"password1"

In Real-World Passwords, Bruce Schneier analyses a corpus of passwords retrieved from a phishing attack on the MySpace social networking site.

The good news is that it’s clear that users are slowly becoming more aware of the security risks of bad password choice. The bad news is that things haven’t got all that much better, really. Scheier’s punchline:

We used to quip that “password” is the most common password. Now it’s “password1.” Who said users haven’t learned anything about security?

These days, it’s hard for me to get up much enthusiasm for any security solution that involves a lot of user education. As well as the apathy factor and the dancing pig factor, we’re fast outrunning the ability of even the most well educated user to keep up with the bad guys. I include myself with the mass of the bewildered in this respect, as evidenced by my previous post on remembering secure passwords.

The longer term answer to these problems has to involve a move away from relying solely on inherently weak technologies like passwords and towards technologies like multi-factor authentication and federated identity systems. If we don’t have to rely on the human brain’s limited ability to remember lots of secure (and therefore inherently hard to remember) passwords, we might stand a fighting chance of building secure systems.