Machines don’t guess.

It’s hard for many people to understand how account hacking works. “How can someone guess my password that’s comprised of my kids’ names? It would have to be someone who knows me, and I add a number at the end to make it even harder.” Using your kid’s names is sure to create a weak password but if I were to try to guess your password I wouldn’t have much luck so it’s hard to demonstrate that [4]. The basic problem at work here is the “faulty analogy” fallacy. Things that look alike must be alike.

We’ve all seen humans attempt to guess various things in our lives so we know guessing is error prone and inefficient. We therefore assign these difficulties to machine guessing and arrive at the incorrect conclusion that guessing is universally hard and therefore we don’t need strong passwords and we certainly don’t need to bother with having different passwords on different sites.

The specific fallacy here is that machines don’t guess.

Machines don’t need us

The implementation of a user interface (UI) is one of the last things that is done prior to a device shipping to market. The UI is the thing that we humans interact with to use the machine. It is the layer that gives the machine a way to send and receive data from us two-eyed, two-eared, 10-fingered life forms. It’s almost a pity layer. We’re so slow and limited that the eager machine has to add a slow and limited set of buttons put on it for us to interact. Slow and limited we may be, but we’re also the only one with money to buy things, so the machine grudgingly gets over it. Grudgingly, because it doesn’t give up its fast and smart machine layer when the human UI is bolted on. It lurks beneath working non-stop which infers that you can also choose to bypass the UI and communicate with the machine at its own level if you have the skills and desire.

In some sense, that is what hacking is. It’s the ability to subvert the intended interaction method (the UI) to get at the machine below. In the case of account hacking the goal is to copy account usernames and passwords from the machine. Most websites have protections at the UI level to prevent attacks such as repeated attempts to guess passwords. If you were to go to your bank website and input an incorrect set of credentials repeatedly your account would eventually be locked out and your IP address temporarily blocked. If machines had to use that same human UI with all its safeguards in place then they’d have the same problem. It’s much easier for me to try to steal a copy of the user database and download it to my own machine. I then have access to the user database without all those UI constraints and can just hack away at it at my leisure to try to derive all the username and password combinations within.

User database breaches are legendary these days. The Have I Been Pwned website verifies and catalogues these types of breaches and has almost 2 billion accounts listed so far. If you consider that only about 3.5 billion people even have access to the Internet, that’s a lot of data breaches [1]. And most of these breaches are for sale. Multiple times.

That brings us back to your password.
Continue reading “Machines don’t guess.”

Proper names in the top 10,000 most commonly used passwords

This post came from data I compiled for some other post and I thought it was interesting enough to keep. Out of the top 10,000 most commonly used passwords in this list at the time of this writing, in the top 100 are these 30 names.

Let me say that another way: 30% of the most common passwords on the entire planet are these proper names. Stop using names, people: