This year’s worst passwords are out, and oh my, you silly primates still don’t quite get this “information security” concept, do you?
Anyway, here’s the backstory: every year, a company called SplashData goes through a list of leaked passwords. These are basically hacker booty: long lists of plain-text Excel spreadsheets full of personally identifying data, posted in public on sites like Pastebin. SplashData gathers all of these together, does a simple sort on the resulting database, and finds the passwords that crop up most often.
The full list is here, but as per the title of this article, the most commonly used password from 2015 was 123456. You lazy bastards.
Why is it so bad to use a password that everyone else uses? Well, that’s because of the nature of computer security. It’s easy to build an algorithm that scrambles a password in such a way that the result can’t be turned back into the original. This is called a “hash.” Thus, the password ‘123456’ becomes something that looks like ‘453A2E-09Ib74.’ Because a hash is one-way, you can’t start from ‘453A2E-09Ib74’ and turn that back into the dumb password you started with.
Most websites (if they aren’t run by idiots) don’t ever actually store your password. They just store the hash, that one-way scrambled text. When you type your password into a login field, the website’s server keeps it only long enough to hash your input and check the result against the hash stored on its hard drive. If the two hashes match, you’re in.
This is fairly secure. The real problem, however, is that with a hashing algorithm, the same input will always get you the same output. For example, ‘123456’ will always be hashed into ‘453A2E-09Ib74.’ The other problem is that while you can’t get a password out of a hash, you can figure out which kind of algorithm is in use.
Imagine I’m a hacker. I know that a bunch of people on any given site will be using a dumb password like 123456. I also know the hashing algorithm that the site is using. If I get a copy of their hashed logins, I can just hash a list of dumb passwords, check those hashes against the list, and pwn a whole lot of people. This, by the way, is called a pre-computed dictionary attack, and it is also why it’s very important to choose a unique login.
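To make the “same input, same output” point concrete, here is a small added example (not from the original post, and not anything SplashData published) that builds a tiny table of hashed common passwords over a constructed user list, shows that unsalted storage of ‘123456’ is recovered by a plain lookup, and then shows how a per-user random salt makes the same table find nothing. SHA-256 and the five-word dictionary are this example’s own assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample dictionary of the kind of "dumb passwords" the post describes.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "football"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same input always yields the same digest, on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def precomputed_table(words) -> dict:
    """digest -> password, computed once; reusable against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}

def lookup_dump(dump: dict, table: dict) -> dict:
    """Users whose stored digest appears in the table, i.e. what a simple lookup recovers."""
    return {user: table[digest] for user, digest in dump.items() if digest in table}

def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: identical passwords now give different digests, so a
    table computed in advance is useless. SHA-256 is used here only to show the
    effect of salting (an assumption of this example); a real system should use a
    deliberately slow password hash such as scrypt, bcrypt or Argon2."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def store(password: str) -> tuple:
    """What a careful site keeps: (hex salt, digest); the password itself is never stored."""
    salt = os.urandom(16)
    return salt.hex(), salted_hash(password, salt)

def verify(password: str, salt_hex: str, digest: str) -> bool:
    """Login check: re-hash the submitted password with the stored salt and compare."""
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)

def salted_dump_lookup(passwords: dict, table: dict) -> dict:
    """Same users, same weak passwords, but salted storage: the table finds nothing."""
    dump = {user: store(pw)[1] for user, pw in passwords.items()}
    return lookup_dump(dump, table)

if __name__ == "__main__":
    # Constructed "leaked" user list: two people picked 123456, one picked a passphrase.
    users = {"alice": "123456", "bob": "123456", "carol": "correct horse battery staple"}
    table = precomputed_table(COMMON_PASSWORDS)
    print(lookup_dump({u: unsalted_hash(p) for u, p in users.items()}, table))  # alice, bob
    print(salted_dump_lookup(users, table))  # {}
```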
Your eyes probably glazed over the tenth time I used the word “hash,” but there’s one more thing I want to mention: we shouldn’t laugh at the poor bastards who chose ‘123456’ as their password. Look back up at the beginning of the article: all of the passwords collected by SplashData were IN PLAIN TEXT. That means the companies storing them didn’t take even the slightest bit of care in storing them. Their users could have picked ‘123456,’ or ‘b00bs!’ or an artisanal diceware password created by a small child, and it wouldn’t have mattered one iota. The fact of the matter is, you could choose the dumbest password imaginable, but the company storing it still has the responsibility to keep it safe.