Go Ahead and Use "Password" as Your Password

Updated: December 14, 2010

Why is using an easy-to-guess password so dangerous? Most websites have some minimum controls against the brute force attacks that were used successfully against Twitter in its early days. A brute force attack just keeps trying to log in with your user-name combined with a password created from every possible combination of letters, numbers and special characters (!@#$). If you use a word that is in the dictionary, that only takes about 80,000 tries until they get to zymurgy (the last word in Webster's New World Dictionary). That is why most applications and web sites lock your account after about six failed tries.

But hackers can steal the entire database of user-names and passwords. Usually the passwords are protected with one-way hashes that make it impossible to compute the original password from the hash. But the hackers just run a brute force attack where they create hashes of every possible combination (as above), compare those to the database and pick out the matches. The longer the password and the more character sets used, the harder a brute force attack is. The number of hashes to create for an eight character password containing lower case letters only is 208 million. If you include numbers and special characters, that rises to 6 quadrillion. (See the excellent key space calculator here.) 6 quadrillion is what we call "computationally difficult" to crack.
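The key space arithmetic described above, as an added example that is not part of the original post: a small calculator that works out which character classes a password actually draws on, the number of guesses needed to exhaust that space, and the cheaper ceiling a dictionary word gets (the post's 80,000-word figure). The wordlist, the class definitions and the password samples are constructed for the example; `string.punctuation` is used as the "special character" set and does not include the space character.

```python
import string

# Constructed stand-in for a full wordlist; the real one is assumed to hold
# about 80,000 entries, the figure used in the post.
SAMPLE_DICTIONARY = {"password", "zymurgy", "letmein", "monkey"}
DICTIONARY_SIZE = 80_000

# Character classes a brute-force search enumerates. A password is assumed to
# have been drawn from the union of every class it actually uses.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),           # 10
    "special": set(string.punctuation),     # 32 (no space)
}


def alphabet_size(password):
    """Size of the smallest union of classes that covers every character."""
    used = set(password)
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if used & chars:
            size += len(chars)
    if size == 0:
        raise ValueError("password uses no characters from the known classes")
    return size


def brute_force_candidates(password):
    """Guesses needed to exhaust the space the password was drawn from."""
    return alphabet_size(password) ** len(password)


def guesses_needed(password, dictionary=SAMPLE_DICTIONARY,
                   dictionary_size=DICTIONARY_SIZE):
    """Worst-case guesses for the cheapest attack that finds this password.

    A dictionary word falls to a wordlist run in at most dictionary_size
    guesses no matter how long it is; anything else costs the full space.
    """
    candidates = brute_force_candidates(password)
    if password.lower() in dictionary:
        return min(dictionary_size, candidates)
    return candidates


def describe(password):
    """Summary a defender can use to compare password policies."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "brute_force": brute_force_candidates(password),
        "cheapest_attack": guesses_needed(password),
    }


if __name__ == "__main__":
    # Constructed samples: a dictionary word, a lowercase string, a mixed one.
    for sample in ("zymurgy", "abcdefgh", "Tr0ub4d&r"):
        print(sample, describe(sample))
```

The lowercase eight-character case comes out as 26 to the eighth power, and adding the other three classes to the same length multiplies the count by roughly 30,000, which is the jump the post is describing. The `guesses_needed` ceiling is the reason a long dictionary word such as "zymurgy" is no safer against a wordlist than "password" is, while a genuinely random mixed-class string is.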

But if you use "password", or abc123, your account could easily be broken into by anyone who tries these first. And if you use the same password at Gawker.com and the hundreds of other sites you visit, someday your password will be stolen. Since you probably also use the same user-name and password pair at sites that matter, like Twitter, Facebook, and LinkedIn, you could see those accounts compromised as well.

But so what? Unless you are Sarah Palin, who cares enough to compromise those other accounts? Well, spammers and cyber criminals do. Do you really want your Twitter account posting links to pharmaceutical sites? Or your Facebook account used to spread malware to your friends? No.

So don't use "password" at Gawker.com, but go ahead and use "zymurgy", and go ahead and use the same password at the hundred sites where the greatest danger is that someone will post a comment under your user-name. But for the important sites, use a password that forces a cracker to calculate 6 quadrillion hashes to crack it.

Should Gawker.com and all the other inconsequential sites force you to use strong passwords? It would only ensure that they have fewer users and more password reminder requests, since no one can remember all those passwords and no one wants to have to look up their cumbersome passwords in some iPhone app. It is time for websites to get away from user accounts altogether. Let people comment on an article with a simple email verification (not forgetting to put limits in to avoid spamming). And those sites that really need to authenticate should move to digital certificates and one-time password tokens, or SMS messages to your cell phone.
