A blast from the past, from the 1990s to the early noughts to be more specific, made the news this week, courtesy of the National Cyber Security Centre in the United Kingdom. According to an analysis by the government organization, blink182 is among the most commonly used passwords in the world.
This means that it’s also an entry on any hacker’s list when it comes to guessing passwords.
Big Data in Data Breaches
Massive data breaches are a pain in the patootey, and while it’s said that all clouds have a silver lining, the gilded veneer of a breach is quite thin. About the only good thing to come out of a data breach is (1) finally knowing how well (or more often, badly) a company’s data security practices are and (2) the knowledge we gain in things like what the most-often used passwords are. These can be used, for example, to create password blacklists, preventing people from using them at all or within longer passwords.
The NCSC’s analysis is quite comprehensive, and unlike most such surveys, also provided a small list of categorized passwords: most used in total, given names, sports team names, musicians, and fictional characters.
In the music category, the band Blink-182 took the top spot. In order of instances where they were used as passwords:
- Blink-182 (blink182) – 285,706
- 50 Cent (50cent) – 191,153
- Eminem (eminem) – 167,983
- Metallica (metallica) – 140,841
- Slipknot (slipknot) – 140,833
The site spin.com noted:
Shockingly, there’s no “eve6,” “sr71,” “stroke9,” or even “sum41,” so fans of those alphanumeric ’90s-’00s bands can rest easy.
A quick look at Spin’s list reveals why these talents from the past century are not included: with the exception of Stroke 9, they’re too short in terms of password length. For “security reasons,” it’s generally required that passwords be at least 6 characters in length.
Of course, if it were true security that companies were looking for, they’d increase the requirement to something like 22 characters. That companies – and other types of organizations: let’s face it, NGOs and government agencies are not immune to appalling data breaches – are not doing this shows you how many take information security seriously. (On the other hand, chances are that you, the reader, are partially to blame as well: would you honestly not have a problem with typing a password that is 22 characters long? Every single time?)
Of course, these musical acts pale in comparison to the most used passwords, which number in the millions. The most often used also the more familiar type of fare, ranging from 123456 to password to 1111111 (that last one is a bunch of ones, as opposed to a bunch of els (L) or eyes (I). Arguably, els and eyes would be more secure passwords than a string of ones, just like blink182 is more secure than password).
A Little More Secure (But Barely)
Conventional wisdom says that blink182 is a more secure password than password (of which there is 3.6 million instances and #4 in the “most used in total” category). Why is this?
It comes down to probability and statistics (and economics): if you’re a hacker who wants to illegally gain access to as many accounts as possible, in as short a time as possible (knowing that the window of opportunity may close at any moment), it makes sense to try, on as many accounts as possible, the top 10 most-often used passwords, which are used orders of magnitude more often than blink182.
In other words, it’s like that old joke about two hikers meeting a bear in the woods: instead of running for his life, one starts to fish out his running shoes from his backpack to put them on. The other, seeing this, says, “Jeez, you can’t really hope to outrun the bear!” And the hiker responds, “I don’t need to outrun the bear. I only need to outrun you!”
Chances are the hackers are going to go for password and not blink182. So, users who’ve selected the later have a higher possibility of being passed over, which is tantamount to not being hacked.
But, the problem is that there are many ways to skin a cat. One hacker’s M.O. can be quite different from another’s. For example, perhaps the hacker only tries passwords that are shorter than a specific length, say eight characters. If so, blink182 (eight characters long) is a weaker password than 123456789, despite the latter being used much, much more often (found 7.7 million times in the NSCS analysis).
Or, it could be that a hacker doesn’t have a time constraint, meaning he can just go through millions of passwords for each account.
In other words, blink182 may be a more secure password than others… but barely.
So, what to do? Well, for starters check out the NSCS’s list of top 100,000 most-often used passwords (that figure is not a typo. Also, it’s a pretty big file, considering. You may want to download it as opposed to opening it in your browser). Do a search for your password, and if it’s listed, change it.
Like, really change it. (A 22-character long password is not a bad idea. Neither is it to use a music group that is not popular. At all.)
Related Articles and Sites: