Posted by Neil Bennett 20 January 2015
Why it can be ok to use weak passwords (sometimes)
SplashData’s yearly list of the most popular passwords is back – and inevitably it is topped by ‘password’ and variations on the code an idiot would have on his luggage. It’s a chance for techies to feel smug about using a truly random combination of numbers, letters and symbols – and for journalists to write the same old pieces gently chiding readers to use better passwords.
However, it can be good to use bad passwords – and if others think the same then it could show that the premise of those articles and SplashData’s press releases is a load of old 4c#fRT0.
This premise is that simple passwords – especially obvious words like ‘password’ and your children’s names – are easy to guess, and are the first things a cracking tool will try. Therefore you should always use more complex ones, made of a long random barrage of characters. You should also use a different one for each site, in case one site is hacked and those responsible try your email address and password on other sites.
Unless you’ve got an eidetic memory, this is unrealistic. Instead, you let your browser remember all of your passwords except your bank’s (and hopefully those of any online stores that have your card details) and you do one of three things. You use the same strong password (or a small selection of them) for all sites; you keep a list of passwords somewhere handy; or you have a few strong passwords for a small number of key sites and a few not-particularly-strong-but-easy-to-remember passwords for the rest.
The first approach leaves you vulnerable if hackers get a long list of email addresses and passwords from, say, Adobe, and then use those to get into Amazon or your bank (an attack known as credential stuffing).
A password list?
The second seems like the weakest, but it can be made reasonably safe if you are careful about it. First you need to ensure all of your passwords end in the same four numbers. Then write your list of passwords in a Google doc or Evernote or wherever, but without those four digits. And don’t forget your Google or Evernote password. Two caveats: those four digits are now a single secret shared by every account, so if one of those passwords leaks in a breach the suffix is exposed and the list unlocks everything; and the list is only as safe as the account it lives in, so that account needs a strong password and two-step verification. The other downside is that it requires writing them all down, and who’s got time to do that when there’s Facebook, Twitter and the new series of Sons of Anarchy on Netflix to catch up on.
The third means you have strong passwords for the sites that matter – your bank, Facebook, Twitter, Amazon, et al – and you stick one of the simple ones in when you feel a strong one is unnecessary (or that a password shouldn’t be necessary at all): forums, mailing lists, online stores you probably won’t order from again (so you’re not gonna let them keep your card details).
One potential problem here is that occasionally you sign up for a site or service that seems unimportant, but later it becomes something you should be more careful about. Adobe’s a prime example of this, where lots of designers signed up for an Adobe ID over many years for freebies or to use the company’s forums – then later needed to use that account to pay for subscribing when Adobe changed its business model. So when Adobe got hacked, a lot of terrible password use was exposed.
If people are using this third approach, then perhaps they aren’t as stupid as SplashData is making out. Maybe they’re using those stupid passwords on a large number of immaterial sites, but using strong ones on the sites that matter – sites whose password engines won’t let you use those weak ones anyway (Gmail, for example, won’t let you use anything in that list when you create an account).
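As an added illustration of the kind of signup-side check just mentioned (this is example code written for this page, not Google’s or the author’s), here is a denylist check of the sort a site can run when a password is chosen. The list below is a constructed handful of entries standing in for a full SplashData-style list, which a real deployment would load from a file. The check also strips trailing digits and symbols and undoes common letter-for-number substitutions, so that ‘Password2015’ and ‘p@ssw0rd!’ are rejected along with ‘password’; note that this is exactly why bolting the same four digits onto a weak base word, as in the list scheme above, does not turn it into a strong password.

```python
import re

# Constructed sample denylist (assumption: stands in for the full
# SplashData / breach-derived list, which would be loaded from a file).
WEAK_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "letmein", "monkey", "dragon", "football", "baseball", "welcome",
    "princess", "sunshine", "trustno1",
})

MIN_LENGTH = 8

# Undo the most common character substitutions so "p@ssw0rd" is
# compared as "password".
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Digits and punctuation people tack onto the start or end of a word.
_TRAILING = re.compile(r"[0-9!@#$%^&*.\-_ ]+$")
_LEADING = re.compile(r"^[0-9!@#$%^&*.\-_ ]+")


def candidate_bases(password):
    """Yield the forms of `password` that are compared against the denylist:
    the lower-cased password itself, the same with trailing and leading
    digits/symbols removed, and each of those with leet substitutions undone."""
    lowered = password.lower()
    stripped = _TRAILING.sub("", lowered)
    seen = set()
    for form in (lowered, stripped, _LEADING.sub("", stripped)):
        for variant in (form, form.translate(_LEET)):
            if variant and variant not in seen:
                seen.add(variant)
                yield variant


def check_password(password, denylist=WEAK_PASSWORDS, min_length=MIN_LENGTH):
    """Return (accepted, reason); reason is None when the password is accepted."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    for base in candidate_bases(password):
        if base in denylist:
            if base == password.lower():
                return False, "appears on the weak-password list"
            return False, f"is a trivial variation of the listed password {base!r}"
    return True, None


if __name__ == "__main__":
    for pw in ("password", "Password2015", "p@ssw0rd!", "123456",
               "correct horse battery staple"):
        print(repr(pw), check_password(pw))
```

The check deliberately reports only whether the password was rejected and why, never which other variants were tried, so the error message does not leak anything beyond the fact that the chosen password is on, or close to, a public list.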
So maybe people aren’t stupid. Or maybe they are. A regular reminder of the importance of passwords is good, but let’s not take SplashData’s data at face value.