Friday, January 29, 2010


Once more, on passwords

Last week, the New York Times came out with yet another article about how people consistently pick bad passwords. It’s a hackneyed subject by now, but I shouldn’t complain: I cover this sort of old ground repeatedly, myself. But what makes this article remarkable — or, at least, what makes me want to remark on it — is their attempt to explain why.

One technologist tries to explain it as an innate aspect of people:

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Right, and perhaps we evolved that gene in, what, 1992? No, this is not like a fight-or-flight response, not like colour blindness, and not at all like a dislike for Brussels sprouts.[1] I suppose that if by “genetic flaw” he means that we’re very bad at figuring out how to defend ourselves, he’s wrong, but if he means that we have a strong tendency toward habitual behaviour, he’s right about that. But this is a red herring.

The more interesting point, which seems to be made every time this question comes up, is the “information overload” reason:

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

That certainly is the conventional wisdom, but just look two paragraphs earlier, and you’ll find this:

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

The mid-1990s — fifteen years ago, which is more than the “10 years ago” quoted from Mr Moss. And we can go back another ten years, too. In 1985, I did a password audit on the mainframe system that I managed at the time, and found that the most common passwords were... [Can you guess?]... “password”, “logon”, “cpread” (“CP READ” appeared in the lower right corner of the screen when you had to log on), and other such things. Others used the models of their cars, their favourite sports teams, and the like.[2]

And here’s the point: at that time, this single password was the only one they had to remember (well, and maybe their ATM PINs, but not everyone used ATMs then). There was no overload, and we told them not to use crappy passwords, but... they used crappy passwords.

So the “too many to remember” reason is bogus. We do have too many passwords to remember (or would, if we used different ones for everything), but that’s independent of the fact that we pick bad ones.

I think we’re used to having multiple levels of security, we’re used to trusting most of the people around us, and we’re used to assuming that there are enough targets that “they” are not likely to pick us. The door locks we use aren’t terribly effective, but that’s OK: there are neighbours keeping an eye out, there are police patrolling, there aren’t very many burglars around, and there are many, many houses for those few to choose from.

And we don’t really understand that online, it’s not like that. There are no neighbours and no real police (the web site management are reactive, not protective). The “burglars” are all over the world, and not limited to the few who live near you. They can work completely undetected, and your password is all you have.

Even if we did the bad thing and used the same password for everything, but we made it a really good password, we’d be better off. That we don’t do it isn’t because we can’t remember one or two good passwords. It’s because no matter how often we’re told about this, we just don’t really get it.

[1] Actually, I love them, especially roasted with garlic.

[2] There were two users who particularly amused me with their choices of passwords. We looked not just at current passwords, but at the last six — the extent to which we saved the old passwords — and so we could look at patterns. One user had a pattern of passwords like “lovegod”, “helives”, and “yesjesus”. Another’s had ones like “shitcrap”, “asshole”, and “dumbfuck”. Yes, it takes all kinds to make a world.
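The audit described above (tallying the most common passwords across the system, checking them against a list of known-bad choices, and looking through each user's last six passwords for patterns) as an added Python example; this is not code from the original post, and the user names, passwords and histories are constructed sample data. It assumes the auditor can read the password table, as the 1985 mainframe allowed; a system that stores hashes would run the same banned-list and history checks at password-change time instead, when the plaintext is briefly available.

```python
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample data (not from the post): a small password table of the
# kind a 1985-style audit could read directly, plus per-user password history.
# The weak passwords named in the post seed the banned list.
BANNED = {"password", "12345", "abc123", "logon", "cpread"}

CURRENT = {
    "alice": "password",
    "bob": "corvette",      # model of a car
    "carol": "12345",
    "dave": "logon",
    "erin": "password",
    "frank": "k8#vBn1sRt",  # the lone good one
}

HISTORY = {
    "gina": ["lovegod", "helives", "yesjesus"],          # thematic, not mechanical
    "hank": ["summer2009", "summer2010", "summer2011"],  # same root, rotating digits
    "frank": ["Tr0ub4dor&3xq9", "q9L!m2wPzz", "k8#vBn1sRt"],
}


def most_common(passwords, n=3):
    """Tally the most frequently used passwords across the table."""
    return Counter(passwords.values()).most_common(n)


def flag_banned(passwords, banned=BANNED):
    """Users whose current password is on the banned list (case-insensitive)."""
    return sorted(user for user, pw in passwords.items() if pw.lower() in banned)


def stem(pw):
    """Strip trailing digits/punctuation so 'summer2009' and 'summer2010' compare equal."""
    return pw.rstrip("0123456789!@#$%^&*.-_").lower()


def has_mechanical_pattern(history, threshold=0.6):
    """True if consecutive passwords share a root or differ by only a small edit.

    This catches 'summer2009' -> 'summer2010'. It cannot see a *thematic* series
    such as 'lovegod' -> 'helives' -> 'yesjesus'; only a human reviewer spots that.
    """
    for old, new in zip(history, history[1:]):
        if stem(old) == stem(new):
            return True
        if SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold:
            return True
    return False


def audit(passwords, history):
    """Combine the three checks into one report."""
    return {
        "most_common": most_common(passwords),
        "banned_users": flag_banned(passwords),
        "patterned_users": sorted(
            user for user, hist in history.items() if has_mechanical_pattern(hist)
        ),
    }


if __name__ == "__main__":
    for key, value in audit(CURRENT, HISTORY).items():
        print(f"{key}: {value}")
```

On the constructed data the report names "password" as the most common choice, flags four of the six users for banned passwords, and flags only hank for a mechanical history pattern; gina's religiously themed series passes the automated check, which is the limit of this kind of audit and the reason the 1985 review still needed a person reading the list.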


Charles said...


About 25 years ago, a book entitled "Cuckoo's Egg" by Clifford Stoll appeared which was very concerned with passwords. The book was sort of a spy story but factual and very interesting.

Charles Young

Barry Leiba said...

Yes, The Cuckoo's Egg is a good one; I, too, recommend it. Thanks for pointing it out, Charles.