Yes, one of them was “password”—and even in 2012 there was no excuse for that.
Half of government and military employees were using easily crackable passwords as of 2012, according to a report released Wednesday.
That’s only slightly better than the 52 percent of the general public that was using passwords that were far too weak at the time, according to the report from the cybersecurity firm WatchGuard.
The report authors analyzed a data dump of about 117 million encoded passwords that were pilfered from the career networking site LinkedIn in 2012 and posted online in 2016. Among those 117 million passwords, WatchGuard found about 350,000 passwords linked with a .gov or .mil email address.
In some cases, the LinkedIn hackers had already decoded those passwords and published them in plain text. In other cases, the passwords were stilled “hashed,” which means they were converted into a long string of characters using a system that is non-random but still supposed to make it very difficult to convert the string back into a plain text password.
The report’s analysis is based on two criteria. For plain text passwords, the authors simply judged them based on common criteria for good passwords, such as how many characters it has and whether it includes wildcard characters such as symbols, numbers and uppercase letters.
For the full set of passwords, the authors tried to convert the hashed strings back into passwords using a custom-made web script.
The authors were able to decode 50 percent of the hashes within two days, the report said, compared to the “weeks to years” that should be required to decode medium-strength passwords and the “many years” required to decode strong passwords.
Among the most common passwords the authors found in the government and military dataset were textbook bad passwords such as “password,” “password1,” “123456,” and “abc123.” “LinkedIn” was also a common password.
The LinkedIn sample may not be fully representative of government and military password practices, the report notes, because many troops and federal employees likely access LinkedIn using their personal emails.
Some of the accounts might also have been dummy accounts that troops or feds set up simply to save their names but entered no real information into, the report notes.
The dataset also, of course, dates to 2012 when concern about data breaches was high but not at the fever pitch it is today.
The damage caused by weak passwords can also be minimized through other security practices, such as setting up two-factor authentication. A common form of two-factor authentication is when a web service texts or emails a unique personal identification number to a user each time she tries to log in on a new computer.