For computer users, the password is: OBVIOUS

Most people are too predictable in their choice of personal codes, experts say.


January 06, 2002 | By Jennifer 8. Lee, New York Times News Service

The instructions are clear: Passwords are personal. Don't share them with friends. Don't leave them lying around. Change them often. In other words, treat passwords as if they were underwear.

Unfortunately, few people listen.

Passwords are supposed to be disposable and discreet. But instead people become sentimentally attached to them or leave them taped underneath their keyboards or on their monitors, to the dismay of computer-security professionals worldwide.

Even those who are vigilant about guarding passwords may reveal more than they think. As psychologists know, people and personalities are often very predictable in the aggregate, and thus so are passwords -- a reality that malevolent computer hackers often take advantage of.

"When you are thinking of something neutral to use as a password, whatever your obsession is will pop into your head," said Helen Petrie, a professor of human computer interaction at City University in London. "It's the new version of the inkblot or word-association test."

A recent survey of 1,200 employees of British companies by CentralNic, a London-based domain-registration company, showed half used passwords related to family -- passwords based on names, nicknames or birthdays of partners, children or pets.

Sometimes passwords can be cracked by security consultants with what is known as a "brute force" program, which may try every possible six- or seven-character combination. But in reality what emerges from the human mind is seldom truly random. So the more efficient computer programs systematically use extended dictionaries.

In an effort to mimic human behavior, many of the most powerful password-cracking dictionaries add twists beyond simply suggesting a word. They experiment with first and last names, sports teams, fictional characters, numbers, punctuation symbols and foreign-language terms. They reverse the spellings, string words together, substitute zeros and ones for the lowercase O and L and try popular keyboard sequences like qwerty.

They know how you think

At a million password attempts per second, password scanners used by today's security companies can be very efficient. In the typical corporation with 10,000 employees using Microsoft Windows, 20 to 50 percent of the Windows passwords could be determined in the first 20 minutes with an extended word-list attack, and 90 percent on the first day by adding a brute-force attack, said Chris Wysopal, director of research and development for @stake, a security company based in Cambridge, Mass., that produces a popular Windows password-auditing tool called LC3.

Less than one-tenth of all users, the most security-conscious, pick passwords based on random or semi-random sequences of letters, numbers and symbols. Even when people do use symbols, the most popular ones are the exclamation point, the dollar sign, the ampersand and the "at" symbol, Wysopal noted. The brute-force algorithms take this tendency into account, leaving more unusual characters like the tilde until the end.
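The article describes the order in which word-list tools guess: plain dictionary words first, then the same words reversed, with zeros and ones swapped for O and L, with digits or punctuation appended, and keyboard runs like qwerty. The defensive counterpart is an acceptance check that undoes those same transformations before comparing a proposed password against a word list, so that "l0ve123!" is rejected as "love" rather than accepted as a mixed-character string. The following is an added example, not code from the article, from @stake or from LC3; the word list is a constructed handful of the terms the article itself mentions and stands in for the large dictionaries a real deployment would load, and the minimum length of 10 and the three-character-class rule are assumed policy values.

```python
"""Password-acceptance check that normalizes candidates the way rule-based
word-list attacks do, so decorated dictionary words are caught at enrollment.
Added, constructed example; not the article's, @stake's or LC3's code."""
import string

# Constructed mini word list built from words named in the article.
# A real deployment loads a large dictionary (names, teams, characters, ...).
COMMON_WORDS = {
    "god", "sex", "money", "love", "stud", "goddess", "cutiepie", "hotbod",
    "secret", "password", "now", "incorrect", "qwerty", "letmein", "welcome",
}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Digit/symbol-for-letter swaps the article describes (0 for O, 1 for L) plus
# a few others crackers commonly try; assumed mapping for this example.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def _undo_leet(s):
    return s.translate(LEET_MAP)


def _strip_decorations(s):
    """Remove leading/trailing digits and punctuation ('love123!' -> 'love')."""
    return s.strip(string.digits + string.punctuation)


def candidate_bases(password):
    """Forms a rule-based cracker would try: lowercased, decorations stripped,
    leet undone, and each of those reversed. Empty strings are dropped."""
    low = password.lower()
    stripped = _strip_decorations(low)
    forms = set()
    for f in (low, stripped, _undo_leet(low), _undo_leet(stripped)):
        forms.add(f)
        forms.add(f[::-1])
    return {f for f in forms if f}


def is_keyboard_sequence(s, min_len=4):
    """True if s is a run along one keyboard row, forward or reversed."""
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def contains_dictionary_word(s, min_len=4):
    """True if any substring of length >= min_len is a common word; this
    catches words strung together or padded, e.g. 'studmuffin'."""
    return any(s[i:j] in COMMON_WORDS
               for i in range(len(s))
               for j in range(i + min_len, len(s) + 1))


def check_password(password, min_len=10):
    """Return a list of policy findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    bases = candidate_bases(password)
    if any(b in COMMON_WORDS for b in bases):
        findings.append("common word after undoing reversal/leet/decorations")
    elif any(contains_dictionary_word(b) for b in bases):
        findings.append("contains a common word")
    if any(is_keyboard_sequence(b) for b in bases):
        findings.append("keyboard sequence")
    # Count character classes present: lower, upper, digit, punctuation.
    classes = sum(1 for pred in (str.islower, str.isupper, str.isdigit)
                  if any(pred(c) for c in password))
    if any(c in string.punctuation for c in password):
        classes += 1
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


if __name__ == "__main__":
    for pw in ("l0ve123!", "qwerty2002", "doG!", "Studmuffin99!",
               "Corridor-Lantern-7Quartz"):
        print(pw, "->", check_password(pw) or "ok")
```

The point of `candidate_bases` is that every normalization a cracker's rule set applies is applied here too, before the comparison; a checker that only counts character classes would pass "l0ve123!" even though it sits in the first minutes of the word-list attack the article describes.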

Passwords, the "open sesame" of a computerized world, are thus the sieves of computer security. "When insiders go bad and want to steal information, a password attack is a very common thing," Wysopal said.

A systems administrator at a company that made employees change passwords every two weeks found that about 80 percent of the time, users either taped their passwords underneath their keyboards or used a variation on the date on which they were last required to change passwords.

Just call me 'studmuffin'

"God," "sex" and "money" are among the most popular passwords for those who are unschooled in computer security. At one shopping site with more than 20 million users that is popular with middle-aged women, the most popular password was "love."

Younger users tend to use self-laudatory terms. At a Web site that had 2.5 million registered users with an average age of 25, popular passwords were "stud," "goddess," "cutiepie" and "hotbod."

"There were so many 'studs,' it wasn't even funny," said Andrew Prihodko, a former technologist for the site, which he requested not be named. He said that male users tend to use words related to masculinity or profanity.

"Even though passwords are supposed to be absolutely secret, it's almost as if people are trying to show off with their passwords," said Petrie.

Trying to be clever, people will sometimes take cues from computer messages like "Enter your password now" or "The password is incorrect" and select passwords like "now" or "incorrect," said Gary McGraw, chief technology officer at Cigital, a software risk management company.

Spy or security-related terms like "secret" and "password" are popular, too.

"I thought I had a brilliant idea," said Guillemette Faure, a French journalist living in New York who used "password" for three years. "But then I read somewhere that it was very common."
