123456 Shouldn’t Be Your Password
A large number of Indians exhibit shockingly bad online security habits, making them vulnerable to cybercrime
Madhavankutty Pillai | 24 Nov, 2023
(Illustration: Saurabh Singh)
PASSWORD BEHAVIOUR HAS A CORRELATION to age—the older you get, the less you worry about making passwords strong; instead, the main concern is to remember them. Ask senior citizens in your family how they choose passwords and you can make a calculated guess that many do it based on the name or date of birth of someone close to them; often, it would be children or grandchildren. They usually also use one single password for all accounts. Hackers are aware of this predictability, making this category especially vulnerable to cybercrime. But it would be wrong to assume that the rest of the population fares much better when it comes to passwords.
NordPass, the password manager company, comes out with a study every year that looks at the habits of individuals on this front. Recently, the one for 2023 came out and it had some startling revelations, just like the previous years. The study “evaluated a 4.3TB database extracted from various publicly available sources, including those on the dark web.” So, these were real passwords used by people. The most remarkable finding was that over 4 million users from their sample had “123456” as passwords. And if you are one of them, then NordPass also estimated the time that it would take for a hacker to crack your account: less than one second. Many years back, the No 1 rank for the most common password had been the word “password”, itself a delight for hackers. It was still there in the top 10 list, but now stood at No 7. At No 2, just below 123456 was “admin”, followed by “12345678”, “123456789”, “1234”, and “12345”. Every password in the global top 10 most popular passwords could be cracked in less than a second.
NordPass classified password behaviour countrywise, too, and for India, it was not very different. From the sample, as many as 3,63,265 Indians used “123456” as their passwords. Extrapolate it to the general population and this number would be many times more. All the other usual suspects were there in the Indian list’s top ones with some additions like “Pass@123”, “Admin@123”, and “India@123”. Earlier, other studies, too, had found password behaviour worrying among Indians. For instance, in 2017, telecom firm Telenor India had done a survey that found almost every urban school student used the internet and over half of them had weak passwords, which was defined as less than eight characters and having only numbers or alphabet letters. A report on it in Electronics Media said: “Additionally, 54.82% children share their passwords with their friends, family or relatives, hence creating a threat to their digital security. The WebWise survey was done in 13 cities and covered 2700 students…The study found that over 35% children have experienced their account being hacked while 15.74% shared that they have received inappropriate messages.” So, from the very young to the very old, everyone is in danger of getting hacked unless attention is paid to making strong passwords and, yet, only a fraction do.
Passwords came into existence along with computer systems, and the first breach followed almost immediately. All of this happened more than 60 years ago, at the beginning of the computer age. In 1961, the Massachusetts Institute of Technology came out with a time-sharing operating system, the first one where multiple people could work together. It was also the first time passwords were used, so that people could access their own files separately and so that computer time, which was in short supply, could be apportioned among them. A blog in the tech newsletter The FusionAuth said: “It didn’t take long for the first password system to be hacked. According to ThinkSet Magazine, one of the graduate students, Allan Scherr, wasn’t happy with the limits on his computer time. He needed more time to do his research, and felt he should have it. In 1966, he discovered that he could print out files, including the master password file, with a system request. When Scherr did that, he obtained access to all the passwords of all the users on the system. Scherr didn’t keep these passwords to himself, however. He shared the printouts with others to make it more difficult to track him down.”
Since then, the complexity of passwords has increased but so has the availability of tools to crack them. About 10 years ago, the technology website Ars Technica did an experiment in which one of its writers, Nate Anderson, who had no experience whatsoever in hacking passwords, decided to see what would happen if he tried his hand at it using freely available resources online over the course of a single day, and it was a resounding and worrying success. He wrote: “At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn’t know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing.” Two months later, Wired magazine repeated the experiment using the same list that Anderson used but this time with experts in the field, which is what the average hacker would be. And they found the success rate even better. The Wired article said: “While Anderson’s 47-percent success rate is impressive, it’s minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn’t disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.”
Why do people still choose to have such ridiculously simple passwords? Ease of remembering, for one. But such convenience is also a danger to be wary of. All experts agree that one of the worst mistakes one can make is to have the same password for everything. If it gets cracked, then the hacker has total access. You need an ultra-strong password for each of your accounts, which means a long combination of numbers, letters, and symbols. The hard way to do it is to make them yourself and then note them down somewhere. But there is an easier way: using any of the numerous password managers available online. They do the work for you by coming up with strong passwords and maintaining the record. You just have to remember the one password that will get you access to the password manager. A few such trusted password managers are 1Password, Bitwarden, Dashlane and NordPass, but there are many more, some free, some paid. Even spending a reasonable amount for a password manager is worth it considering the protection you get. There are also built-in password managers within your own browsers that are totally free. They might not have as many features as the others, but are good enough to serve the purpose.
The second simple thing that everyone should be doing, and many don’t, is to go to settings for applications and turn on the two-factor authentication. This option now exists almost everywhere, from social media accounts to emails to bank logins. In two-factor authentication, even after you enter your password, a second password has to be put in, and this is often sent directly to your mail or phone at that moment itself. This means someone already with access to your password still can’t get in. This is a very good method to keep you protected online, doesn’t cost a paisa and the effort required is negligible. There is really no reason to not switch it on.
With every passing year, technology’s role in the life of Indians becomes larger but awareness about its dangers doesn’t catch up at the same speed. Future Crime Research Foundation (FCRF), an NGO incubated in IIT Kanpur with the objective of making Indians digitally secure, recently came out with a whitepaper analysing cybercrime trends. In a category called Online and Social Media Related Crime, a substantial component was found to be through hacking of profiles and identity theft. The report noted: “Profile hacking and identity theft involve unauthorized access to personal online accounts or stealing individuals’ personal information for malicious purposes. The relatively high percentage indicates that cybercriminals continue to exploit vulnerabilities in online profiles, possibly due to weak passwords or insufficient security measures.” Passwords can be the gateway to take over a person’s life and keying in 123456 is like unfurling a red carpet for any hacker who wants to do this.