A LinkedIn leak lesson: top 30 dumb passwords people still use
Internet users continue to make things very easy for hackers. A close inspection of a portion of the 6.5 million leaked LinkedIn passwords proves people keep making foolish password choices. In fact, the most commonly used phrase in the password set appears to be “link,” according to Boston-based security firm Rapid7, which created a top 30 list for msnbc.com. The list was generated by studying a sample of 160,000 passwords from the 6.5 million that have been released on the Internet.
What hacker would ever guess that your LinkedIn password had the work “link” in it? Answer: All of them.
Second on the list of most common password phrases: “1234.” And because LinkedIn required seven-letter passwords, “12345” wasn’t far behind, either, ranking sixth on the list (123456 was 15th.) Rounding out the top 10 were “work,” “god,” “job,” “angel,” “the,” “ilove,” and “sex.”
“We are seeing a trend of Internet users trying to use simplistic passphrases on Internet sites,” said Marcus Carey, a security researcher at Rapid7. “They are (being hacked) because of the simple fact that many are using words that have been long considered bad passwords. Password-cracking algorithms include these bad passwords as a part of their recipe.”
The top 30 list generated by Rapid7 contains partial passwords used by consumers. In other words, no one used the simple word “link” as a password – it was part of a password, such as “BobLink” or “LinkPass.” That might seem to mitigate the danger, but it doesn’t offer much protection. Hackers spend hours guessing users’ passwords, using tools that brute force their way through millions of combinations. If a hacker knows someone used a seven-letter password, and part of that password is “link,” the bad guy only has to crack what is essentially a three-letter password. That’s exponentially easier. (How much easier? Assuming 94 potential password characters, based on the common keyboard layout, a three-digit password offers 830,000 possibilities; a seven-digit password offers 65 billion possibilities.)
“What people need to understand is that even with trusted sites such as LinkedIn there is still a possibility for massive compromise,” Carey said. “The bigger the site, the more personal information is leaked, and the big boys on the block are the ones who are targeted the most.”
This experiment has been done before. In fact, a company named SplashData compiles a “worst passwords” list annually from stolen passwords. You’ll see a lot of overlap between that list and this LinkedIn list. That means people aren’t learning. To that end, if you use any of the phrases on the list below to build your password, you should know that attaching “!!!” to the end doesn’t make you safe.
It's important to note that even the strongest of passwords provided little defense against the LinkedIn hack (and the subsequently announced eHarmony hack). Bad guys stole password files directly from the companies involved, so even "%R7^Tgh1" ( wasn't safe from their prying eyes. This doesn't lessen the lesson, however. Consumers still should do all they can to protect themselves, and they don't.
Words that are in the dictionary shouldn't be in your password, but unusual characters should be. Names on your Facebook page -- such as your dog's name or high school mascot -- shouldn't be in your password, either. That of course makes remembering your password a challenge, but here's a trick that security professionals recommend: think of a sentence that you can remember, and take the first letter of every word in the sentence as your password. For example: My daughter Julie was born on November 1 would yield a password of "MdJwboN1." Throw in an exclamation point at the end to show your love for your daughter, and you have a pretty strong, unique password.