Password Security

 Posted by on 23 April 2013 at 10:00 am  Security, Technology

In my discussion of online privacy on March 10th’s Philosophy in Action Radio, I talked about how people need to take active measures to protect their privacy online, just as they do in real life. Also, just as in real life, criminals should be of concern. Hence, so should good passwords.

I’ve long known that many people use insecure passwords: ordinary dictionary words, the same password reused across many sites, or an easy-to-guess pattern. However, I didn’t realize just how careless many people are until I read this article: PIN Analysis. Basically, the author analyzed the four-digit PINs found in various exposed password databases, 3.4 million PINs in total. Here are a few of his findings:

The most popular password is 1234 … it’s staggering how popular this password appears to be. Utterly staggering at the lack of imagination … nearly 11% of the 3.4 million passwords are 1234 !!!

The next most popular 4-digit PIN in use is 1111 with over 6% of passwords being this.

In third place is 0000 with almost 2%.

A staggering 26.83% of all passwords could be guessed by trying just the twenty most common PINs [listed in a table in the article]! (Statistically, with 10,000 possible combinations, if passwords were uniformly randomly distributed, we would expect these twenty passwords to account for just 0.2% of the total, not the 26.83% encountered.)
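The kind of frequency analysis the article describes is easy to reproduce. The following is an added example, not code from the PIN Analysis article or from this post; the PIN sample it builds is constructed to mimic the skew the article reports (1234, 1111 and 0000 at the top) and is not the real 3.4 million-entry dataset. It measures what matters to an attacker: how many accounts the first k guesses open, compared with the 0.2% that twenty guesses would cover if PINs were uniformly chosen.

```python
"""Best-guess coverage analysis of a PIN dataset (added example, constructed data)."""
from collections import Counter
from math import log2
import random

PIN_SPACE = 10_000  # 0000..9999


def constructed_pin_sample(n: int = 20_000, seed: int = 1) -> list[str]:
    """Build a skewed synthetic sample: a few popular PINs dominate and the
    rest are drawn uniformly. Deterministic, so results are reproducible.
    The shares are assumptions loosely modelled on the article's figures."""
    rng = random.Random(seed)
    popular = {"1234": 0.11, "1111": 0.06, "0000": 0.02, "1212": 0.012, "7777": 0.007}
    sample: list[str] = []
    for pin, share in popular.items():
        sample += [pin] * int(n * share)
    while len(sample) < n:
        sample.append(f"{rng.randrange(PIN_SPACE):04d}")
    rng.shuffle(sample)
    return sample


def most_common_pins(pins: list[str], k: int) -> list[tuple[str, float]]:
    """The k most frequent PINs with the share of the dataset each holds."""
    total = len(pins)
    return [(pin, c / total) for pin, c in Counter(pins).most_common(k)]


def top_k_coverage(pins: list[str], k: int) -> float:
    """Fraction of all entries covered by the k most common PINs, i.e. the
    share of accounts an attacker opens with the k best guesses."""
    return sum(share for _, share in most_common_pins(pins, k))


def uniform_coverage(k: int, space: int = PIN_SPACE) -> float:
    """What the same k guesses would cover if PINs were chosen uniformly."""
    return k / space


def guesses_to_cover(pins: list[str], fraction: float) -> int:
    """Minimum number of best-first guesses needed to open at least `fraction`
    of the accounts. Under a uniform distribution this would be fraction*10000."""
    total = len(pins)
    covered = 0
    for needed, (_, c) in enumerate(Counter(pins).most_common(), start=1):
        covered += c
        if covered / total >= fraction:
            return needed
    return len(Counter(pins))  # fraction not reachable with this dataset


def entropy_bits(pins: list[str]) -> float:
    """Shannon entropy of the observed distribution; uniformly chosen PINs
    would give log2(10000), about 13.3 bits."""
    total = len(pins)
    return -sum((c / total) * log2(c / total) for c in Counter(pins).values())


if __name__ == "__main__":
    sample = constructed_pin_sample()
    for pin, share in most_common_pins(sample, 5):
        print(f"{pin}: {share:6.2%}")
    print(f"top 20 cover {top_k_coverage(sample, 20):.2%} "
          f"(uniform expectation {uniform_coverage(20):.2%})")
    print(f"guesses to open 20% of accounts: {guesses_to_cover(sample, 0.2)} "
          f"(uniform: {int(0.2 * PIN_SPACE)})")
    print(f"entropy: {entropy_bits(sample):.2f} bits vs {log2(PIN_SPACE):.2f} uniform")
```

The same functions run unchanged over a real leaked list (one PIN per line); the point of `guesses_to_cover` is that a lockout policy of a handful of attempts is what makes a four-digit PIN tolerable at all, and only if the guesser cannot start from the popular end of the distribution.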

For more fun facts, check out the article: PIN Analysis. If you’re now thinking that perhaps you should have more secure passwords… good! I’d recommend using a password manager such as LastPass or 1Password. If you’re already using nothing but super-secure passwords, even better!

I’ve used 1Password to generate random passwords for me, store them securely, and access them on my phone and in my web browser for many years now, and I’d hate to go back to my old (and far less secure) methods!
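What a manager’s generator buys you is a password chosen uniformly from a large space, which is the opposite of the PIN distribution above. The following is an added example, not code from 1Password or LastPass: a generator backed by the operating system’s CSPRNG, plus the arithmetic for comparing a four-digit PIN with a generated password. The alphabet, lengths and the guessing rate are assumptions.

```python
"""Uniform random password generation and sizing (added example)."""
import math
import secrets
import string

# Assumed alphabet: letters, digits and ASCII punctuation, 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Pick `length` symbols uniformly from `alphabet` using secrets.choice,
    which draws from the OS CSPRNG and is unbiased; the `random` module is
    seeded predictably and must not be used for secrets."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) != len(alphabet):
        # A repeated symbol would be twice as likely as the others.
        raise ValueError("alphabet must not contain repeated symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly chosen string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses for an attacker who tries every candidate in some
    order: half the space, 2**bits / 2."""
    return 2 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time at an assumed offline guessing rate (the rate is a
    parameter; pick one that matches the hash in use)."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def compare(pin_digits: int = 4, pw_length: int = 20,
            rate: float = 1e9) -> dict[str, float]:
    """Side-by-side numbers for a PIN and a generated password."""
    pin_bits = entropy_bits(pin_digits, 10)
    pw_bits = entropy_bits(pw_length, len(ALPHABET))
    return {
        "pin_bits": pin_bits,
        "password_bits": pw_bits,
        "pin_years": years_to_crack(pin_bits, rate),
        "password_years": years_to_crack(pw_bits, rate),
    }


if __name__ == "__main__":
    print("example password:", generate_password())
    for k, v in compare().items():
        print(f"{k:>14}: {v:.3g}")
```

Note that the entropy figures hold only for the generator’s output; a human-chosen password of the same length has far less, for exactly the reason the PIN table shows.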

Note: This commentary was originally published in Philosophy in Action’s Newsletter before the broadcast. Subscribe today!

  • facebook-502752253 is relevant, and fun too!

  • James Hancock

    Your only problem with anything that stores passwords for you online, such as the ones mentioned, is that the one party that you need to protect yourself against most (the government) is the one that can easily get the passwords, and they don’t even need a warrant; they can just write themselves a piece of paper and they’re good to go.

    • Andrew Dalton

      I’m not sure I understand this. Using a password manager app does not make you any more vulnerable to the government, practically or legally.

      • James Hancock

        If the passwords are stored online by the password manager app (i.e. any app that allows you to access them in a browser, or any app that allows you to access them across a phone(s) and the web, or anything similar), that means the passwords are stored (presumably encrypted) on a 3rd party’s web site.

        As soon as they’re stored on the 3rd party’s website, by the definition of a password manager allowing you to retrieve the password, the password encryption is reversible, which means that the encryption can be undone by the 3rd party and be viewable in plain text by anyone that has access to the 3rd party.

        The government, under the Patriot Act, can write their own warrants and hand them to the 3rd party, and tell the 3rd party not to tell anyone else that they did so. As a result, the government can get all of your passwords for everything. Given that passwords are generally for 3rd party websites and other tools, you’re basically handing the government all of your private data that you have stored anywhere on any other website, bank, or utility.

        Thus by using a password manager you are making it trivial for the government to have access to everything, AND KNOW WHERE YOU HAVE ACCOUNTS instead of having them guess what services you use.

        In this day and age where knowledge is criminal that’s not a good thing. Thus keeping your passwords securely with you on an encrypted thumbstick with password or similar is the only option if you want to make it even marginally difficult for the government to get at your stuff.

        Also note, that once the Senate gets around to CISPA or whatever variant of the week they finally slip by congress and the president Federal Reserve Act style, the government will be able to monitor everything you do and say online without warrant.

        • Andrew Dalton

          But your accounts for which you use your passwords are also held by third parties. How does a password manager change anything significantly for government, which already has immense resources to spy on you if it wants to? If anything, access to the password manager would just save them a small amount of time. Do you really think that the FBI or any other federal agency is going to be stumped trying to figure out where you have your bank account?

          I agree with you that the government has immense and scary powers (such as National Security Letters) that it shouldn’t have, and which are a threat to all of us. But I also agree with Yaron Brook who recently said that it’s naive for any individual to think that he can do A, B, C, etc. and protect himself from being spied on. The only solution is for people to change the government policies at their source.

          • facebook-520358893

            The point is that if all my passwords only exist in my head or in an encrypted file using encryption that the government cannot easily hack (or not at all, as in the case that was just decided by a US judge in favor of the 5th Amendment, amazingly, where she ruled that the defendant could not be compelled to provide the encryption key to his data), then I’m far more secure against government intrusion than if my passwords are easily retrievable with a simple phone call and a faxed self-permission letter by the FBI.

            I’m not particularly worried about banks. I’m more worried about things that you download that the government doesn’t like, or documents that you write whose contents the government might not like, etc. Given that the 4th Amendment was just rendered a dead letter in Boston (and previously by the Patriot Act), this type of thing becomes VERY important.

            No online service, or one that syncs your data for you like 1Password (your passwords still go through their or others’ servers, like Dropbox’s, and thus are interceptable), is secure. Even peer-to-peer services are only as secure as both parties in the transaction and the encryption stopping eavesdropping at your ISP level.

            Sad to say, but today anyone with a Ron Paul bumper sticker is on a watch list (admitted by Big Sis Napolitano), and any indication of support of Ayn Rand likely gets you the same treatment, although no one to my knowledge has asked, nor has the government volunteered that information.

          • Diana Hsieh

            LET ME SAY IT AGAIN: 1Password can sync with devices without going through any online service or server. It syncs directly via your own wifi.

            If you’re going to make an argument about privacy and government intrusion and whatnot… FINE. But how about getting the basic facts relevant to the post straight?!?

          • facebook-520358893

            LET ME SAY AGAIN: If you use their service to do it, or you use Dropbox or any other similar service, it isn’t. If you’re sneaker-netting it on a wire (not wifi, which isn’t secure), then fine, but that isn’t its intention or its marketing materials per their website (which I read extensively, and as a programmer that has worked with defense and spy agencies I know what I’m talking about). It goes over an external wire (or airwaves) and it’s not private from the government, which only allowed the increase from 48-bit encryption, then 64-bit, then 128-bit and now 256 (in the US only) because they had already either cracked the encryption and can do it in near real time, or because they got a back door installed by the creators of the software. (See Microsoft NTLM encryption with NSA backdoor keys.)

            If it’s on your mobile phone, it isn’t secure. As evidenced by the software that the carriers install on your phone and then hide so you can’t see it (Carrier IQ is but one of them; look it up), they’re monitoring everything you do, every website you go to and all of the data on your phone, both for their own purposes and for the government’s. As evidenced by the President giving pardons to AT&T et al. for snooping on cell phones, land lines, etc. without a warrant being issued, it has happened and continues to happen. (See the story about CISPA already being enacted by the WH, bypassing the law, with CISPA just being an excuse to make what’s already happening legal, in multiple papers in the last 2 days.)

            I’m simply trying to do you a favor and tell you all what’s happening and what is secure or not, from the perspective of someone that built (some of) the stuff that the government uses. (In Canada, under Echelon, back before the US could spy on its own citizens and had other countries spy for them.)

          • Andrew Dalton

            Again, I’ll go back to the general idea of my earlier comment, but more directly: So what?

            What is the evidence that any individual can stop the government from spying on him? Assuming that all of your technical claims are true (and remember, to the rest of us you’re still just Random Internet Commenter), then the overwhelming conclusion would have to be that the government can and will spy on you, period … NOT that the government can spy on you unless you do X, Y, and Z.

        • Diana Hsieh

          1Password doesn’t store passwords on its server. It uses other methods to sync passwords to your browser and devices.
