It shouldn’t be surprising that passwords suck

It seems that pretty much every month there’s an article about how everyone’s password is terrible. Moms break out in a cold sweat and geeks snicker in their supremacy about the same list we’ve all seen before, in a different order:

  1. password
  2. 12345
  3. qwerty
  4. 111111
  5. etc.

Now let’s be clear, this is a bad thing. Everyone should really be using a password manager, or at least be creating strong passwords over 8 characters long with capital letters, numbers, and symbols. I’m not going to defend anyone’s bad password, but I am going to make the case that it shouldn’t be surprising that the vast majority of passwords are complete crap.

Old Passwords

Probably the biggest thing to consider here is that most of these passwords are very old. YouTube just turned 12. Facebook is 13. Google is 18. eBay and IMDb are of legal drinking age in the United States. How many of these accounts do you think were created in the last year? How about the last 5 years? A lot of these passwords were probably chosen before picking a strong password became a mainstream idea and before password managers were even really a thing. That isn’t an excuse: everyone should still go back and change their passwords, but for the average joe there really isn’t much incentive to do that.

Dead Accounts

Now consider how many of those accounts are probably even still active. Do you remember what your RuneScape password is? Neither do I, but I can guarantee you it was terrible, and I can tell you the password to whatever email account I used back then was terrible too. All in all I’ve probably had at least 8 different email accounts in my life. Obviously, most of these I just don’t use anymore: they were meant to be temporary (work and school), they got bogged down in spam, or they were just on a crappy old platform that I didn’t want to use anymore. So when I really stop to think about every account I’ve ever made, I’ve probably made way more bad passwords than good ones, and you know what? I’m realistically not going to do anything about that.

You’ve also got to consider all of the default passwords that are probably still hanging around, but we can go ahead and give those system administrators a hard time for that. They should know better.

Ding Dongs

Finally, there’s always the ignorant. A lot of people just don’t care about how strong their passwords are. Becky doesn’t know what a secure password looks like or why she needs one, and it’s really not her fault — no one ever taught her. Ted doesn’t care about the security of his Twitter account. He made it in a hurry so he could follow his favorite sports team, and he doesn’t use it much anyway. Yeah, it’s also the same password he uses for his credit card accounts, email, and online banking, but it’s “what he’ll remember”. Jimmy doesn’t care about his security. Becky and Ted have never had their accounts compromised… he thinks. Anyway, the conclusions that everyone jumps to regarding the computer literacy of the average password creator must have some truth to them, but even considering that, we just shouldn’t be so surprised that all these passwords are bad and lame.