Archives for April 22, 2018

Why So Many People Make Their Password 'Dragon'

Each year since 2011, the security firm SplashData has released a list of the most commonly used passwords, based on caches of leaked account credentials. The annual list, intended as a reminder of humanity’s poor password practices, always includes predictable entries like “abc123,” “123456,” and “letmein.” But one entry, finishing in the top 20 every year, has stood out since the beginning: “dragon.”

But why? Is it because of the popularity of the television adaption of Game of Thrones, which first premiered the same year as the popular passwords list? Is it because so many Dungeons & Dragons fans got their accounts pwned? Well, maybe, in part. But the most convincing explanation is simpler than you might think.

Chasing the Dragon

The “dragon” phenomenon does not appear to be a quirk of SplashData’s password analysis methodology. The creature took the 10th spot last year on another top passwords list, this time created by WordPress platform WP Engine, using data compiled by security consultant Mark Burnett. Dragon doesn’t show up on a 2016 list created by Keeper Security, but that one took into consideration accounts likely created by bots. And the top 100 passwords have stayed relatively stable through the years, largely ruling out a Game of Thrones spike.

“I believe in my book I even listed hundreds of passwords that contain the word ‘dragon,’” says Burnett, whose Perfect Passwords came out in 2005. “People often base their passwords on something that’s important to them; apparently dragons fall into that category. And between D&D, Skyrim, and Game of Thrones, dragons have played a big part in our culture.”

The way researchers examine password data in the first place may also contribute to dragon’s popularity. While tens of thousands of people likely really use it, the kind of password data that researchers have access to comes with some inherent biases. Academics can’t call up a company and ask it to hand over customer passwords, so they instead largely rely on credentials that get hacked and leaked to the public.

That often means sites that have poor overall security—and weak password requirements. “The sites that have the most complicated password policies don’t get leaked as often,” says Lorrie Faith Cranor, a computer scientist at Carnegie Mellon University who has studied password creation in her lab for over eight years. “Dragon” might be disproportionately popular because hacked sites are less likely to require users to include, say, a number or special character in their password.

The type of site a password data set comes from can also skew results. WP Engine examined 5 million passwords believed to be associated with Gmail accounts, for example. The company looked at the associated email addresses and tried to estimate the gender and age of the people who created them. For example, “[email protected]” would be assumed to be a male born in 1984. Using this method, the researchers found that the dataset skewed both male and toward people born in the 1980s. That’s likely because many of the credentials came from eHarmony and an adult content site.

You can imagine how, in a dataset like this, “dragon” theoretically might appear more often, given how relatively popular The Lord of the Rings, Dungeons & Dragons, and Game of Thrones are among men in their early-to-mid-30s.

Other kinds of password data bias can be more obvious. In 2014 for example, Burnett helped SplashData compile its annual common passwords list. When he first ran the numbers, he noticed that “lonen0” appeared incredibly high on the list, taking the seventh spot. That happened not because tens of thousands of people suddenly thought of the phrase, but because it was the default password for a Belgian company called EASYPAY GROUP, which had suffered a hack. Ten percent of users had simply failed to change the default password.

Cracking Up

Another reason that “dragon” appears so popular, along with other passwords like “123456,” is that they’re incredibly easy to unmask. Companies often “hash” the credentials that they store, so that in the event a hacker does access them, they’re harder to read than they would be if they were just sitting out in plaintext. Hashed data is mathematically obscured to look like random strings of characters that humans can’t parse. Some hashing schemes have weaknesses that allow hackers to crack them, but even if hackers can’t expose every password, they can still run scripts to figure out the hashes for the most common passwords. “They are using computer programs that are using the most popular passwords first,” says Cranor.
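The common-passwords-first lookup Cranor describes, written as a defender's audit of stored credentials; this is an added example, not code from the article or from the researchers it quotes. It compares an unsalted fast hash with a per-user salted, slow hash and shows why only the common passwords surface. The wordlist, user table, round count, and function names are constructed for illustration.

```python
import hashlib, hmac, os
from collections import Counter

# Constructed sample data: a "most common first" wordlist and a toy user table.
COMMON = ["123456", "abc123", "letmein", "dragon", "monkey", "iloveyou"]
USERS = {"ann": "dragon", "bob": "123456", "cat": "dragon",
         "dev": "t7#Vq9!mZp2x", "eve": "monkey", "fay": "Rk4$wLb8&nQe"}

def unsalted(pw: str) -> str:
    """Weak scheme: one fast hash, identical for every user of a password."""
    return hashlib.sha256(pw.encode()).hexdigest()

def salted(pw: str, salt: bytes, rounds: int = 20_000) -> bytes:
    """Hardened scheme: per-user salt plus a slow KDF (rounds kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)

def store_salted(users: dict) -> dict:
    """Build the salted credential table: user -> (salt, digest)."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, salted(pw, salt))
    return out

def audit_unsalted(stored: dict) -> dict:
    """One table of common-password hashes matches every account at once."""
    table = {unsalted(pw): pw for pw in COMMON}
    return {user: table[h] for user, h in stored.items() if h in table}

def audit_salted(stored: dict) -> tuple:
    """No shared table: every guess is recomputed per account with its salt."""
    found, kdf_calls = {}, 0
    for user, (salt, digest) in stored.items():
        for pw in COMMON:
            kdf_calls += 1
            if hmac.compare_digest(salted(pw, salt), digest):
                found[user] = pw
                break
    return found, kdf_calls

if __name__ == "__main__":
    weak = {u: unsalted(p) for u, p in USERS.items()}
    exposed = audit_unsalted(weak)
    print("unsalted, 6 hash computations total:", exposed)
    # Only common passwords surface, so counts built from them are biased.
    print("ranking from recovered passwords:", Counter(exposed.values()).most_common())
    found, calls = audit_salted(store_salted(USERS))
    print(f"salted: same accounts, but {calls} slow KDF calls:", found)
```

The two accounts with random passwords never appear in either result, which is the sampling bias the article describes: a ranking built from recovered passwords can only contain what was guessable.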

Despite potential biases, careful researchers like Cranor and Burnett take time to construct their databases as carefully as possible. At this point, so many websites have been breached that they also have very robust datasets to analyze. Still, Burnett says, figuring out the “most commonly used” passwords across the web probably cannot be called a genuine science, due to biases and lack of controls.

Cranor’s research has shown that people choose passwords like “dragon” for the same reason they use common names, like Michael and Jennifer, or beloved activities, like baseball. “One of the things we’ve seen is that people tend to create passwords about stuff they like,” says Cranor. “‘iloveyou’ is one of the most common passwords, in every language.”

In her research, Cranor also wondered why so many people gravitate specifically toward animals and mythical creatures in creating passwords—particularly “monkey,” which like dragon, always ranks highly. During one study she conducted, Cranor actually asked participants who chose the primate to explain why they picked it.

“Basically people said they like monkeys, monkeys are cute,” says Cranor. “Some people said they had a pet named monkey, they had a friend whose nickname was monkey, it was all very positive.”

It turns out many people have chosen dragon for similar reasons. “I started with ‘dragon’ back in the early 90s, and it morphed over time,” one person who uses that password explained to WIRED. “The inspiration for it was a mixture of having played Dungeons & Dragons for 10 years at the time and having just installed Legend of the Red Dragon.” (They have been granted anonymity for obvious, password-related reasons.)

“Passwords, I was told, were supposed to make it hard for other people to get into your accounts, and dragons are big and scary and less common in real life than, like, bears,” another “dragon” user said. “Admittedly I was mostly using very nerdy forums and games and stuff.”

Sometimes, though, the reason you choose “dragon” as your password is just because you’re young, and dragons are, well, really cool. As one “dragon”-user put it: “I was 13 at the time.”


After Uber's Fatal Crash, Self-Driving Cars Should Aim Lower

More than a month after a self-driving Uber struck and killed a pedestrian crossing the street in Arizona, it’s still not clear what sort of failure might explain the crash—or how to prevent it happening again. While the National Transportation Safety Board investigates, Uber’s engineers are sitting on their hands, their cars parked.

The crash and its inconclusive aftermath reflect poorly on a newborn industry predicated on the idea that letting computers take the wheel can save lives, ease congestion, and make travel more pleasant. An industry dashing toward adulthood—Google sister company Waymo plans to launch a robo-taxi service this year, General Motors is aiming for 2019—and now, suddenly, on the verge of being rejected by a public that hasn’t even experienced it yet.

In other words, AV makers are clearing the technological hurdles and tripping over the psychological ones. And it’s important to recognize there are lots of stakeholders here. If these vehicles are to proliferate and change the world for the better, they’ll need support: from the public, politicians, and from regulators.

In defending their technology, the self-driving promoters always resort to the same set of facts. Every year, 40,000 people die on American roads. Worldwide, it’s about 1.25 million. Millions more are left with serious injuries. Robot drivers, who don’t get tired, distracted, or drunk, could stop the bleeding.

It’s a compelling and worthy objective, but one that’s almost impossible for regular drivers to relate to. Road deaths are a problem for society, not for the vast majority of people who aren’t personally affected. Driving is such a quotidian and often necessary task, it’s easy to ignore the risk that comes with every moment behind the wheel. At the same time, crashes are so common, they become background noise—and they get tuned out. Moreover, putting a serious dent in road death numbers would take decades, since robots could have to gradually replace more than a billion vehicles worldwide.

Knocked onto its heels by the Uber crash and the death of a Tesla driver using Autopilot a week later, the robo-car industry needs a win—and a new playbook.

“Trying to boil the oceans, and solve the complete problem all at once, has a high failure rate,” says Timothy Carone, a business professor at Notre Dame and author of Future Automation—Changes to Lives and Businesses. “One key reason that project leaders lose stakeholder support is because they don’t see the benefits clearly.”

Rather than promising to save millions, the developers in Silicon Valley, Detroit, and elsewhere should offer immediate, tangible proof of their value. And no, Waymo, launching a real-deal robo-taxi service doesn’t cut it. “All they’ve proven is that a car can drive itself around Phoenix,” says Carone. “So what? They haven’t demonstrated the value.”

Community Service

Even if Waymo’s service does make roads safer, the problem is that people are no good at recognizing the upsides of things that don’t happen. If it wants to win over a population rattled by Uber’s crash—which surely hurt the reputation of this technology as a whole—it should offer not just a high-tech taxi, but a solution to a discrete, noticeable problem. Take teenage drunk driving: Why not offer a free service for people aged 16 to 25, between 10 pm and 2 am? You’re giving parents peace of mind, knowing their kids have an easy, convenient, way to get home if they’ve been drinking. And maybe collecting some positive statistics in the process.

Here’s another idea for Waymo, Uber, Cruise, and everyone else working on computer driving: Start a shuttle service for people in suburban towns, taking them home from the local train station. It’s an easy way to solve the last mile issue, especially for people who don’t have cars—and will make the people in neighboring towns eager to have the tech, too.

“If the goal is specific, targeted, and it resonates with your customers or important stakeholders, then they buy into it,” says Stephanos Zenios at Stanford’s Center for Entrepreneurial Studies, who teaches successful launch techniques at a “Startup Garage” MBA course. “It has to solve a real problem that someone has, and which is a pain for them.”

The small, driverless, pod-like shuttles which companies like May Mobility are trialing are a sensible solution to mobility in downtown cores. They can pootle around at a safe 25 mph. But to a car driver, used to speed and the flexibility to choose a route, they’re hardly irresistible. What if they made their services more attractive by negotiating with cities to use bus and HOV lanes to save riders time? The results don’t have to be glorious—just tangible and relatable. If commuters save 20, even 10 minutes a day because they get to make part of their trip in an autonomous shuttle, they’re likely to think better of the tech—and vote for the politicians and regulators who support it.

Rocket Science

Carone cites the SpaceX Falcon rocket program as an example of where this step-by-step tactic has worked to build support. Elon Musk’s company now has launched 53 Falcon rockets, with 51 full mission successes (including one Falcon 9 Heavy), one partial failure, and one total loss of spacecraft.

It has booked more than 100 future launches, signaling that confidence in its tech is strong. That’s because each launch slowly but surely demonstrated the benefits of the SpaceX approach to improve the cost and reliability of access to space. When failures did happen, there were previous successes to confirm the benefits of the approach.

Uber has also seen the benefits of a phased approach in its core business, ridesharing. The app started in 2009 as a way for people to book rides in fancy black cars. It evolved into a peer-to-peer service, a useful alternative to lacking public transit and expensive, hard-to-find taxis. Over the years, it added special features for large groups, kids, people with pets, and riders in wheelchairs. And so when London threatened to withdraw Uber’s licence to operate in the city, more than 850,000 people signed a petition to keep the company around. That’s the kind of support Uber could use now, for its autonomous driving program.

Same goes for Tesla, and other automakers offering semi-autonomous systems that take over the driving task, with human supervision. Last month, a Model X driver using Autopilot hit a highway barrier and died. In response, Tesla wrote a blog post that said, “If you are driving a Tesla equipped with Autopilot hardware, you are 3.7 times less likely to be involved in a fatal accident.” It added that there is one automotive fatality every 86 million miles across all vehicles. In cars with Autopilot, it claims, that plunges to one every 320 million miles.

Those are impressive numbers, sure, but they’re also hard to comprehend. Hardly anyone drives a million miles in their life, so the difference between 86 million and 320 million feels academic. But if Tesla could break down the stats and tell you, hey, on this road you drive every day, cars with Autopilot crashed, say, 20 percent less often than those without, the tech would seem a lot more relevant—and more worth the extra $5,000.

Even if it won’t save your life, it could keep you out of a fender bender that makes you miss that meeting and sees your insurance premium skyrocket. “If you do that, it provides policy makers with information and data that says we’re going in the right direction and we’ve saved 50 or 100 lives this year,” Carone says.

Writing in the journal Nature Human Behavior, researchers from UC Irvine say “as with airplane crashes, the more disproportionate—and disproportionately sensational—the coverage that autonomous vehicle accidents receive, the more exaggerated people will perceive the risk and dangers of these cars in comparison to those of traditional human-driven ones.” You don’t win those people back with lofty promises of crash-free roads and millions of lives saved. You do it by making their lives better, one helpful ride at a time.
