Following up on a recent post about Ashley Madison users’ password security (or rather lack of it!), we are being treated to more password ineptitude. At the same time, the UK’s GCHQ has published advice on choosing passwords, and points out the futility of complex passwords. The spy agency has recommended that businesses simplify their passwords, suggesting that it is not worth using long, complex ones.
GCHQ would probably chuckle, though, over the password selections made by some of Ashley Madison’s customer’s which have evolved from the ridiculous to the sublime – first batch appeared naively simple, with gems such as “12345”, while latest revelations show users choosing passwords such as “ishouldnotbedoingthis” and “thisiswrong”.
They could probably benefit from the GCHQ’s report, entitled “Password Guidance: simplifying your approach”, which recommends using passwords made only from three random words, and eschewing complex passwords.
But by any measure, the Ashley Madison passwords extracted by CynoSure Prime Industries (CPI) resemble pleas, excuses or admissions, and are not complex – just infantile. As of a few days ago, CPI has cracked over 11 million passwords, and is likely soon to add millions more to that. These reveal a pattern that is startling, amusing, and somewhat pathetic, given the serious nature of what the users of Ashly Madison were about to do…
With entries including “goodguydoingthewrongthing”, “ishouldnotbedoingthis”, “thisiswrong”, and “whatthehellamidoing”, the list suggests some of the people felt guilty about setting up accounts on the site, or at least feigned feeling guilty. Others demonstrated just how oblivious many users were to the weakness of their own passwords. Examples include passcodes such as “thisisagoodpassword”, “thebestpasswordever”, “superhardpassword”, and “mypasswordispassword”. The folly of such password choices reflects the ambivalence felt by users who, wrongly, thought that by just adding a few more letters they were being clever.
Hackers make easy work of even 36 letter passwords if they don’t contain capital letters or numbers in the sequence. In what CPI has uncovered so far, the passwords selected range from, unbelievably, one letter, to 28 characters – the majority all lowercase letters, or lowercase letters with numbers – all very vulnerable to cracking. Another half-million or so accounts were “protected” by a password identical to the username.
GCHQ would hold these up as perfect reasons to heed their advice, not only to thwart unwarranted intrusion, but to simplify life for the user as well. But is GCHQ genuinely interested in your security and ease of use, or are they just encouraging simpler passwords to make their job of surveillance easier?
Hard to tell at this point whether this is the precursor to backdoors. Ciaran Martin, director general of cyber security for GCHQ said: “Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users.” Meanwhile, they extoll the virtue of password managers and two-factor authentication.
That being said, the phrases chosen by Ashley Madison customers seem to confirm GCHQ’s position, and are evidence of how the length is not so important as the variety and diversity of the characters. Curiously, many of the AM passwords fell into subsets.
- Some users reflected the need for a password but not necessarily a clever one. In this category were passwords such as: “superhardpassword” and “thebestpasswordever”
- Some passwords connoted doubt, such as:”ishouldnotbedoingthis”, “thisiswrong”, or the prohesiers who chose: “cheatersneverprosper”
- Some expressed denial when choosing, “justcheckingitout” or “goodguydoingthewrongthing”.
- A frustrated user chose “everynametriedwastaken”
You get the idea.
For what it’s worth, I am happy with my password choices, and feeling good about myself after reading about other’s faux pas. I never want to gloat, but must admit I am enjoying the view into other people’s misery and am glad that I’m not in their shoes.