Computer Security: When “123456” is insufficient

Following malicious hacks and the subsequent publication of “The Mother of all Password Dumps” containing more than 226 million unique e-mail addresses and passwords, several security companies wondered again about the naivety of humankind, the recklessness of digital natives and the incapability of human brains to memorize passwords. Indeed and in fact, the passwords that were most prevalent in the aforementioned and other similar dumps were just too easily guessable:

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678
  6. 111111
  7. 123123
  8. 12345
  9. 1234567890
  10. senha

Blame the users!

But it is not that simple. Unfortunately, internauts using today’s World Wide Web are asked on every corner to register even when accessing the most trivial information: newsletters, downloads of free software, etc. Before being able to read a news article or launch a download, the website asks you to provide a username, e-mail address and password. Even if you won’t come back a second time. Those passwords are just simple handles, tokens, with no real protective purpose as there is nothing to protect; they are purely for the sake of registration. For those cases, the simplistic passwords above are perfectly fine as there is nothing valuable to protect. You might even put some randomly typed letters as a password and forget about it, taking advantage of the “reset my password” procedure should you ever come back.

Alternatively, and even better for such cases, you can use the “save password” functionality integrated with your browser. For example, Firefox recognises password fields and whenever you register for a new account it will propose a randomly generated password, which it will remember for you in its built-in password manager. Other web browsers may have similar features. Or you can sign in with your Facebook or Google account* – something that more and more websites are allowing.

However, where you have confidential data to protect (i.e. your photos, documents, etc.), like on Facebook, Dropbox or at CERN, where financial data is a stake (e.g. with Amazon or your bank), where you communicate privately with your peers (think of Instagram, Signal, Twitter), or where you handle any other kind of valuable information, a strong, long, complex and complicated password is a must. The larger the variety of letters, symbols and numbers, the better. Ideally, your choice of password cannot be found in any dictionary (of any language) nor easily guessed by, for instance, appending “2021” for the year. Replacing “E” by “3” or “S” by “5” to obfuscate your dictionary word does not help, as password-cracking tools take such variations into account. Instead, your best choice is a passphrase, i.e. a sentence of words like “InXanaduDidKublaKahnAStatelyPleasureDomeDecree!” or a mathematical formula like “a^2+b**2=sqr(c)” – unleash your creativity. Some more password recommendations can be found on the CERN Computer Security team’s homepage. And if all else fails and your brain tissue gets soft and grey, think of using a good password manager!

The CERN Computer Security team will continue to analyse any newly published breach of password databases or collection of passwords (the infamous “password dumps”). If these list your CERN e-mail address or an external e-mail address registered with CERN combined with a password or a password hash, you will get a warning that your password has been exposed. Ideally, this notification will also include the origin of the breach, i.e. the website with which that password has been registered. Unfortunately, this is not known in every case – so please don’t ask if this information was not provided in your notification. For many already public dumps, you can check yourself on “have i been pwnd?“.

2021 will also see a further improvement in password usage at CERN. Firstly, CERN is considering ending the requirement to change your password once a year. Instead, the aforementioned notification mechanism will ask you to change your password once your password appears in a breach. And secondly, CERN will further roll out the use of two-factor authentication. But more on that in a future Bulletin article.

*This could be seen as a way of reducing the number of accounts that you need to create but, as is the case with most cloud services, the gain in convenience is usually offset by privacy invasions. Using your Facebook or Google account to log into external services gives these two tech giants even more data to track your online activity.


/Public Release. This material comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.