Here are the 25 most commonly used passwords for 2014. If your password is on this list, please understand that these passwords are among the first tried when automated password cracking software is used by a cyber-criminal. So if yours is here, change it now.
Passwords are becoming problematic for several reasons. The first, IMHO, is the use of email addresses as the user ID portion of the User/Password duo. The reason for this is that an email address is a unique identity item. I do remember, back in the day, trying to create a unique user name could be a long and frustrating process. Still, it is just too easy to get someone’s email address, and there you are, halfway home. I would prefer to use something that I create as my user name, and I appreciate it when I have that option.
The second reason passwords are not secure is that solving for a password is so easy. Passwords are stored in an encrypted form, but enterprising cyber-criminals have created tables of encrypted possibilities and plain-text solutions, so if I have a new list of password hashes, I can simply compare my encrypted passwords to the table using automated software, and solve for passwords in a few minutes. Even password length matters little if I am just comparing two lists of characters using automation.
So then we move to two factor authentication. Now I need my user name, my password, and in my own case, a 6 digit PIN that is replaced every 30 seconds by Google Authenicator, and displayed on my phone in the Authenticator app. This means that someone who has cracked my password also has to have my phone to log in to many of my accounts. With two-factor authentication I am considerably more secure.
Is there more that can be done? Tomorrow, we will look at another technology making its way into the world of authentication called “adaptive authentication.”