All week, friends and family have asked me if I’ve heard about the most commonly used password. The gist of the story is that “123456” is now the most commonly used weak password — surpassing the use of the word “password.”
Although that story is good for a laugh or two, the password “123456” isn’t the problem at all, in my view. In fact, I can use that password as securely or as insecurely as any other one. I know what you’re thinking, and, no, I’m not crazy. Allow me to explain.
Today’s hackers don’t typically go to a Website or a service and manually type in passwords like “123456” until gain access; that’s just not how attacks work. The modern hacker (and pen tester on the security research side) uses automated tools that typically include dictionary-type password-cracking tools. These are tools that will hit a given Website log-in form with every word combination in a dictionary (for example, every word in the English language). So whether you choose “123456” or the word “dog” (or “syzygy”} it’s just as easy to crack.
Going a step further, even if you have the most complex password in the world and you transmit it in the clear (that is, not protected with Secure Sockets Layer, or SSL, encryption), an attacker can easily sniff that password off the network. If your password is stored in the clear on your device or app, you have no chance because an attacker who gets access to the site, database or app can simply “read” the password.
Just having a single password to access a site, whether it’s “123456” or the most complex password imaginable, isn’t enough because it is still, in all cases, a single point of failure and weakness.
Two-factor authentication, which requires users to have a second password—typically automatically generated and sent via SMS text, which is in use on many popular sites and services today, including Gmail and Twitter, is a must-have.
Though I don’t recommend it, if your site requiare two-factor authentication, you could possibly use the password “123456” and avoid being exploited. Simply put, the attacker could still input your “123456” password, but without the second factor, they still don’t get access.
The other interesting thing about weak passwords is responsibility. I’m definitely not advocating that anyone use a weak, easily guessed password, but I’ve always believed that it is the responsibility of server and network administrators to protect users from themselves. As such, Websites and services should implement strong password policies. That means policies that simply do not allow a user to choose “123456” as their password in the first place.
My larger point is that the password should not be the lynchpin on which your life relies. There should be other layers, including encryption and two-factor authentication that must be in place.
As IT professionals, it is our responsibility to protect users and make sure that the password “123456” is not the weak link in our security.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Can you crack our security quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Love your point on how websites and services should be more active in discouraging such weak passwords. I use the strongest/longest password I can for each site, plus two-factor in many cases - though it is impossible to remember without using a password manager. (I use PasswordBox - LOVE it.)