Why are People still selecting Weak Passwords?
If you have followed security news over the past few days you have surely noticed that several sites were hacked in one way or another. One of them, the Yahoo Voices service, even stored user passwords and account information in plain text, which is one of the biggest no-nos in the development world.
The reason for this is simple. Let's imagine an attacker manages to get hold of two user databases: one where the passwords are stored as hashes (ideally salted, using a deliberately slow hash) or are otherwise protected, and one where they are listed in plain text.
To gain access to user accounts, the attacker would first have to crack the passwords in the first database, that is, hash one guess after another and compare the result against each stored value. Weak passwords fall within the first few guesses; a long random one does not. In the second database nothing needs to be done, because all the data is already there in plain sight.
A plain text database, on the other hand, gives security researchers insight into how users choose passwords. In the case of Yahoo Voices, they discovered that the most common passwords are exactly what they were ten or even fifteen years ago. Passwords like "password", "123456" or "qwerty" are considered weak for a variety of reasons, including the fact that they sit at the top of the list whenever a password database is analyzed, which also makes them the first guesses any attacker tries. Some are even used in movies to break into a computer.
In the case of Yahoo Voices, it would not really have mattered whether you had selected "princess" as your password or "gGwPywfzNjPOnlKE98J,", as both would have been listed in plain text in the database.
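To make the difference between the two databases concrete, here is an added example (not code from the original article or from Yahoo) that stores a few constructed accounts as salted PBKDF2 hashes and then runs a small dictionary attack against them with a constructed ten-entry wordlist. The user names, the wordlist and the iteration count are assumptions made for the demo; the two passwords are the ones from the text above.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2, kept modest so the demo finishes in about a second.
# This is an assumption for the example, not a production recommendation.
ITERATIONS = 50_000

# Constructed sample accounts: two perennial weak choices and the strong
# random string quoted in the article.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "princess",
    "bob": "123456",
    "carol": "gGwPywfzNjPOnlKE98J,",
}

# Constructed mini wordlist standing in for the top entries of a leaked list.
TOP_PASSWORDS: List[str] = [
    "123456", "password", "qwerty", "princess", "abc123",
    "letmein", "12345678", "iloveyou", "111111", "monkey",
]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt per user means two users with the same
    password get different digests, so one cracked hash says nothing
    about any other account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for a candidate and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a site should store: username -> (salt, digest), never the password."""
    return {name: hash_password(pw) for name, pw in users.items()}


def dictionary_attack(db: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Simulate an attacker holding the stolen hashed database.

    Because of the per-user salt every guess costs one PBKDF2 computation
    per account.  Weak passwords fall within the first few guesses; a random
    20-character string is in no wordlist and survives."""
    cracked: Dict[str, str] = {}
    for name, (salt, digest) in db.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[name] = guess
                break
    return cracked


if __name__ == "__main__":
    db = build_user_db(SAMPLE_USERS)
    print("Plain-text database leaks everything:", SAMPLE_USERS)
    print("Hashed database after a dictionary attack:", dictionary_attack(db, TOP_PASSWORDS))
```

Running it recovers "princess" and "123456" after a handful of guesses, while the random string is never recovered; with the plain-text database there is nothing to recover in the first place. Note that hashing only protects the users who chose something not on the attacker's list, which is exactly why the password itself still matters.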
What people should ask instead is why users are still selecting these weak passwords and not secure ones. At a time when password managers are available free of charge, it does not make much sense that these passwords still top the popularity lists.
There are two parts to the answer. First, users select these passwords because they can.
And second, because site operators let them. If you operate a website or service, you should obviously make sure not to store your users' passwords in plain text.
Next to that, you could also come up with password rules that make it impossible for users to select weak passwords. What could those look like? You could for instance raise the minimum password length to ten characters and require at least one number and one special character in the password, and you could reject outright the handful of passwords that top every leaked list.
If you think that will turn away some users who try to register but fail, you are probably right. But it is very likely that the majority will simply select a secure password instead if they really want to join the service.
In turn, their passwords are better protected from attackers who try to brute force their way in, either via the web front end or by getting hold of a database that stores the password information.
Another option would be to display suggestions on the sign-up page. You could suggest that users pick passwords of a certain minimum length without enforcing those rules. While that would certainly get some to pick secure passwords, others would possibly ignore the suggestions and select the easy-to-remember "qwerty" instead.
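The rules sketched above (ten characters minimum, at least one number and one special character) are easy to implement; the added example below, which is not code from the original article, does so and also models the difference between enforcing the rules and merely suggesting them. The denylist of common passwords and the test strings are constructed for the demo; the normalisation step is a deliberately simple assumption that shows why a length-and-character-class rule alone still lets "Password1!" through.

```python
import string
from typing import List

MIN_LENGTH = 10  # the ten-character floor suggested above

# Constructed denylist of perennial top passwords, the kind the article names.
# A real deployment would load a far larger list built from leaked-password data.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "princess", "abc123",
    "letmein", "12345678", "iloveyou", "111111", "monkey",
})


def check_password(password: str) -> List[str]:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters long")
    if not any(ch.isdigit() for ch in password):
        problems.append("must contain at least one number")
    if not any(ch in string.punctuation for ch in password):
        problems.append("must contain at least one special character")
    # Length and character-class rules alone still accept "Password1!", so also
    # compare against the denylist, ignoring case and any digits or punctuation
    # bolted onto a common word.  This is a simple normalisation chosen for the
    # example; a real check would be broader.
    lowered = password.lower()
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("is based on a commonly used password")
    return problems


def signup_decision(password: str, enforce: bool = True) -> str:
    """Model the two approaches above: hard rules that reject, or suggestions only.

    Returns "accepted", "rejected" (enforced mode) or "accepted with warning"
    (suggestion mode, where the weak password goes through anyway)."""
    problems = check_password(password)
    if not problems:
        return "accepted"
    return "rejected" if enforce else "accepted with warning"


if __name__ == "__main__":
    for candidate in ["qwerty", "Password1!", "gGwPywfzNjPOnlKE98J,"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'} -> "
              f"enforced: {signup_decision(candidate)}, "
              f"suggested: {signup_decision(candidate, enforce=False)}")
```

"qwerty" breaks all four rules, the random 20-character string breaks none, and "Password1!" satisfies the length and character rules but is still caught by the denylist. In suggestion mode the weak candidates are accepted with a warning, which is precisely the gap the paragraph above describes.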
What's your answer to the question? Do we need stricter password guidelines to improve password security? Or different systems that replace traditional passwords? Let's discuss in the comment section below.