Passwords Are A Lot Like Halloween Costumes
It may seem like an odd comparison, but passwords do bear a lot of resemblance to Halloween costumes. Try to remember all of the bad Halloween costumes you’ve ever seen. How many of them were unoriginal, poorly executed, or just plain bad? If you downloaded a list of all the passwords used today, you would likely look at them in the same manner!
Bed sheets do not a Halloween costume make, and using a plain and downright generic password does not provide much in terms of security. In this infographic I cite information from this blog post. In it the author describes his collection of six-million unique username/passwords combinations which, once processed and sorted, show that 99.8% of the accounts use the same 10,000 passwords.
How many generic movie monster costumes do you see every Halloween? Sure, sometimes people do a good job on the costume, but P@55w0Rd is still a bad password despite it being better than “password”.
Have you ever seen someone in a costume that seemed to be an amalgamation of a few years’ worth of Halloween costumes? Seeing a vampiric Frankenstein is funny the first time but, just like with the password equivalent, it falls short every time after the first. If you take any two of the passwords on this list and combine them, the result is still not a good password. Sure, it is a “stronger” password, but it’s stronger in the same way as adding a “1” to the end of “password” is. It’s a cop-out when people do it with costumes, and with passwords it’s just as bad.
I guess the big lesson to be learned here is that people, when left to their own devices, tend to be rather unimaginative. Unfortunately, there’s not a lot you can do to change human nature. That still leaves some possibilities for improving your users’ password strength. The easiest thing would be blacklisting the top 10,000 passwords in that article, although that only helps a little bit. Talking to your users about password security techniques can make a world of difference. Even if your encouragement only moves them from a weak password to a slightly stronger one, that is a step in the right direction.
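As an added example (not code from the original post or from the list it cites), here is a small password denylist check that goes a little beyond a plain exact-match blacklist: it normalizes the common substitutions seen in passwords like P@55w0Rd, strips a trailing “1” or “!”, and rejects passwords that are simply two denylist entries glued together, as described above. The seven-entry `COMMON_PASSWORDS` set is a constructed stand-in for the 10,000-entry list; the `LEET_MAP` substitution table is an assumption about which character swaps are worth undoing, not a rule from the post.

```python
import re

# Constructed stand-in for the top-10,000 list the post cites; a real
# deployment would load that list from a file into this set.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "monkey", "dragon", "football",
}

# Assumed table of common "leet" substitutions to undo before comparing.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "5": "s", "$": "s", "7": "t",
})


def normalize(password):
    """Reduce a password to the plain word it is probably built from.

    Lower-cases, drops a trailing run of digits/symbols (the "password1"
    pattern), then undoes leet substitutions so P@55w0Rd becomes password.
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password, denylist=COMMON_PASSWORDS):
    """Return a rejection reason, or None if the password passes the denylist.

    Checks, in order: an exact (case-insensitive) match, a trivially
    disguised variant, and a concatenation of two denylist entries.
    """
    if password.lower() in denylist:
        return "exact match"

    base = normalize(password)
    if base in denylist:
        return "variant of common password"

    # Two weak passwords combined are still weak: try every split point.
    for i in range(1, len(base)):
        left, right = base[:i], base[i:]
        if left in denylist and right in denylist:
            return f"concatenation of '{left}' and '{right}'"

    return None


if __name__ == "__main__":
    # Constructed sample inputs covering each rejection path.
    for candidate in ["password", "P@55w0Rd", "password1",
                      "passwordqwerty", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The denylist lookup is a set membership test, so the check stays cheap even with the full 10,000 entries; the concatenation scan is linear in the password length and only runs after the two fast checks fail.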
If you’re not willing to take the risk, know there is too much at stake, or just want to improve the security of your systems currently secured by passwords, then why not look into a multi-factor authentication solution? While we always recommend strong passwords, multi-factor authentication allows you to mitigate the risk of weak passwords by requiring another factor, like a USB key, fingerprint scan, or smartphone app, in addition to the password your users already use.