Why is “password” such a popular password…

… and why wasn’t it popular at LinkedIn?

Studies of databases cracked from various sites over the years have consistently shown the word “password” to be prominent among the world’s most common passwords, usually in the number 1 spot.

Yet in the recently lifted LinkedIn database the most common password appears to have been “link”, with “password” apparently appearing nowhere in the top 25.

 

Once upon a time—over 20 years ago—a friend told me she’d had a great idea. She should set her Unix system password to “password”. Nobody would ever guess it. It would be hiding in plain sight.

I didn’t think it was a good idea, but I do remember thinking it was a novel one. I don’t know how serious she was. Certainly not serious enough to have actually done it: even then we were aware that “password” was a bad password because it was a word and words will be guessed sooner or later.

Since then “password” has repeatedly come up as a common real choice for passwords.

Why so popular?

  • Does everyone have the same great idea as my friend did?
  • Are they wildly casting around for anything they can type in the field, and “password” just happens to be the word sitting next to it?
  • Are they choosing it deliberately in order to maximise their chance of remembering it next time?
  • Is there some cultural thing I’ve missed, maybe a film in which “password” is shown as someone’s password that seeded all the subsequent uses?

I suppose another possibility is that it’s the default password set by some admin tool. I can’t remember ever seeing an admin tool that did that myself, though, and I’ve seen a few.

 

Some years later, a colleague handed me a laptop to use for a demo.

“The user name and password are on a Post-It note on the screen”, he said. “So you mustn’t lose it, or we’ll be stuffed.”

I opened the laptop and there was the Post-It note.

“Username: admin”, it said. “Password: password”.

 

But why doesn’t it appear in the top 25 passwords from the LinkedIn database?

Is the analysis wrong?

I’d like to think that LinkedIn had measures in place to prevent people from setting such simplistic passwords, but, um, most of the other popular choices are equally simplistic.

And a company that loses 6.5m hashed-but-not-salted passwords (plain SHA-1 with no per-user salt, so every user who chose the same password has the same hash, and one cracked hash cracks all of them) probably isn’t doing much else for password security.

Besides, “password” does appear in the database, by all accounts. (I haven’t seen the SHA-1 database myself.) It just wasn’t among the popular ones in that particular analysis.
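As an added illustration of the "hashed-but-not-salted" point above (this is example code written for this page, not anything from the post's author or from LinkedIn), the Python below builds a small unsalted SHA-1 database from a constructed list of passwords, shows that the most popular passwords can be read off by simply counting identical hashes before a single hash is cracked, and then cracks them with a tiny wordlist at a cost that does not grow with the number of users. The same list hashed with a random per-user salt gives no collisions to count and forces a separate wordlist pass per user. The user list and wordlist are made up; no real leaked data is used.

```python
"""Added example: what an unsalted SHA-1 password database gives away,
compared with the same passwords hashed with a per-user salt.
The passwords and wordlist are constructed for this example only."""
import hashlib
import os
from collections import Counter

# Constructed sample of what a handful of users chose (made-up data).
CONSTRUCTED_PASSWORDS = [
    "link", "link", "link", "password", "password", "123456",
    "linkedin", "link", "correct horse", "password", "qwerty",
]

# A tiny stand-in for the wordlist a cracker would actually use.
WORDLIST = ["123456", "password", "link", "linkedin", "qwerty", "letmein"]


def sha1_hex(text: str) -> str:
    """Plain SHA-1 of the password, which is how the leaked database was built."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def unsalted_db(passwords):
    """Hash each password with no salt: identical passwords -> identical hashes."""
    return [sha1_hex(p) for p in passwords]


def salted_db(passwords):
    """Hash each password with a random 16-byte per-user salt.
    Returns (salt_hex, hash_hex) pairs. Salted SHA-1 is still far weaker than
    bcrypt/scrypt/Argon2; the point here is only what the salt does to the
    analysis and cracking functions below."""
    out = []
    for p in passwords:
        salt = os.urandom(16)
        h = hashlib.sha1(salt + p.encode("utf-8")).hexdigest()
        out.append((salt.hex(), h))
    return out


def most_common_hashes(hashes, n=3):
    """Frequency count of raw hashes. With no salt this is a frequency count
    of passwords, so the popular ones are visible before any cracking."""
    return Counter(hashes).most_common(n)


def crack_unsalted(hashes, wordlist):
    """Hash the wordlist once and look every leaked hash up in the table.
    Cost: len(wordlist) hashes, regardless of how many users leaked."""
    table = {sha1_hex(w): w for w in wordlist}
    return {h: table[h] for h in set(hashes) if h in table}


def crack_salted(entries, wordlist):
    """With per-user salts no table can be shared: each user costs a full
    pass over the wordlist, and users with equal passwords no longer collide."""
    cracked = {}
    for salt_hex, h in entries:
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            if hashlib.sha1(salt + w.encode("utf-8")).hexdigest() == h:
                cracked[h] = w
                break
    return cracked


if __name__ == "__main__":
    db = unsalted_db(CONSTRUCTED_PASSWORDS)
    print("unsalted: most common hashes", most_common_hashes(db, 2))
    print("unsalted: cracked", crack_unsalted(db, WORDLIST))
    sdb = salted_db(CONSTRUCTED_PASSWORDS)
    print("salted: distinct hashes", len({h for _, h in sdb}), "of", len(sdb))
    print("salted: cracked", len(crack_salted(sdb, WORDLIST)), "users")
```

Run as a script it prints the two most common unsalted hashes (four users on "link", three on "password") and the five distinct passwords the six-word list recovers, then shows that the salted version has eleven distinct hashes for eleven users and still gets ten of them cracked, but only by hashing the wordlist once per user. The frequency-count step is the one to remember: an analyst producing a "top 25" from an unsalted dump does not need to crack anything to rank the hashes, only to crack the ones at the top of the ranking.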

 

The other Internet

Facebook aims to go public

So far I’ve mostly thought of Facebook as the other Internet.

It’s an Internet that contains all the stuff I don’t really want to know. A site with the handy property that almost everything on it requires you to log in to see it, meaning that I never see any of it and so can’t worry about it. Their login policy provides peril-sensitive sunglasses for the Internet user.

As the reach of their user database and APIs increases, the number of other sites needing a Facebook login increases too, and the proportion available without one diminishes.

But the Internet was inevitably going to fragment and warp. When I started using it, it was still possible to think that the set of one’s peers and potential friends on the Internet was “all the other people who use the Internet”. Now everyone uses it, and subsets of users can expect to use subsets of the Internet. The Internet-that-doesn’t-involve-Facebook keeps growing, even as its proportion of the whole shrinks.