I love the scene in the movie “Spaceballs” where the password to a peaceful planet’s defense network is revealed to be “12345.” Oddly enough, that’s also the combination to the rival planet’s president’s luggage.
What is our responsibility to protect our employees or customers from using stupid, easy-to-guess passwords? One could argue that it’s the end user’s responsibility to pick a strong password that can’t be broken in nanoseconds via a dictionary attack, or which can’t be guessed with only a little bit of knowledge about the account holder’s family, pets or alma mater.
We ask customers to set up “accounts” all the time—on e-commerce sites, on banking sites, on media sites (like sdtimes.com), on social media sites, on tech-support forums. Sometimes the user is allowed to pick a login name, and sometimes it’s the e-mail address. I won’t wade into that debate. But what about the password?
If the password is easy to crack, it will be cracked. Of course, if the password is hard to crack, it can probably be cracked too, especially if someone with malicious intent is targeting that individual. Still, there is no excuse for allowing a user to create a password like “12345.” Or “password1.” Or “iloveyou.”
Far-fetched? Not at all. According to a newly released study by Los Gatos, Calif.-based SplashData, here are the worst passwords of 2013:
Does your site require that there be at least one upper-case letter? No problem, they cap the first letter. Require a number? The digit 1 is appended. Require a punctuation mark? The user adds an exclamation point. Sorry, that’s not secure.
Let’s go back to the question of why we should care. Obviously, if we are building password systems for employees, vendors or partners, yeah, we’d better care. What about customers or casual users of our website or software?
It’s not in our best interests to have our customers’ accounts hijacked, even if it’s our own customer’s fault.
It’s unclear to me that if there is personal or financial information on our sites, and if we allow “12345”-style passwords, that we might not be held liable in the event of a breach or disclosure of customer information. One could argue that we didn’t truly attempt to secure the account.
What about if we operate e-commerce sites? If someone breaks into customer accounts and orders merchandise or services, we may not be able to collect the money. That’s bad for the bottom line.
Tech support forums, media sites or social media sites: We set up accounts for reasons important to our businesses. If those accounts are breached, and malicious users can use those accounts to harvest information, spam users or online comments, or otherwise pollute our content, everyone loses.
The big question is what to do. Certainly, you can and should have strong password policies. Don’t let the user enter his/her username as a password (another common practice) or utilize a common dictionary word. Yes, do uppercase/lowercase. Consider numbers. Catch repetitive letters and digits. Make passwords longer. Think about punctuation. Compare users’ passwords against lists like those from SplashData and disallow the biggest offenders.
The strength of your login system depends, in large part, on the value of the account and the information it protects. If you are a financial institution or otherwise store sensitive information, forget simple passwords. Consider two-factor authentication, either as an option or as a requirement.
Just because the user chooses the password doesn’t mean you’re relieved of authority for the security of their accounts. If the password is “12345,” it’s just as much your fault as theirs. (Oh, and would someone please change the combination on my luggage?)
Changing the subject somewhat: After reading “What Secrets Your Phone Is Sharing About You” in the Wall Street Journal, I have turned off WiFi on my cell phone and have encouraged my family to do so as well, except when we are at home. If WiFi is turned on, you and your mobile device can be tracked without your permission or even your knowledge—even if you are not connected to a WiFi network.
What’s your favorite password story? Write me at firstname.lastname@example.org.
Alan Zeichick, founding editor of SD Times, is principal analyst of Camden Associates.