Tuesday, July 28, 2009

Choosing Passwords Wisely

I got a message from someone today who forgot their password. I won't name names, but in the message the person included the password they wanted, and that it "somehow" got changed because they "knew" that's what it used to be.

These kind of messages are usually rare for me--most people just tell me that they forgot their password, and I either send them to the Lost Password Center to reset it, or manually reset it myself if they're e-mail address doesn't seem to work. They usually don't send me the password they want it set to--I'd just as soon not know, and there's no reason I need to know. I can log into any account I need to with a "master password" when I need to--I never need to know anyone's actual password. Passwords are stored in the database in an encrypted format that's specifically designed so that I can't even decrypt it even if I wanted to. If hackers ever broke into Atlas Quest, they might be able to steal your e-mail address or cause all sorts of mischief, but there's one thing they can't get--it's your password.

Unless it's a poorly selected one. And alas, there are a lot of poorly selected passwords. Many moons ago, I read an article in a magazine about the ten most common passwords, and out of curiosity, I ran them through AQ's accounts to see if people actually were using them. Some of the most common passwords of all time, in case you're curious, include: password, 123456, qwerty, abc123, letmein, monkey, and money. Every single one of the most common passwords were being used by people--some of them in numbers that made my mouth drop open in shock. Passwords such as god did not get any hits since AQ has always required passwords to have at least five characters, even from day one.

I tried a few other "obvious" guesses including atlasquest and letterboxing, cracking loads of additional accounts. Then set it up so AQ tried using the same password as the trail name for the account, which as I recall, was the mother load.

Almost immediately, I added new restrictions on passwords to encourage people to pick better passwords. I made those most-common passwords off limits, and AQ will reject them. It will also reject any password if you use your first name, last name, or trailname as your password (or even a part of it). Which brings me back to the person who said that somehow their password had been "changed." Since the person told me the password they wanted, I could see the problem. It included their first name. The password wasn't changed--AQ had just rejected it as being too easily guessed and the person didn't remember their second choice.

A letterboxing website probably isn't a hacker's paradise, and even if a hacker did get into your account, they probably can't do more than delete your boxes or finds and send offensive messages in your name. But why choose bad passwords in the first place? Do you use the same passwords for your bank accounts, brokerage accounts, and other places where sensitive materials reside? Hackers DO try to break into those kinds of accounts, and easy-to-guess passwords make YOU a tempting target.

Some of you might remember the password cracker I set up the last time I discussed password security, and we had a lot of fun "cracking" accounts on Atlas Quest. All told, with all of the various guesses and such, we successfully cracked close to half the accounts on Atlas Quest. Without knowing any personal data about you, we could hack into about every other account given enough time to make guesses.

It might be a little harder now since AQ no longer allows the most common of passwords anymore (however, old accounts that made it in before the change still got to keep their poorly selected passwords, so those do still exist), but I bet there's still a lot of passwords you can guess. AQ will no longer allow you to use your first name, last name, and trail name (at least not what you entered when you registered on Atlas Quest), so those types of guesses won't be anywhere near as successful. But AQ doesn't know your birthday, it doesn't know the names of your children or pets, and it doesn't know much about you on a personal level, so it can't stop you from selecting those types of bad passwords.

If you're using a bad password now, consider changing it. Make your online accounts safe again!

Still don't believe? Try cracking accounts yourself and see how many you can break into with the Password Cracker.

I just want to say to the five people who use the word "goober" as a password--I'm honored. But you really need better passwords than that. ;o)

I'm also happy to report that while there are no "losers" on Atlas Quest, we do have four "winners"! Let's give our winners a round of applause. =)


Anonymous said...

Surprisinly, the password ryan does not come up, but goober comes up 5 times.

Goober Patrol

LunaSea said...

Awww... somebody has 'comfychair' as their password.

Stacy Christian said...

Now that's fun! My top three guesses so far have been:


XSG said...

If I broke into AtlasQuest in order to steal passwords, all wouldn't be lost if the passwords are encrypted. I'd just subtly add some code to store a plaintext copy of passwords being submitted to the site. This brings me to the _most important_ point that you only barely touch on. People should be using different grades of passwords for different kinds of information! For common websites such as AtlasQuest, it's fine to use a single password, chances are that the most harm that can be done by being compromised is some mild embarrassment. For any website that stores personal information, it's good to use a second password. For any websites that store financial information, it's good to use a third password. And it's also important to change your passwords at least yearly.

And now, to try to guess some passwords!

Anonymous said...

oh good lord, I could play on that all day. Someone has bananaboat as a pw, and several have password as a password. There's even a Megatron and 2 godzillas.


Anonymous said...

Last time around I had a great time guessing popular passwords. This time I found it surprising THESE were not taken: streetwise, mapper, traveller (with 2-l's), planetary, itsplanetary, 3rdrock, thirdrock, pluto, boxingfool, boxingful, boxful. Just for starters.


Liz Henderson (Hendel D'bu) said...

OK, that was pretty fun! Here's what I tried:

4 folks are using obiwan as a p/w,
2 are using anakin and only 1 is using padme. (I'm thinkin' there are more Star Wars fans out there than we know!)

Then I tried darthvader...no one! Not even one, can you believe it? However, 7...yes 7 folks are using Star Wars as their p/w!


May the Force be with you! :-P

BfloAnonChick said...

One person is using "marjorie" as a password. :-)


XSG said...

I just scored 100 passwords with just one word. Totally, I've guessed over 500 simply by using common pet names.

Ryan, if you're using a simple hashing algorithm for your encryption, all identical passwords will result in the same hash, so you can perform a pretty simple check to find out which hashes are the most commonly used and then try to make sure that all of the really common passwords are found and not permitted. Of course, if you're using DES with a variable salt, that idea goes out the window...

Anonymous said...

16 people use Jesus as their atlas quest password! I wonder if using the lords name as a password is considered taking it in vain? only two are using mushroom so apparently I don't have the same kind of appeal as Jesus which is as it should be I suppose.


Anonymous said...

You people scare me stay the hell out of my account!!!

Ryan said...

It's true--if someone does hack into AQ, they could jut capture the password before it's encrypted. There's no such thing as a 100% secure website, and AQ is no exception. If someone did hack into the database, though, it wouldn't be hard to run that same "password cracking" page as I created but actually display the account names of those that match. Run a dictionary against them, and you could break into a large number of accounts quite easily--but a GOOD password couldn't be cracked that way.

Being a mere letterboxing website, however, with little incentive for people to break into accounts (not exactly a lot of "sensitive" data on the site!), I'm not going to worry too much about people choosing bad passwords except to ban the most commonly used ones. (And even then, those who did use them before I banned them still can keep them.)

But I still recommend something better than pet names, birthdays, kid's names, etc. Those are just too darned easy for people to hack.

Kaaren said...

Going with my obsessions:

Buffy = 1 (no, not me)
Angel = 16 (but I'm sure they all don't mean Angelus)
Spike = 2
Firefly = 3
Serenity = 5

Then I tried Bubba just for kicks and got 7.

Only 1 person, me, has my password.

Anonymous said...

Anytime someone talks about the most common passwords, my mind drifts to a certain scene in the 1995 movie Hackers. In that, the 4 common passwords were love, sex, secret, and god. Did any of those make the top list besides god?

Ryan said...

Six people are using "secret" as a password. Sex, love, and god won't work on AQ since AQ requires at least five letters for a password, but "secret" definitely is being used by some.

Anonymous said...

There are some TV fans. dexter has 2, trueblood has 1, house has 1, and simpsons has 1. Interestingly enough, beavis has 3 as well as butthead also has 3. Not a lot of music fans, but there is one really die hard beatles fan and the King, elvis, he has 5. Also 1 person either likes Sting or thinks using the word police is a good way to be secure.

GreenJello said...

There's no way anyone has my password on AQ. Or anywhere else, for that matter (unless the admin can see the password). Since I work in the computer industry, I know all too well how easily accounts can be cracked.

Just to give you an idea how anal I am, my PayPal password has 13 characters, with one capital letter, 3 numbers, and 3 symbols. Good luck cracking that one.

GreenJello said...

Ok, this is fun... I think my current favorites are (asterisks added for the faint of heart):


I guess some people were in bad moods when they picked their password. :)

Anonymous said...

25 people are using soccer as a password

XSG said...

By the way, the password that I used to come up with 100 hits was [Pp]assword. Brilliant, folks.

And yes, drowssap came up with a few hits, too.

XSG said...

And who in God's name is using "smegma" as a password?!?!

And _why_ in God's name did I think to check?

Anonymous said...

2 people are using yomama as a password...


just4bees said...

My research shows that nobody wil FORGET or has FORGOTTEN their password but 2 FORGOT while 8 REMEMBER. None of those were MEMORABLE though. # folks thought they were CREATIVE and 2 GENIUS but not the 2 at the COMPUTER. # people claim ILOVECATS while just 1 says ILOVEDOGS. I may hang out with the 7 who seem to have plenty of POPCORN or those two that have ordered PIZZA.


Knit Wit said...

We got four Harry Potter fans but nobody wants to use Voldemort (or Dumbledore or Snape). This is fun!

Anonymous said...

What I had as an early recommendation for password choice, and continue to use to this day is two words together with a number. I pick the words by opening a book and pointing with my eyes closed (disregarding any common words like "the" or "and" or "I" etc.).

The unlikely combination does a good job of sticking in one's head, but is hard to crack without a powerful computer and associated resources.


TinmanSC said...

I just scored 33 with tigger!

Anonymous said...

I scored big with baseball 14, snickers 14, mustang 10, chocolate 15, and the biggest of all 192 words I came up with, harley with 17. As you can see I have a lot of time on my hands, ha ha. Dartmoor had 3, only 1 oklahoma, imagine that, wonder who that was, not me. I was surprised Disneyland only had one, as did Stonemountain. Cowboy had 5, but cowgirl only 2. No cadillacs, 1 caddie, no corvettes, 1 lexus. 11 Poohbears, wow!, 8 sweetie, 3 sweetheart. 1 toysrus, 1 twinkie, 1 niagra, 1 apollo13, and 9 alaska. 1 presley, 8 jackson, am assuming they were michael jackson fans. No madonna's, that surprised me.
That was fun, and a good time filler. Thanks for posting this little piece of trivia. Must do some changing of my own.

Anonymous said...

I was surprised that 4 people are using a**hole and 1 person is using a**hat.

2 people are using my password.

A decent number of folks are using state or city names for their passwords.

lulahe said...

For all the Twilight fans...
8675309-4 Ah, Jenny just can't get away...

dbltall said...

no "IloveAQ"! Unless that's one of the to0-easy forbidden ones ;)

Caitlin T. said...

This is hilarious!

Only 2 people use stamps, and 1 person each uses cupid and arrow. One person out there uses logbook as a password. No one loves transformers enough to use it, but 2 people use optimus (but no optimusprime).