Thursday, December 14, 2006
A study of real-life passwords
We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?
From security guru Bruce Schneier. He does go on to analyze the rest of the passwords, many of which were halfway decent.
I like to fill in the holes in other people's work or point out errors when I cite them. Can't do that here. It's too good an analysis.
In case you were wondering, though, the reason he points out the fraction that consisted of dictionary words plus one number ("cookie2" for example) is that the automated password guessing programs run through every word in the dictionary plus small changes to every word in the dictionary. They check for dictionary words with single numbers at the end. It's only ten times as many things to try. A password like that will fall before the password guessing program has finished its first second of runtime.
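To make that arithmetic concrete from the defender's side, here is an added example (not from this post or from Schneier's analysis): a registration-time check that recognizes the dictionary-word-plus-digits pattern and reports how little each appended digit adds, generalizing the single-digit case above to any number of trailing digits. The wordlist and the guess rate are constructed placeholders, not real values.

```python
import re

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = frozenset({"password", "cookie", "monkey", "dragon", "letmein"})

# Splits a password into (base, trailing digits); "cookie2" -> ("cookie", "2").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d*)$")


def classify(password: str, words=WORDLIST):
    """Return ("dictionary", n) if the password is a dictionary word with
    n digits appended (n may be 0), otherwise ("other", 0)."""
    base, digits = _TRAILING_DIGITS.match(password.lower()).groups()
    if base in words:
        return ("dictionary", len(digits))
    return ("other", 0)


def guess_space(dictionary_size: int, digits_appended: int) -> int:
    """Candidates a guesser must try to cover every dictionary word with
    exactly this many digits appended: each digit multiplies by ten."""
    return dictionary_size * 10 ** digits_appended


def seconds_to_exhaust(candidates: int, guesses_per_second: int) -> float:
    """Wall-clock time to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second


def registration_check(password: str, words=WORDLIST) -> bool:
    """Accept a new password only if it is not a dictionary word plus digits."""
    pattern, _ = classify(password, words)
    return pattern != "dictionary"


if __name__ == "__main__":
    # Assumed (constructed) dictionary size and guess rate for illustration.
    dict_size, rate = 50_000, 1_000_000
    for pw in ("cookie2", "monkey12", "correcthorse"):
        pattern, n = classify(pw)
        if pattern == "dictionary":
            space = guess_space(dict_size, n)
            print(f"{pw}: {space} candidates, exhausted in "
                  f"{seconds_to_exhaust(space, rate):.2f}s -> rejected")
        else:
            print(f"{pw}: not dictionary+digits -> accepted")
```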
Were you wondering where all the passwords came from? They were the 100,000 MySpace passwords captured by someone who put up a fake login dialog. There's a lesson there.
It doesn't matter how good your password is if you type it into the wrong place.