The celebrity photo hack underscores one of the Internet's most worrying dangers: using weak passwords makes you really, really vulnerable. Weak passwords can be guessed by hackers who try every word in the dictionary until they strike paydirt. The problem is so pervasive that some have taken to compiling annual lists of the most commonly used bad passwords.
It shouldn't even be possible for people to select such obvious passwords as "123456" or "password." Some sites take precautions against this, but there's no universal standard. The most security-conscious sites will make you include symbols or numbers in your password during the account-creation process, and won't let you proceed until you've satisfied all the requirements. Even here, though, there's a huge amount of variation in the strength of the requirements themselves.
You may have seen other sites that give you a password strength rating but do little else to nudge you toward a stronger password. Then there are the sites that impose no conditions at all. These are the worst.
What's more, technology exists that could make it absolutely, completely impossible for you to pick a password like "123456."
The idea is to use lists of known, compromised passwords as a bulwark against the kind of brute-force guessing that hackers like to do. These lists aren't theoretical — they are real, and online criminals will use them as a way to make their trial-and-error work a little easier. To use a very simplistic example: If you already know that one person has used the password "qwerty" before, chances are someone else will use it again.
By taking these "password dumps" and integrating them into their account creation tools, Web sites could analyze your proposed password and block you from moving forward if it matches or resembles one already in the dump. Some security researchers say the celebrity photo hack offers sites an opportunity to implement this blacklisting approach to provide another layer of defense against automated guessing attempts.
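What that check looks like in practice, as an added example that is not code from the article or from any site it mentions: the dump below is a constructed handful of commonly leaked passwords standing in for a real dump, and the rules for deciding that a candidate "resembles" a dumped password (case folding, dropping a short trailing run of digits or punctuation, undoing keyboard substitutions such as "p@ssw0rd") are assumptions about what an account-creation form should catch.

```python
"""Reject a proposed password when it matches or closely resembles an entry
from a known password dump. Added example; SAMPLE_DUMP is a constructed list,
not a real breach file, and the normalisation rules are assumptions."""
import re

# Constructed sample of a leaked-password dump (a real one holds millions).
SAMPLE_DUMP = ["123456", "password", "qwerty", "letmein", "iloveyou", "abc123"]

# Keyboard substitutions that guessing tools already try automatically,
# so they add no real strength: p@ssw0rd -> password.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "!": "i", "5": "s"})


def normalize(password: str) -> str:
    """Reduce a password to a canonical form so trivial variants collide."""
    p = password.lower()
    if p.isdigit():
        # All-digit passwords are compared exactly ("123456" stays "123456").
        return p
    # Drop a short trailing run of digits/punctuation: "Password1", "qwerty!!".
    p = re.sub(r"[\d!.?]{1,4}$", "", p)
    return p.translate(LEET_MAP)


def build_blacklist(dump):
    """Normalise every dumped password once, at load time."""
    return {normalize(pw) for pw in dump}


def is_blocked(candidate: str, blacklist) -> bool:
    """True when the candidate collapses onto a known-bad password."""
    return normalize(candidate) in blacklist


def check_password(candidate: str, blacklist):
    """What an account-creation form would return: (accepted, reason)."""
    if is_blocked(candidate, blacklist):
        return False, "password matches or resembles one from a known breach"
    return True, "ok"


if __name__ == "__main__":
    blacklist = build_blacklist(SAMPLE_DUMP)
    for pw in ["123456", "Password1", "p@ssw0rd!", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, blacklist))
```

The normalisation is deliberately one-way: the site stores only the normalised forms of the dump, and a candidate is rejected when its own normalised form is already in that set, so "Password1" and "p@ssw0rd!" are refused along with the plain "password" they are built from.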
"Attackers are just way ahead. That has to change," said Dan Kaminsky, who has advised companies like Cisco and Microsoft on information security, in a blog post. "Defenders have password dumps too now. It’s time we start outright blocking passwords common enough that they can be online brute forced, and it’s time we admit we know what they are."
It's still unclear whether the attackers who hit Jennifer Lawrence and other celebrities used trial-and-error tactics that could've been thwarted by password blacklisting. But as 10 million people discover every year, celebrities aren't the only targets. Ordinary people like you and me are targets, too.