More Password Folly

This is the season when we usually learn about the list of the most popular—and hence vulnerable—passwords … and this year is no exception. From evaluating “millions of leaked passwords,” Splashdata determined which were the most easily hacked. Topping the list is “123456,” followed by “password.” One commenter thought that the twentieth password, namely “!@#$%^&*” was a strong password, not realizing that it is merely uppercase “12345678.”

Phoebe Weston provided the full list with recommendations for strengthening passwords in a December 14, 2018 Daily Mail article, “The 25 worst passwords of 2018 ….” Available at

The main problem with providing such a list is that you aren’t given the VALUE of what is being protected by these passwords. I discuss the value of aspects of security metrics in my article “Accounting for Value and Uncertainty in Security Metrics,” which appeared in the ISACA Information Systems Control Journal, in November 2008.

This issue was highlighted by, of all people, a well-known standup comedian, when he ranted about having to log into an online account in order to pay a bill. Indeed, he said, he would be happy if someone hacked into his accounts and paid his bills on his behalf! Interestingly, I discovered that one of the companies, whose bills I pay online, no longer requires you to log in if you are making a single payment … just name and account number. Now you’re talking!

Getting back to the annual publicizing of the “worst passwords,” I have three main comments. One is that the list is not as useful as it would be if we knew the value of what was being protected. Of course, it is much easier to collect pure password data than to try to understand the value at risk for each password, as I pointed out in my ISACA article.

Second, we should not have to depend on users to select the strength of passwords. Of course, many websites do evaluate password strength and do not allow weak passwords to be used. But many others don’t.
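The kind of server-side check the paragraph refers to, as an added illustration rather than code from the post or from any site it mentions. It rejects the entries the post itself names (only those four are embedded here; a real deployment would load the full published list or a larger breach corpus) and canonicalizes the digit row of a US keyboard so that the shifted form “!@#$%^&*” is caught as “12345678” instead of slipping past as a “strong” symbol-only password. The minimum length and the exact reason strings are my own choices.

```python
import re

# Constructed blocklist: only the passwords named in the post. A real check
# would load the whole published list (or a breach corpus) from a file.
KNOWN_WEAK = {"123456", "password", "12345678", "!@#$%^&*"}

# US-keyboard mapping of the shifted digit row back to the digits, so that
# "!@#$%^&*" is recognised as "12345678" typed with Shift held down.
_SHIFTED_DIGITS = str.maketrans("!@#$%^&*()", "1234567890")

DIGIT_RUN = "0123456789"


def normalize(password: str) -> str:
    """Canonical form used for comparison: lowercase, shifted digit-row
    symbols mapped back to digits."""
    return password.lower().translate(_SHIFTED_DIGITS)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Checks, in order: minimum length (assumed policy value), membership in the
    blocklist in either raw or canonical form, keyboard-sequence digits
    (12345..., 98765... and their shifted variants), and single repeated
    characters.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    canon = normalize(password)
    if password in KNOWN_WEAK or canon in KNOWN_WEAK:
        reasons.append("appears on the known-weak password list")

    # Pure digit run that is a slice of 0..9 ascending or descending.
    if canon.isdigit() and (canon in DIGIT_RUN or canon in DIGIT_RUN[::-1]):
        reasons.append("digits in keyboard sequence")

    # "aaaaaaaaaaaa" style: one character repeated.
    if re.fullmatch(r"(.)\1+", canon):
        reasons.append("single repeated character")

    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "Password", "!@#$%^&*", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The point of the `normalize` step is the one the commenter missed: symbol-only strings that are just a shifted keyboard row have the same guess space as the digits underneath them, so a strength check that counts character classes without canonicalizing will score them far too high.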

And third, as I pointed out in my article, “The Demise of Passwords: Have Rumors Been Exaggerated?” in the ISSA Journal of May 2005, it doesn’t matter that you have a very complex password if either the password file is captured and subjected to brute-force guessing, or if you are persuaded by a social-engineering trick, such as spear phishing, to give up your password on a fake website. This was more recently stated in a ComputerWeekly article, “Security Think Tank: Complex passwords provide a false sense of security,” by Tim Holman on July 4, 2018, available at:

So here we are, more than thirteen years after my first article on the topic, no further ahead and arguably falling behind in the use of passwords to manage access. Let’s at least introduce value-based metrics into the mix so that we are not overprotecting low-value assets and under-protecting critical, high-value data. And let the hackers pay our bills for us!
