Categories: SecurityWorkspace

Don’t Blame Users For Poor Passwords

All week, friends and family have asked me if I’ve heard about the most commonly used password. The gist of the story is that “123456” is now the most commonly used weak password — surpassing the use of the word “password.”

Although that story is good for a laugh or two, the password “123456” isn’t the problem at all, in my view. In fact, I can use that password as securely or as insecurely as any other one. I know what you’re thinking, and, no, I’m not crazy. Allow me to explain.

Why 123456 is not the end of the world

Today’s hackers don’t typically go to a Website or a service and manually type in passwords like “123456” until gain access; that’s just not how attacks work. The modern hacker (and pen tester on the security research side) uses automated tools that typically include dictionary-type password-cracking tools. These are tools that will hit a given Website log-in form with every word combination in a dictionary (for example, every word in the English language). So whether you choose “123456” or the word “dog” (or “syzygy”}  it’s just as easy to crack.

Going a step further, even if you have the most complex password in the world and you transmit it in the clear (that is, not protected with Secure Sockets Layer, or SSL, encryption), an attacker can easily sniff that password off the network. If your password is stored in the clear on your device or app, you have no chance because an attacker who gets access to the site, database or app can simply “read” the password.

Just having a single password to access a site, whether it’s “123456” or the most complex password imaginable, isn’t enough because it is still, in all cases, a single point of failure and weakness.

Two-factor authentication, which requires users to have a second password—typically automatically generated and sent via SMS text, which is in use on many popular sites and services today, including Gmail and Twitter, is a must-have.

Though I don’t recommend it, if your site requiare two-factor authentication, you could possibly use the password “123456” and avoid being exploited. Simply put, the attacker could still input your “123456” password, but without the second factor, they still don’t get access.

The other interesting thing about weak passwords is responsibility. I’m definitely not advocating that anyone use a weak, easily guessed password, but I’ve always believed that it is the responsibility of server and network administrators to protect users from themselves. As such, Websites and services should implement strong password policies. That means policies that simply do not allow a user to choose “123456” as their password in the first place.

My larger point is that the password should not be the lynchpin on which your life relies. There should be other layers, including encryption and two-factor authentication that must be in place.

As IT professionals, it is our responsibility to protect users and make sure that the password “123456” is not the weak link in our security.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Can you crack our security quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

View Comments

  • Love your point on how websites and services should be more active in discouraging such weak passwords. I use the strongest/longest password I can for each site, plus two-factor in many cases - though it is impossible to remember without using a password manager. (I use PasswordBox - LOVE it.)

Recent Posts

Online Safety Bill Tweak To Combat Russian Misinformation

Foreign interference and misinformation to be designated a priority offence under Online Safety Bill, the…

14 mins ago

Intel ‘Playing Politics’ Over Delayed Ohio Chip Factory, Alleges Governor

Ohio Governor Mike DeWine alleges Intel's Ohio factory delay is a negotiating tactic, despite Pat…

3 hours ago

Steve Jobs Posthumously Awarded US Medal Of Freedom

President Joe Biden has named Apple co-founder and former CEO Steve Job, as a posthumous…

4 hours ago

Twitter Seeks Judicial Review Of Indian Takedown Order

Clash continues, Twitter court challenge against Indian government order to remove certain content it deems…

5 hours ago

TikTok ‘Halts E-Commerce Expansion Plans’

TikTok reportedly scraps plans to expand TikTok Shop livestream commerce in Europe and US after…

1 day ago

European Parliament Passes Landmark Tech Regulations

European Parliament votes to adopt Digital Markets Act and Digital Services Act, but campaigners warn…

1 day ago