winnie-the-Pooh make this list? I dunno’. Perhaps someone out there has a good idea.

Interpreting it all.

Having said all that, one additional fact helps interpret all this. It is this: none of this is new human behavior. More than two decades ago network administrators who lived in the era of the six-character passwords noticed the same phenomenon. In that era the most popular password was – you guessed it – “12345.” And so on.

In other words, easy-to-guess and non-unique passwords are nothing new. The only news is the scale. With two decades of experience, the Internet is bigger and the same stuff shows up.

There is, however, one key difference. Today it is terrifying.

The Internet worked wonderfully when it was confined to a small community, as it was when it first was invented. In those days there were administrators everywhere standing between users and networks, keeping tabs on security and other funny business.

Today, however, the network does not touch a small community. While the freedom of today’s Internet is great, that comes with some risk. Anybody can get online, including some rather nefarious people with unsavory motives.

More to the point, one network does not exist independently of all others. It is not much of an exaggeration to say the following: All users are linked to each other through a myriad of programs we share, whether it is social networking, g-mail, texting, or restaurant reviews, not to mention many others.

To be sure, not all is lost. For some set of activities one person’s security is independent of everyone else’s. In that setting choosing a poor password has Darwinian consequences, but not much else. In other words, those with the worst passwords get hacked, leaving others to survive.

Alas, that is not the only situation. In the world today smart hackers do not merely steal credit cards by asking. They gain access to somebody’s computer, phish on another, leave a program to collect information on another, deposit malware on another, leave a virus on another, find mailing lists on another, and make it very difficult to find the source of all the problems. In this interdependent world the lack of security on one computer can change the experience of others.

Disease specialists have a name for this type of situation: The average user is irrelevant to the overall experience. Rather, the probability of the emergence of a new virus is defined by the worst situation in which such a virus can emerge. In other words, it does not matter if half the world is developed; the viruses will emerge from the poorer parts of the globe, Mexico, Thailand, China, India, Sub-Saharan Africa.

Similarly, the security of the network does not depend on the 80% of the users who find unique passwords. Rather, it remains vulnerable to those who choose characters from Winnie-the-Pooh and kindergarten counting schemes.

One other difference. While these types of vulnerabilities have always existed in networks, there were forces limiting their impact. Sure, they existed at universities. When universities went online it made them vulnerable to a smart kid hacking his way into the system to change his grades. This risk was so archetypal that Hollywood even wrote such a scene into the movie Ferris Bueller’s Day Off (OK, that was a high school, not a university, but you get the point).

But in the greater scheme of things, hacking grades is small potatoes. Outrageous, to be sure, but minor in comparison to the damage from stealing millions of credit cards. The latter destroys the essential foundations of commerce.

Anybody who thinks this is a good scaling of the old technology is not paying attention. Indeed, the right question is: why the hell are we still using password technology at all?

There are alternatives, of course, but they are expensive and inconvenient. My university requires all its network users to change their passwords at regular intervals, for example, and, in addition, it requires all passwords to use both letters and numbers and symbols.

Frankly, it is a pain in the neck, and someday I will exhaust all the potential combinations of my children’s middle names spelled backwards combined with their birthdays, but, for better or worse, we all do something. It works.

But such solutions do not scale particularly well to mass market applications. Firms do not want to force such technology on their users, for fear of losing them altogether. That is how it will be until the era of the eye scanner or fingerprint reader or face-recognition utility comes along.

I am terrified, but what else are we going to do? Stop using the Internet? *sigh* That would be like staying off the highways just because others drive badly.

Does anybody see a good solution out there? I sure do not.

3 Comments »

  1. The solution is: 1password.
    http://agilewebsolutions.com/products/1Password

    Comment by Joshua Gans — January 24, 2010 @ 12:09 pm | Reply

  2. What traditions have been passed down in your family?

    Comment by Glover — April 3, 2010 @ 7:53 pm | Reply

    • I have had conversations with my kids about Internet security, including good selection of passwords. Modern parenthood has its challenges!

      Shane

      Comment by Shane Greenstein — April 4, 2010 @ 10:09 am | Reply

