Monday, June 22, 2015
Network of computer passwords
We all know how painful it is to deal with computer login passwords. Computer administrators keep telling us to have "secure" passwords, and to not reuse them, but of course we ignore this advice. Who can remember all of these passwords anyway? So, we keep them simple, and we reuse them.
The SplashData group, which markets what they call a "secure password and record management solution", provide an annual list of the 25 most common passwords found on the Internet. These are compiled from leaked passwords posted online by hackers. I have looked at the lists for 2011, 2012, 2013 and 2014.
As usual, I have used a phylogenetic network as a form of exploratory data analysis. I first used the steinhaus similarity to calculate the pairwise similarity of the 43 passwords that appear — this similarity ignores what are called "negative matches" (which is important because most of the passwords do not appear in the lists for all four years). This was followed by a Neighbor-net analysis to display the between-word similarities as a phylogenetic network. So, passwords that are closely connected in the network are similar to each other based on their popularity across the four years, and those that are further apart are progressively more different from each other. Those passwords that are in the top 25 for all four years are marked in red.
You will note the similarity among many of these passwords. They are mostly simple combinations of numbers, words, or a row of keys on the standard English keyboard. Obviously, these are not secure passwords.
The numbers one and two passwords for all four years were "password" and "123456", with "12345678" right behind. Oddly, there has been a distinct increase in "1234", "12345" and "123456789" during the years — they are grouped at the bottom right of the network. The passwords grouped at the bottom left have decreased in popularity through time.
Clearly, many people do not take login security very seriously. However, the problem also comes from the fact that system administrators fob the job of security off on the users —there have been many discussions of the lunacy of asking users to use unique "secure" passwords for each and every system (eg. Robert McMillan, of Wired magazine: Do you really need a password you can barely remember?). Indeed, Mat Honan, also writing at Wired magazine, has pointed out that even secure passwords are out of place in the Internet world (Kill the password: why a string of characters can’t protect us anymore). It will be interesting to see what happens next.