Microsoft researcher Cormac Herley, who specializes in computer security, said based on the lists of stolen passwords he has seen, he suspects that between 0.2 and 0.5 percent of all passwords are the word "password." If that's true, a hacker trying to break into 1,000 different accounts using "password" will likely gain access to between two and five of them.
If you didn't find your password in the above image, don't applaud yourself quite yet. Having a strong, hard-to-guess password can only do so much. "It's definitely better, but it's better against one particular type of attack," Herley said, referring to the "guessing attack" described above in which a hacker tries different username and password combinations to gain access to an account.
"If you inadvertently install something that's a password stealer, it doesn't matter how strong your password is."
Unfortunately, hackers usually take more efficient routes. Sometimes they exploit weaknesses in applications within internet browsers to secretly install keystroke-logging software onto users' computers; other times they create seemingly-innocent websites that lure users to directly reveal their login information. "If you [inadvertently] install something that's a password stealer, it doesn't matter how strong your password is," Herley said.
To protect yourself from these types of attacks, Herley recommends that you run up-to-date software. Hackers often exploit known vulnerabilities in applications like Flash or Java, and the longer a version of a program has been available, the more likely it is that hackers have learned how to break into them. He also recommends installing antivirus software.
Hackers also target servers directly. In 2009, someone broke into the server of the social-gaming site RockYou and released over 32 million passwords, including user login information for partner sites like MySpace. Websites are supposed to encrypt passwords, meaning that rather than storing a user's actual password, they store a "hash"—the result of a specific function calculated on it. But RockYou had stored the passwords in plain text, meaning when hackers gained access to the database they found an easily exploitable list of usernames and corresponding passwords. Herley called this "really, really bad practice."
Although there is no foolproof way to protect yourself from an attack on a server, Herley said you should take measures to ensure that a breach on a low value site does not compromise their security on a more important one. Although creating new passwords for each site you use is sound advice, in practice, people may not be able to choose unique passwords for every single account they have. Herley recommends that users rank them in order of importance—creating a unique password for your email account is likely more important than making five different passwords for five different online magazine subscriptions.
No new technology, especially on that requires a physical device, will ever be cheaper than passwords, which essentially cost websites and users nothing.
Given the various ways in which hackers can exploit traditional password login systems, one may wonder why we still use them. Researchers have proposed and developed new ways of verifying an individual's online identity. Sites could require users to scan their fingerprints or insert personalized smart cards into specialized readers attached to their computers. But Herley said he doesn't see the new technologies replacing traditional login systems any time soon for one main reason: cost. No new technology, especially one that requires a physical device, will ever be cheaper than passwords, which essentially cost websites and users nothing.
He used Facebook's "explosive growth" as an example. The site grew to nearly one million users before it received any big investments, a feat that would have been impossible had authenticating the identity of each user cost even as little as ten cents.
Sites' continued reliance on traditional verification methods does not mean that internet security has stopped improving. Companies are constantly working behind the scenes to augment password systems, implementing new techniques of verifying user identity such as tracking the locations of the computers in which a user logs in. If a website detects something unusual—like a login on a new computer in a different country—it can boost its security by requiring the user to enter additional information, like a code that is text messaged to the number linked to the user's account.
As the methods sites use to protect users' information advance, so too will hackers' determination to crack them. But before you spiral into panic, rest assured that although a spammer might find his way into your Facebook or email accounts, most Internet users will never suffer from a devastating theft of cyber identity. Still, "Anyone who has been online for any amount of time should have their guard up," Herley said. He means you, "password" users.