Go Ahead and Use "Password" as Your Password

Updated: December 14, 2010

Why is using an easy-to-guess password so dangerous? Most websites have at least minimal controls against the online brute force attacks that were used successfully against Twitter in its early days. An online brute force attack just keeps trying to log in with your user name combined with a password drawn from every possible combination of letters, numbers and special characters (!@#$). If you use a word that is in the dictionary, that only takes about 80,000 tries until they get to zymurgy (the last word in Webster's New World Dictionary). That is why most applications and websites lock your account after about six failed tries.

But hackers can steal the entire database of user names and passwords. Usually the passwords are protected with one-way hashes that make it infeasible to compute the original password from the hash. But the hackers just run an offline brute force attack where they create hashes of every possible combination (as above), compare those to the database and pick out the matches; no lockout applies because they never touch the login page. The longer the password and the more character sets used, the harder a brute force attack is. The number of hashes to create for an eight-character password containing lower case letters only is about 209 billion (26 to the 8th power). If you include upper case letters, numbers and special characters (all 95 printable ASCII characters) that rises to about 6.6 quadrillion (95 to the 8th power). (See the excellent key space calculator here.) 6 quadrillion is what we call "computationally difficult" to crack, with two caveats: the figure only protects you if the site salted each hash (otherwise a single pass over the key space cracks every account at once, and precomputed tables apply) and used a deliberately slow hash such as bcrypt or PBKDF2, since a fast hash like MD5 or SHA-1 can be computed at hundreds of millions to billions of guesses per second on graphics hardware.
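As an added illustration (not code from the original post), the following Python computes the key-space figures used in the two paragraphs above and simulates the offline attack against a small constructed leak, contrasting unsalted hashes (one pass over the wordlist checks every account at once, so the lockout that stops the online attack buys nothing) with per-user salted hashes (the wordlist must be re-hashed for each account). The account names, passwords, wordlist and the one-billion-hashes-per-second rate are constructed assumptions, and SHA-1 stands in for whatever fast hash a site might have used.

```python
import hashlib
import os
import string

# Character classes behind the article's key-space arithmetic.
LOWER = string.ascii_lowercase          # 26 letters
UPPER = string.ascii_uppercase          # 26 letters
DIGITS = string.digits                  # 10 digits
SPECIAL = string.punctuation + " "      # 32 symbols (including !@#$) plus space
FULL = LOWER + UPPER + DIGITS + SPECIAL # all 95 printable ASCII characters


def key_space(charset, length):
    """Number of candidate passwords of exactly `length` characters from `charset`."""
    return len(set(charset)) ** length


def worst_case_seconds(charset, length, hashes_per_second):
    """Time to exhaust the whole key space at an assumed hashing rate."""
    return key_space(charset, length) / hashes_per_second


def unsalted_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt):
    return hashlib.sha1(salt + password.encode()).hexdigest()


# Constructed sample accounts and a constructed attacker wordlist (not real data).
# dave's password is not in the wordlist, so it should survive the dictionary pass.
USERS = [("alice", "password"), ("bob", "abc123"),
         ("carol", "zymurgy"), ("dave", "K7$qz!2Pw9m")]
WORDLIST = ["123456", "password", "abc123", "letmein", "qwerty", "zymurgy", "monkey"]


def leak_unsalted(users):
    """What a site that hashes without salt would leak: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in users}


def leak_salted(users):
    """What a salting site would leak: user -> (salt, hash), salt stored beside the hash."""
    leak = {}
    for user, pw in users:
        salt = os.urandom(16)
        leak[user] = (salt, salted_hash(pw, salt))
    return leak


def crack_unsalted(leak, wordlist):
    """One hash per guess tests every account at once; identical passwords collide."""
    users_by_hash = {}
    for user, h in leak.items():
        users_by_hash.setdefault(h, []).append(user)
    cracked, hashes_computed = {}, 0
    for guess in wordlist:
        hashes_computed += 1
        for user in users_by_hash.get(unsalted_hash(guess), []):
            cracked[user] = guess
    return cracked, hashes_computed


def crack_salted(leak, wordlist):
    """A per-user salt forces the attacker to redo the whole wordlist for each account."""
    cracked, hashes_computed = {}, 0
    for user, (salt, h) in leak.items():
        for guess in wordlist:
            hashes_computed += 1
            if salted_hash(guess, salt) == h:
                cracked[user] = guess
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    print(f"lowercase only, 8 chars: {key_space(LOWER, 8):,} candidates")
    print(f"all 95 printable, 8 chars: {key_space(FULL, 8):,} candidates")
    rate = 1e9  # assumed rate for a fast hash on GPU hardware, not a measured figure
    days = worst_case_seconds(FULL, 8, rate) / 86400
    print(f"at {rate:.0e} hashes/s the 95-character space takes about {days:.0f} days")
    print("unsalted:", crack_unsalted(leak_unsalted(USERS), WORDLIST))
    print("salted:  ", crack_salted(leak_salted(USERS), WORDLIST))
```

Both attacks recover the three dictionary passwords and miss dave's random one, but the unsalted leak falls to seven hashes total while the salted leak costs seven hashes per account that resists the wordlist. Swapping the SHA-1 calls for a slow, salted hash such as bcrypt is what turns "6 quadrillion" from days into a genuinely impractical amount of work.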

But if you use "password", or abc123, your account could easily be broken into by anyone who tries these first. And if you use the same password at Gawker.com and the hundreds of other sites you visit, someday your password will be stolen. Since you probably also use the same user name and password pair at sites that matter, like Twitter, Facebook and LinkedIn, you could see those accounts compromised too.

But so what? Unless you are Sarah Palin, who cares enough to compromise those other accounts? Well, spammers and cyber criminals do. Do you really want your Twitter account posting links to pharmaceutical sites? Or your Facebook account used to spread malware to your friends? No.

So don't use "password" at Gawker.com, but go ahead and use "zymurgy", and go ahead and use the same password at the hundred sites where the greatest danger is that someone will post a comment under your user name. But for the important sites use a unique password that forces a cracker to calculate 6 quadrillion hashes to crack it.

Should Gawker.com and all the other inconsequential sites force you to use strong passwords? It would only ensure that they have fewer users and more password reminder requests, since no one can remember all those passwords and no one wants to look up cumbersome passwords in some iPhone app. It is time for websites to get away from user accounts altogether. Let people comment on an article with a simple email verification (not forgetting to put limits in to avoid spamming). And those sites that really need to authenticate should move to digital certificates and one-time password tokens, or SMS messages to your cell phone.
