What’s your password?

Are you on the list?
This website is fascinating. I found it through the Spark Minute, a great blog on social media by David Spark. Some people might say it was a bad idea for someone to publish a list of the top 500 passwords used on the internet where ANYONE can see it. Believe it or not, it can be good for a website, and for its users, to see the most common passwords in use. But sharing passwords publicly sounds evil! Why is this good? Let me share a few thoughts.
If you are the head of security for a website and you have access to the top passwords on the internet, you can look for attackers who are guessing those top passwords against your site and stop them before they steal accounts. You can also strongly encourage your users not to use those passwords, making your users less vulnerable to account takeover than the users of other sites. These tactics go a long way toward reducing fraud loss and increasing trust with users.
If you are a consumer and you happen across this list of passwords, you might think twice about using something published as a “bad idea”. Maybe you realize “dragon” (#7 on the list) is not nearly as secure as you thought it was. The list might encourage you to be a little more creative and use a less common password. A little self-realization can create positive behavior changes for internet users.
This is all for the greater good of the internet, right? Of course, some people will say that by publishing this list, its authors are exposing the top passwords to the bad guys…
News flash: the bad guys already have this list! They have been phishing passwords and accumulating statistics on them for years. I’m sure they know about changes to the most popular passwords long before the good guys do.
What this really points out is how much more information the bad guys have than the good guys. For example, because of compliance and other regulatory issues, it is extremely difficult for websites to learn the most common passwords on their own site. When working security for a website, it is extremely valuable to understand the common passwords on the site, and yet it is very difficult to get that information. Worse yet, it would be very beneficial to know the common passwords across the internet (e.g. the published top 500) in order to look for those passwords and warn legitimate users on your site, and yet websites guard this information as if it were a national treasure. Doesn’t that make the good guys inherently less equipped than the people they are fighting? Shouldn’t websites do more to share information like this and help each other fight the common cause? It’s time the good guys started working together as much as the bad guys do. Join the fight against business process abuse!
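Here is an added example (not code from the original post) of the two tactics above in working form: rejecting list passwords at signup or password change, and flagging a login source that is walking the top-N list across many accounts. The list of common passwords below is a constructed stand-in; “dragon” is the only entry the post itself cites, and a real deployment would load the published top-500 file. The sample failed-login records are constructed too. Note that the failed-login record stores only a boolean, never the attempted password, which is the caveat a practitioner would insist on.

```python
"""Common-password checks: signup policy and password-spraying detection.

Added example; the password list and log records below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of a "most common passwords" list (assumption: in
# production this set is loaded from the published top-500, one per line).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "dragon", "111111", "baseball", "iloveyou",
}

_TRAILING_DIGITS = re.compile(r"\d+$")
# Undo the most common "leet" substitutions so dr4gon / p@ssw0rd still match.
_LEET = str.maketrans("0134$@", "oleasa")


def variants(pw: str) -> set[str]:
    """Canonical forms of pw so trivial mangling ('Dragon1', 'dr4gon') is caught."""
    raw = pw.strip().lower()
    forms = {raw, raw.translate(_LEET)}
    forms |= {_TRAILING_DIGITS.sub("", v) for v in list(forms)}
    forms.discard("")          # '123456' strips to nothing; keep only the raw form
    return forms


def is_common(pw: str) -> bool:
    """True if pw, or a trivially mangled variant of it, is on the list."""
    return not variants(pw).isdisjoint(COMMON_PASSWORDS)


def password_policy_check(pw: str) -> tuple[bool, str]:
    """Signup / change-password gate: (accepted, message for the user)."""
    if is_common(pw):
        return (False, "That password is on the list of the most common "
                       "passwords on the internet; please pick a less predictable one.")
    return (True, "")


def failed_login_event(ip: str, user: str, attempted_pw: str) -> dict:
    """Build the record kept for a failed login.

    Only the *fact* that a list password was tried is recorded; the attempted
    password itself is never persisted.
    """
    return {"ip": ip, "user": user, "common": is_common(attempted_pw)}


def flag_spraying(events: list[dict], min_common: int = 3, min_accounts: int = 3) -> list[str]:
    """Return source IPs that look like they are walking the top-N list.

    Signature: one source, several distinct accounts, failures using list
    passwords. A single lucky guess or a user mistyping their own password
    does not trip it.
    """
    by_ip = defaultdict(lambda: {"common": 0, "users": set()})
    for e in events:
        if e["common"]:
            rec = by_ip[e["ip"]]
            rec["common"] += 1
            rec["users"].add(e["user"])
    return sorted(ip for ip, r in by_ip.items()
                  if r["common"] >= min_common and len(r["users"]) >= min_accounts)


# Constructed failed-login records: (source ip, account, password tried).
SAMPLE_FAILED_LOGINS = [
    ("203.0.113.9", "alice", "123456"),
    ("203.0.113.9", "bob", "password"),
    ("203.0.113.9", "carol", "dragon"),
    ("203.0.113.9", "dave", "qwerty1"),
    ("198.51.100.4", "alice", "Tr0ub4dor&3"),    # a user fumbling their own password
    ("198.51.100.4", "alice", "tr0ub4dor&3!"),
    ("192.0.2.77", "erin", "dragon"),            # one guess is not a campaign
]


if __name__ == "__main__":
    for pw in ("dragon", "Dragon1", "dr4gon", "Tr0ub4dor&3"):
        print(f"{pw!r:16} accepted={password_policy_check(pw)[0]}")
    events = [failed_login_event(ip, u, pw) for ip, u, pw in SAMPLE_FAILED_LOGINS]
    print("spraying sources:", flag_spraying(events))
```

The thresholds in `flag_spraying` are assumptions to tune per site; the shape of the signal (list passwords, many accounts, one source) is what matters, and it can be computed from the boolean alone without ever storing what was typed.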