What Password Security do you Have if you just Pick your Phone Number
Back in the 90s, when the whole Internet thing had just started, people reacted in one of two ways when an e-mail sign-up form asked for a password. They would either take it far too seriously and make up a ridiculously complicated password that they would forget about 3 seconds later, or they would take it as a joke and type in a password like 12345, Iloveyou or 11111. In today's world of Chinese government break-ins into Gmail, hackers and spies, the world's e-mail programs are demanding a little more sophistication from us, and we need to type in six characters with at least one number. Little do they know, we're just going to come up with something like 123abc or 1a1a1a. When it comes to password security, it is safe to say that people don't believe anyone would care about their e-mail enough to want to hack into it.
Researchers have looked into the passwords people like to use for their e-mail and for the website memberships they sign up for, and weak passwords seem to be an epidemic: a quarter of all Internet users use hopeless passwords like these. Girlfriends' first names happen to be particular favorites too. There was a security breach recently at an Internet company that makes Facebook apps; they posted their entire database of passwords on the Internet for a few minutes. Some hacker must have found it in those minutes and downloaded the entire set of tens of millions of passwords. To human behavior analysts and to people who study computer security, this was an insight into password behavior unlike any other; forensics students, software makers, just about anyone with an interest in the way people behave around computers, are studying this unusual treasure trove of information. They found that 123456 was still the crowd pleaser, used by about one in a hundred people. Other very popular lame passwords were thoughtful ones like QWERTY. They found that about one in five people picked from a pool of maybe a couple thousand possible passwords, no more. What does this say about password security on the Internet?
All a hacker would have to do is write a basic program that tries all of the very common passwords, and one time in five he would hit pay dirt. A good average computer could probably try password combinations 1000 times every second, so an automated program could probably break open a typical e-mail account in about 2 seconds. Some websites think it's a smart move to freeze an account after too many wrong guesses have been made in a short period of time. But hackers don't have just one account to play with; they have millions. Their automated software could try a couple of guesses on each account and move on to the next, so that by the time it comes around to the first account for another bash at it, the account has had some time to recover. And in some cases, freezing an account is not a great solution for password security either.
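The "a couple of guesses per account, then move on" pattern just described never trips a per-account lockout counter, but it shows up clearly when failed logins are counted per source across accounts. The Python below is an example added here, not code from the original post: it runs both checks over a constructed sample log; the log format, the thresholds and the function names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not real data): "<ISO ts> <source IP> <account> <FAIL|OK>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:01 203.0.113.7 bob FAIL
2024-01-01T10:00:02 203.0.113.7 carol FAIL
2024-01-01T10:00:03 203.0.113.7 dave FAIL
2024-01-01T10:00:04 203.0.113.7 erin FAIL
2024-01-01T10:00:30 198.51.100.9 alice FAIL
2024-01-01T10:00:31 198.51.100.9 alice FAIL
2024-01-01T10:00:40 198.51.100.9 alice OK
"""
PER_ACCOUNT_LOCKOUT = 5          # wrong guesses that would freeze one account (assumed policy)
WINDOW = timedelta(minutes=5)    # look-back window for per-source counting (assumed)
MAX_DISTINCT_ACCOUNTS = 4        # one source failing on more accounts than this is suspect (assumed)

def parse_log(log_text):
    """Yield (timestamp, source, account, result) for each non-empty log line."""
    for raw in log_text.splitlines():
        if raw.strip():
            ts, src, account, result = raw.split()
            yield datetime.fromisoformat(ts), src, account, result

def locked_accounts(log_text):
    """Accounts a per-account counter would have frozen (the lockout the text describes)."""
    fails = defaultdict(int)
    for _, _, account, result in parse_log(log_text):
        if result == "FAIL":
            fails[account] += 1
    return {a for a, n in fails.items() if n >= PER_ACCOUNT_LOCKOUT}

def find_spray_sources(log_text, window=WINDOW, max_accounts=MAX_DISTINCT_ACCOUNTS):
    """Return {source: accounts} for sources whose failures inside one window touch
    more than max_accounts distinct accounts; per-account lockout never sees this."""
    by_src = defaultdict(list)
    for ts, src, account, result in parse_log(log_text):
        if result == "FAIL":
            by_src[src].append((ts, account))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):           # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged[src] = accounts
                break
    return flagged
```

On the sample log no account reaches the lockout threshold, yet the first source is flagged for failing against five different accounts within seconds.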
If you were on an auction site like eBay and you really wanted to win an auction, you would only have to lock out all the other competitors for the item you have your eye on, by trying to get into their accounts with the wrong password several times and freezing everyone out of their own IDs. How could they compete against you if they had no access to their accounts? But really, password security is all about having one password that is really hard to guess and really secret. You could use that one password on the entire Internet, and you would be safe.