Don’t Blame Users For Poor Passwords

Sean Michael Kerner

‘123456’ may be a crap password, but Sean Michael Kerner says the blame lies with the security systems that allow it, and rely on passwords in the first place

All week, friends and family have asked me if I’ve heard about the most commonly used password. The gist of the story is that “123456” is now the most commonly used weak password — surpassing the use of the word “password.”

Although that story is good for a laugh or two, the password “123456” isn’t the problem at all, in my view. In fact, I can use that password as securely or as insecurely as any other one. I know what you’re thinking, and, no, I’m not crazy. Allow me to explain.

SQL username password - Shutterstock: © hauhuWhy 123456 is not the end of the world

Today’s hackers don’t typically go to a Website or a service and manually type in passwords like “123456” until gain access; that’s just not how attacks work. The modern hacker (and pen tester on the security research side) uses automated tools that typically include dictionary-type password-cracking tools. These are tools that will hit a given Website log-in form with every word combination in a dictionary (for example, every word in the English language). So whether you choose “123456” or the word “dog” (or “syzygy”}  it’s just as easy to crack.

Going a step further, even if you have the most complex password in the world and you transmit it in the clear (that is, not protected with Secure Sockets Layer, or SSL, encryption), an attacker can easily sniff that password off the network. If your password is stored in the clear on your device or app, you have no chance because an attacker who gets access to the site, database or app can simply “read” the password.

Just having a single password to access a site, whether it’s “123456” or the most complex password imaginable, isn’t enough because it is still, in all cases, a single point of failure and weakness.

Two-factor authentication, which requires users to have a second password—typically automatically generated and sent via SMS text, which is in use on many popular sites and services today, including Gmail and Twitter, is a must-have.

Though I don’t recommend it, if your site requiare two-factor authentication, you could possibly use the password “123456” and avoid being exploited. Simply put, the attacker could still input your “123456” password, but without the second factor, they still don’t get access.

The other interesting thing about weak passwords is responsibility. I’m definitely not advocating that anyone use a weak, easily guessed password, but I’ve always believed that it is the responsibility of server and network administrators to protect users from themselves. As such, Websites and services should implement strong password policies. That means policies that simply do not allow a user to choose “123456” as their password in the first place.

My larger point is that the password should not be the lynchpin on which your life relies. There should be other layers, including encryption and two-factor authentication that must be in place.

As IT professionals, it is our responsibility to protect users and make sure that the password “123456” is not the weak link in our security.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Can you crack our security quiz!

Originally published on eWeek.