LulzSec reveals the stupidest passwords on the planet
LulzSec is having quite the week of hacktivist activity. After launching DDoS attacks against gaming sites' log-in pages, setting up a hotline for requesting hacks and hacking both the CIA and US Senate, the group released a long list of passwords and email addresses it had obtained. Is yours among them? Whew, mine isn't. You should check, too, if you use public services like AOL, Gmail or Yahoo.
I'm amazed at the ridiculous passwords people use. A quick search of the 62,000 released by LulzSec finds hundreds of instances of "123456" and "password" as password. There are 28 "11111", more than twice as many "0000" and 20 variations of the "f" word. Then there are the repeaters, like "alex186" for five different email addresses.
Some people could rightly argue that LulzSec is doing a public service by releasing the information. Certainly the hacktivist group thinks so, tweeting: "Releasing 62,000 possible account combinations is the loot for creative minds to scour; think of it like digging a very unique mineshaft."
It's more like looking into a unique mindset -- of Internet users that either are too trusting, too naive, too lazy or simply don't know any better. I wonder how much misplaced trust is the problem. In a report released yesterday, Pew Internet observed:
Internet users tend to be more trusting than non-users: 46 percent of Internet users said that 'most people can be trusted.' This is significantly higher than non-Internet users. Only 27 percent of them said that 'most people can be trusted.'
Facebook users are most trusting of all:
A Facebook user who uses the service multiple times per day is 43 percent more likely than other internet users, or three times (3.07x) more likely than a non-internet user, to feel that 'most people can be trusted.'
Perhaps they should trust a little less and think more seriously about username/password combinations.
That's the funny thing. Many of the usernames could make good passwords with a little adaptation. Username "campbelllane01" is much better than the "sunset" password that goes with it. Username "loria_r_18702" would make a better password than its "password". Of course, on email services with hundreds of millions of subscribers, users don't often have much option but to choose odd usernames. It's too bad these services don't force similar complexity on passwords.
Passwords are one of the most important lines of defense keeping cybercriminals from infiltrating PCs or networks and stealing data for profit. Service providers sometimes make it hard for users to create better passwords. For example, my bank limits passwords to 11 characters and restricts them to letters and numbers -- preventing me from using symbols and something longer.
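As an added illustration (not part of the original article), here is a sketch of the kind of signup-time check a service could run instead of capping length or banning symbols. The blocklist holds only the passwords quoted in this article; the 12-character minimum, the function name and the example.com addresses are assumptions made for the example.

```python
import re

# Passwords this article reports seeing in the released list. A real service
# would load a far larger breached-password list (assumption).
COMMON_PASSWORDS = {"123456", "password", "11111", "0000", "1234", "sunset"}

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def check_password(email: str, password: str) -> list[str]:
    """Return the reasons a new password is rejected (empty list = accepted).

    There is deliberately no maximum length and no character restriction.
    """
    reasons = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if lowered in COMMON_PASSWORDS:
        reasons.append("common_password")
    # One character repeated for the whole string, e.g. "11111" or "0000".
    if password and len(set(password)) == 1:
        reasons.append("single_repeated_character")
    # Ascending digit runs such as "1234" or "123456".
    if password.isdigit() and password in "01234567890123456789":
        reasons.append("digit_sequence")
    # Password built around the account's own name: compare the whole local
    # part and its alphabetic pieces, ignoring pieces shorter than 4 letters.
    local_part = email.split("@", 1)[0].lower()
    candidates = re.split(r"[^a-z]+", local_part) + [local_part]
    if any(len(c) >= 4 and c in lowered for c in candidates):
        reasons.append("contains_username")
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts; the domain is a placeholder.
    samples = [
        ("campbelllane01@example.com", "sunset"),
        ("loria_r_18702@example.com", "password"),
        ("someone@example.com", "0000"),
        ("alex186@example.com", "alex186-summer-2011"),
        ("someone@example.com", "correct horse battery staple!"),
    ]
    for email, password in samples:
        print(email, repr(password), check_password(email, password) or "accepted")
```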
The problem is pervasive. For example, earlier this week developer Daniel Amitay revealed that, based on usage of his iOS app (since removed from the App Store by Apple), the most common unlock codes are "1234" and "0000".
By the way, LulzSec tweets are a hoot. Some choice ones from the last day:
- "iPhones are disgusting inventions intended to suck your soul and wallet from your person. Use pigeons to communicate".
- "Turtles have DDoS shells and so do we, so naturally turtles are our friends in the world of lizard-splitting Freemason intrusions".
- "@Sega - contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down".
- "Saying we're attacking Anonymous because we taunted /b/ is like saying we're going to war with America because we stomped on a cheeseburger".
- "Our foreign names are Pierre Dubois and Francois Deluxe, oui oui baguette-crunching shellcode-spouting cyberwizards".
Do yourself a favor and change your password from "password".