Lessons from the Annual Worst Passwords List

The annual list of bad passwords was released last week. The list for 2015 looks a lot like the lists from previous years. Still, these are always good for a bewildered chuckle.

Password is still an unfortunately popular password. So are 123456 and the longer 12345678. Sequential key combinations still rank very highly, although they shouldn’t. We’re looking at you, QWERTY users. Then there are the pop culture references that people probably think are unique but actually aren’t. This year’s examples: solo and starwars.

But before we poke our fun and put the list aside, it’s worth asking if one of these passwords — or one that’s equally weak — is all that’s separating your network from a significant data breach.

Don’t be so quick with a confident no. While the passwords used by your employees may not make this list, chances are they aren’t as strong as you think. That’s because we’ve spent years teaching people the wrong way to create strong passwords. We tell them that they need to use letters, numbers and special characters, all in different combinations. And while that makes for a password that’s definitely hard to remember, it doesn’t create a password that is much stronger than those on the list.

Essentially, even those “stronger” passwords aren’t that strong when put up against rainbow tables and sophisticated brute force hacking techniques. This classic cartoon from XKCD does a better job of explaining it than we can:

[Image: XKCD cartoon]

With so many systems and web sites that require passwords, it’s difficult to mandate what passwords people use, but it’s still important to know what makes a good password and then to train your people to use one.
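As an added illustration (not part of the original article), the screening check below shows how a password can satisfy the letters-numbers-symbols rule and still reduce to an entry on the list. The blocklist, the substitution table, the function names and the sample passwords are all constructed for this example.

```python
import re

# Constructed sample blocklist: the passwords named in this article.
# A real deployment would load a much larger list (assumption).
COMMON = {"password", "123456", "12345678", "qwerty", "solo", "starwars"}

# Undo the character swaps people use to satisfy complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
# Digit order, alphabet order and the three QWERTY letter rows.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def meets_complexity(pw: str) -> bool:
    """The traditional rule: 8+ characters with upper, lower, digit, symbol."""
    return (len(pw) >= 8 and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw)) and bool(re.search(r"\d", pw))
            and bool(re.search(r"[^A-Za-z0-9]", pw)))


def is_sequence(s: str, min_len: int = 5) -> bool:
    """True if s is one unbroken run along a sequence, in either direction."""
    return len(s) >= min_len and any(s in q or s in q[::-1] for q in SEQUENCES)


def weak_reason(pw: str):
    """Return why a password is easy to guess, or None if no check fires."""
    lowered = pw.lower()
    # Trailing digits and symbols are where the "required" extras usually go.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    for c in (lowered, core, lowered.translate(LEET), core.translate(LEET)):
        if c in COMMON:
            return f"variant of common password '{c}'"
    for c in (lowered, core):
        if is_sequence(c):
            return f"keyboard or numeric sequence '{c}'"
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ["P@ssw0rd1!", "Starwars2015!", "Asdfgh1!",
               "violet tractor canyon umbrella"]:
        print(f"{pw!r}: complexity={meets_complexity(pw)} weak={weak_reason(pw)}")
```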

While fancy hacking, DDoS, and malware may get all the headlines, the majority of breaches still come down to someone stealing (or guessing, or brute forcing) a user’s legitimate credentials. That’s why even though passwords are “boring”, they are still a really, really big deal.

January 27th, 2016 (2017-10-31T16:37:28+00:00) | Network Security