Adobe’s Top 20 Passwords

Avinash Kaushik:

Adobe was hacked recently and of course someone smart is going to analyze the data to find insights. My favourite one was the top 20 passwords used by Adobe users.

38 million records were lost by Adobe, though the original number was said to be 2.9 million. 1.9 million people used 123456 as their password!

Here’s the image he included with his post:

Yes, people are stupid and these are ludicrously bad passwords. Shame on them.

But shame on Adobe for allowing users to set these kinds of passwords in the first place. Regardless of the hack, these are easily guessed passwords and could have led to account compromises without too much work.

  1. “Shame on Adobe for allowing users to set bad passwords”? I disagree completely.

    If I want to set an insecure password to protect my not-very-important data, then why can’t I? Shame on Adobe for not educating people on how to pick a good password, sure. Shame on Adobe for not seeding their password hashes. But shame on them for not forcing me to pick a 27-digit password comprised entirely of special characters? Come on.

    • Allowing a user to set a password that is basically inviting account compromise is bad customer support.

      I’m not saying that it needs to be something that’s super-complicated, but you should protect against these kinds of common passwords being set by anyone.

      • 1) Adobe should make every effort to properly secure the passwords they store

        2) Adobe should strive to educate their users on picking strong passwords and proper account security

        And assuming points 1 & 2 are fully implemented:

        3) Adobe should let me make my own *informed* choices, even if that means choosing an idiotic password

          • For Adobe, no. For my luggage? “Remarkable!”

            I use complex and unique passwords on each site because I’m not a moron, and I use a password manager to keep track of it all because I’m lazy. Educating users on setting up and using these types of things should be the responsibility of any web-based company that wants to keep their customers happy.

            What worries me is somebody getting into either my password manager or my email account, because those can be used to attack all my other accounts. But that’s why I’ve got two-factor authentication turned on for everything I possibly can.

            Talk about bad customer service: one of the major password manager vendors makes you pay to upgrade to a premium account before you can use two-factor auth! Jerks.

  2. I agree with the “shame on Adobe” statement. It isn’t anything to set basic requirements in your coding. Of course, this is coming from the same company that forces absolute positioning in the CSS code their Photoshop CC outputs.

  3. Blaming customers is also bad customer support. The ones to blame are us, the entire software development industry, for not providing sane, universal authentication.
