… and why wasn’t it popular at LinkedIn?
Studies of databases cracked from various sites over the years have consistently shown the word “password” to be prominent among the world’s most common passwords, usually in the number 1 spot.
Yet in the recently lifted LinkedIn database the most common password appears to have been “link”, with “password” apparently appearing nowhere in the top 25.
Once upon a time—over 20 years ago—a friend told me she’d had a great idea. She should set her Unix system password to “password”. Nobody would ever guess it. It would be hiding in plain sight.
I didn’t think it was a good idea, but I do remember thinking it was a novel one. I don’t know how serious she was. Certainly not serious enough to have actually done it: even then we were aware that “password” was a bad password because it was a word and words will be guessed sooner or later.
Since then “password” has repeatedly come up as a common real choice for passwords.
Why so popular?
- Does everyone have the same great idea as my friend did?
- Are they wildly casting around for anything they can type in the field, and “password” just happens to be the word sitting next to it?
- Are they choosing it deliberately in order to maximise their chance of remembering it next time?
- Is there some cultural thing I’ve missed, maybe a film in which “password” is shown as someone’s password that seeded all the subsequent uses?
I suppose another possibility is that it’s the default password set by some admin tool. I can’t remember ever seeing an admin tool that did that myself, though, and I’ve seen a few.
Some years later, a colleague handed me a laptop to use for a demo.
“The user name and password are on a Post-It note on the screen”, he said. “So you mustn’t lose it, or we’ll be stuffed.”
I opened the laptop and there was the Post-It note.
“Username: admin”, it said. “Password: password”.
But why doesn’t it appear in the top 25 passwords from the LinkedIn database?
Is the analysis wrong?
I’d like to think that LinkedIn had measures in place to prevent people from setting such simplistic passwords, but, um, most of the other popular choices are equally simplistic.
And a company that loses 6.5m hashed-but-not-salted passwords probably isn’t doing much else for password security.
Besides, “password” does appear in the database, by all accounts. (I haven’t seen the SHA-1 database myself.) It just wasn’t among the popular ones in that particular analysis.
The Breakfast Post 
My guess would be that LinkedIn blocked people from using “password”. About the only sensible thing they *did* do.
So, is using something like OpenID a good idea? In theory, the few OpenId providers people use should be very secure as the specialise in it. Or is it risky to put all your eggs in one basket. I guess at least it should be easy to revoke all tokens if you realise you’ve been compromised but is that too late?
I’d use it (eg with my Google account which also has two factor authentication enabled requiring me to enter a number from an app running on my phone) but I can see massive support headaches and re-education problems.
Looking again at the post that claims to list the most popular LinkedIn passwords, all of them have far lower frequencies than one might expect the most popular choices to have. Perhaps they all come from old accounts, and LinkedIn subsequently tightened up their rules. Or something.
As to what makes the best approach for password management: there’s two sides to that. There’s the question of what we as individuals — the sort of users who actually talk about passwords — can do to improve our own security. Then there’s the question of what we should do as people who run sites and can make decisions about password management (even if we are not influential enough to change much in the wider world).
For us as individuals, it’s surely far better to log in via Google (or Facebook, or whatever) at sites that support it and then to use the strongest possible passwords and security settings at our security provider. The weakest link always seems to be the password database on the server, so if you can avoid stuffing anything in that, you’re surely better off.
For me as a site operator, I would find it quite painful to offer login only using a single provider, especially since the most widely used provider (Facebook) is one that I don’t even use myself. Offering generic OpenID isn’t much help, though — I have a site with relatively technical users that supports OpenID, and the last time I checked, zero users (out of a hundred or so) were actually using it. Even so, something like “log in with your Facebook or Google account” and no local password database is probably good practice if your software supports it and you can stomach being so dependent on third party providers. Apart from anything else, at least that way you’ll never be in the news because your password database has been stolen.