(Here’s my second in an ongoing series about what we’ve learned by browsing Insedia’s Pitchfork database of 4 billion stolen records. You can read Part 1 here. Visit Insedia.com to read part 2.)
Bill Gates appeared on The Daily Show with Jon Stewart back when Windows Vista was released, and Stewart *almost* got the better of the billionaire. Stewart asked Gates if he had any childhood pets, and what their names were. The Microsoft founder *almost* fell for it.
The joke, of course, lies in the assumption that people often use pet names to make passwords. It’s a tempting idea. Passwords are supposed to be strings of characters that 1) you can remember and 2) are hard for someone else to guess.
One out of two ain’t bad, right?
Pet names are problematic because they are, often, pretty easy for others to guess. That’s because we all can’t help but post thousands of photos of Fido (or Whiskers) all over social media. Odds are, if I wanted to know your dog’s name, I could find out in seconds. (I’ll save you the click; Rusty is my dog.)
OK, but no one would be silly enough to use a pet’s name as the FULL password, right? (HINT: WRONG! We’ll get to that in a moment).
You might not realize, however, that a criminal who knows even just part of your password will have a much easier time figuring out the rest of it. So-called brute force attacks, in which bad guys try long lists of possible passwords to crack someone’s account, can take a long time. Well-designed sites can stop them by noticing a few hundred thousand cracking attempts and halting the attack. But if a criminal knows several characters of your password, the number of tries needed to guess the rest is significantly reduced. For example, there’s a good chance your password is 8 characters, because many sites require that as a minimum. If your pet’s name is Charlie, well, odds are the hacker knows 7 of those 8 characters, making the guesswork quite easy.
We made a similar point in my last column, showing how consumers often build passwords by simply adding a character at the end and then changing that character by increments, as needed. So password becomes Password1, Password2, and so on.
That means any password with the name Charlie in it probably isn’t very safe. (Sorry Charlie. Couldn’t resist.)
There’s another risk when criminals know part of your password. Many organizations use partial passwords to authenticate customers. One web host I know asks for the last 4 characters. European banks sometimes ask for characters 2, 3 and 6 of your password. That means, without any cracking at all, criminals with a partial password might very well be able to pass such an authentication test.
All this gave the folks at Insedia and me an idea: What would happen if we sniffed out (couldn’t help it, again) common pet names in the Insedia Pitchfork database, which contains 4 billion stolen records? Just how many folks really use pet names to build passwords?
In other words, was Jon Stewart really onto something?
To examine the problem, we started with the American Kennel Club’s list of the most popular dog names of 2016. We ran them through Pitchfork, a database of about 4 billion records.
First, we searched for the absurd: Do people really use *only* their pet’s name to protect their own sensitive information? Answer: Yes! Believe it or not, we found 3,014 accounts (including Yahoo and Twitter accounts) that did indeed have as their password “Charlie.” Admittedly, Charlie could be a person in this context, and indeed at least one of the account holders was named Charlie. That’s equally bad. There were also 1,039 accounts protected by “Cooper,” 204 by “Buddy,” 288 by “Daisy,” and 261 by “Bella.” There were even 93 accounts protected by the three-letter “Max” password. Sorry, but that’s not a very good guard dog.
The story got much more interesting when we looked at the partial password problem, however. A stunning 694,000 accounts had a form of the name Max in them. Again, to be fair, Max could be a lot of things in addition to a dog’s name. Some examples we saw were “Maxima,” “Maxwell,” and “Maxwell1.” Not necessarily dogs. But definitely easy to guess.
Another popular hackable partial password on our list was Charlie, with 10,122 examples. (Charlie1, Charlie12, Charlie14.) Many of these were Yahoo accounts, presumably granting access to personal emails and so on.
Moving down the list, we saw:
- Jack – 23,427, including one clever soul who used “JackSparrow.”
- Buddy – 4,365
- Cooper – 3,267, including one whose username was basically “Cooper.”
- Bella – 7,092, often with years attached, like Bella2007 or Bella2012
- Lucy – ditto, like Lucydog7, Lucy2007
- Daisy – 4,274. If you thought cat owners were too smart to fall for this, we saw “Daisycat1”
- Lola – 2,163
- Luna – 3,917
To be clear: in this list, we saw passwords that weren’t terrible. For example, some used names as a root, but built them into long strings with special characters and so on. For obvious reasons, we’re not sharing those. But even those carefully crafted passwords were made easier to crack by the inclusion of a common word like a popular pet’s name.
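The search described above, the exact-match count and then the “name as a root with digits or years attached” count, is easy to reproduce as a defensive check. The example below is added here and is not Insedia’s or the author’s code; it runs over a constructed sample that mimics the patterns reported in the article, and the same `pet_name_root` test can serve as a blocklist rule when a user picks a new password.

```python
import re
from collections import Counter

# The ten names the article walks through (from the AKC 2016 list as cited above).
PET_NAMES = ["charlie", "max", "jack", "buddy", "cooper", "bella",
             "lucy", "daisy", "lola", "luna"]

# Decorations the article observed around the root: digits, years, a few symbols.
_TRAIL = re.compile(r"[\d!@#$%^&*._-]+$")
_LEAD = re.compile(r"^[\d!@#$%^&*._-]+")


def pet_name_root(password, names=PET_NAMES):
    """Return (name, kind) when the password is built on a pet name.

    kind is 'exact' when the whole password is the name (the 'Charlie' case),
    'partial' when the name survives as a root after stripping leading and
    trailing digits/symbols (Bella2007, Maxwell1, Lucydog7), and None otherwise.
    """
    lowered = password.lower()
    for name in names:
        if lowered == name:
            return name, "exact"
    core = _LEAD.sub("", _TRAIL.sub("", lowered))
    # Check longer names first so 'charlie' wins over any shorter substring match.
    for name in sorted(names, key=len, reverse=True):
        if name in core:
            return name, "partial"
    return None, None


def audit(passwords, names=PET_NAMES):
    """Count exact and partial pet-name passwords, keyed by (name, kind)."""
    counts = Counter()
    for pw in passwords:
        name, kind = pet_name_root(pw, names)
        if kind:
            counts[(name, kind)] += 1
    return counts


# Constructed sample resembling the article's findings; not real leaked data.
SAMPLE = ["Charlie", "Charlie1", "charlie12", "Maxwell1", "Maxima", "JackSparrow",
          "Bella2007", "Lucydog7", "Daisycat1", "Max", "Tr0ub4dor&3", "correcthorse"]

if __name__ == "__main__":
    for (name, kind), n in sorted(audit(SAMPLE).items()):
        print(f"{name:8} {kind:8} {n}")
```

Ten of the twelve constructed passwords are flagged; only the two without a pet-name root pass.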
All passwords have weaknesses, so everyone needs to pick their balance point between convenience and security. Choose wisely. If you see your pet’s name in this story, get yourself to your bank website immediately and get a little more creative. But even if your pet doesn’t make the top 10 list of dogs (or cats), you’d be better served leaving your beloved animals out of your passwords. Because I just know you aren’t going to leave pets out of your social media feed.
Yes, pet names make lousy passwords. Bible verses are lousy passwords too, even though the password-strength-o-meter says they’re amazing and awesome and invincible. They’re easy to cycle through and everyone uses the same 22 of them anyway.
Here’s how I recommend making a password, based on advice from the GCHQ (the British NSA). Grab a book. Any book. Flip to a random page. Point to a random word. Do this three more times, and that’s your password. Four random words shouldn’t be all that great of a password but it’s good enough for a few years, and puts you far, far ahead of the people whose passwords are “fluffy” and “John3:16”. Add a number and a symbol if your password-strength-o-meter requires it.