I posted this on the Tech@FTC blog this week about why mandatory password changes may be counterproductive:
I’ve been collecting images of all the cool things that I and others have made with my bad password fabric. The fabric is available from Spoonflower in three sizes and both with and without the naughty words. It has a purple background and includes 501 passwords. Spoonflower offers a variety of different kinds of fabrics, including a performance knit, basic cotton, and faux suede. They also will print this design on wrapping paper and wall paper.
Recapping for those who are just seeing this, I designed a series of bad password fabrics based on the most popular passwords stolen in a Rockyou.com data breach. First I made a “Security Blanket” quilt printed on basic cotton fabric in pastel colors. This quilt appeared in Science Magazine and was on display at the residence of the Carnegie Mellon University president for most of last year. Then I designed a purple version of the fabric and made a password dress with performance knit fabric. The dress has gotten some nice press on CNET, the Trib, and the Women you should know blog.
Then my friends started requesting other password apparel. Mary Ellen Zurko commissioned my friend Jen Primack of Upcycled Designs to make her a t-shirt from cotton knit fabric. Then Jeremy Epstein asked for ties, and we found Jen Knickerbocker of LoveCrushDresses and got her to offer regular ties and bow ties in her Etsy shop. The ties are made from cotton sateen.
Then Jen Primack bought an old chair and reupholstered it with my passwords fabric in heavy cotton twill. Doesn’t it look great in my living room?
Kristin Briney emailed me to tell me she had made a password dress from cotton poplin. And I just made a password infinity scarf from silky faille (a woven polyester).
Password baby quilts and couch throws made out of kona cotton are coming soon….
In the meantime, I’ve gotten many requests to wear the password dress to events. I wore it to give an invited talk at the 2014 Grace Hopper Celebration of Women in Computing (where I was referred to as a “password researcher and fashion idol”). I also wore it to a couple of briefings I gave to Congressional staff on Capitol Hill.
And for those wondering about the different types of fabric: the polyester fabrics are much brighter than the cottons. They are all fairly consistently bright with nice saturated colors. My favorite is the performance polyester, which doesn’t wrinkle and has a little bit of stretch and a nice drape. But it’s not really what you want to use for a quilt or a tie. The kona cotton is a little disappointing because the colors print a little dull. The basic cotton (which is similar to the kona but slightly lighter weight and less expensive), cotton sateen, and the heavy cotton twill produce brighter colors. They aren’t as bright as the polyester, but they are noticeably brighter than the kona cotton. The cotton silk also does not produce bright colors. I think the polyester silky faille might work well for ties and some other applications where you might otherwise use a woven cotton but want brighter colors. It’s a little slippery and harder to work with than cotton though. I got samples of the polyester faux suede and polyester eco canvas. They are both lovely bright fabrics, but I haven’t made anything out of them yet.
1/22/15 update: Von Welch, Director of the Center for Applied Cyber Security at Indiana University Bloomington, wore his Password tie for a local TV interview. The reporters loved the tie and commented on it at the end of the interview.
2/6/15 update: Baby quilt in kona cotton finished!
7/16/15 update: I made a password bolster pillow for the CMU ECE department head’s conference room.
6/28/20 update: Given current circumstances, password masks were required! I printed my design XX small on cotton spandex jersey and lined the inside of the mask with fabric from an old cotton spandex t-shirt (outer layer and lining each cut 10.5 x 5.5 inches; sewn together at top and bottom; left and right sides folded in and stitched to make a casing on each side; long 1-inch strip of stretchy t-shirt fabric pulled through the two casings and tied to make 2 loops to go around the back of the head). Spoonflower also sells masks already made (and lots of other things) for those of you who don’t sew. This link at Spoonflower might work: https://www.spoonflower.com/en/products/2126447-bad-passwords-clean-edition-xxsmall-by-lorrietweet?product=homegoods-kitchen-dining. See also the images and links at https://www.secmeme.com/2020/06/bad-passwords-face-mask.html.
I’m really excited that my Security Blanket quilt won honorable mention in the International Science & Engineering Visualization Challenge and is featured in an article in the February 7 issue of Science magazine. No, they don’t have a category for quilts, but that didn’t stop me from entering (and winning).
The quilt is currently on loan to Carnegie Mellon University, and is being displayed in the home of our university president. My daughters and I stopped by a couple of weeks ago to check it out.
Science also did a little profile of me in their Career Magazine.
And for those of you who want to make your own security blankets, pillow, ties, curtains, or dresses, I now have a few different versions of purple “bad password” fabric available by the yard at Spoonflower.com (update: you can get ties made from this fabric too!). You can order it on wrapping paper or wall paper too. I have small and large versions of the print, with and without the naughty words. (The quilt includes all the naughty words for authenticity.)
This is old news, but just now getting around to posting it. I made a password dress to go with the password quilt. I wore it to the opening of the Computers, Quilts & Privacy show and to give my artist’s talk. I also wore it to a faculty meeting and disrupted the meeting.
As with the Security Blanket quilt, I generated a Wordle from the RockYou password set, and then edited it in Adobe Illustrator. I selected brighter colors for the dress and had it printed at spoonflower.com on performance knit polyester fabric. (UPDATE: You can purchase similar fabric that I created on Spoonflower, and ties made from this fabric on Etsy, and read about lots of other password stuff made by me and other people.) I made my own pattern by tracing a store-bought dress I own that fits me well. It is just two pieces of fabric. The only tricky part was finishing the neckline and arm holes. I bought a double needle and used it to do the hem. This was my first foray into sewing with knit fabric.
And here are some more photos from the Computers, Quilts & Privacy show at the Frame. There is also a video of my talk that I will post after it is edited.
As I’ve been thinking about quilt ideas related to security and privacy during my staybatical at the STUDIO for Creative Inquiry all year, the title for this quilt was obvious: Security Blanket. Less obvious was the design of a quilt that would fit this title. Ultimately, I took inspiration from the research on the security and usability of text passwords that I’ve been working on with my students and colleagues. While this quilt started out as an art project inspired by my research, what I learned from creating it will likely influence my future password research.
Our research group has collected tens of thousands of passwords created under controlled conditions as part of our research. Among other things, we have compared these passwords with the archives of stolen passwords that have been made public over the past few years. Perhaps the largest such archive consists of 32 million passwords stolen from social gaming website RockYou and made public in December 2009. These passwords are notably weak, having been created without the requirement to include digits or symbols or even avoid dictionary words. Security firm Imperva published an analysis of these passwords. More recent analyses of stolen passwords have found that passwords stolen in 2012 are pretty similar to those stolen in 2009.
The media had fun publishing the most common passwords from the RockYou breach. As with other breaches, password and 123456 figured prominently. But after you get past the obvious lazy choices, I find it fascinating to see what else people choose as passwords. These stolen passwords, personal secrets, offer glimpses into the collective consciousness of Internet users.
I asked my students to extract the 1000 most popular passwords from the RockYou data set and provide a list to me with frequency counts. I then went through the list and sorted them into a number of thematic groups. I assigned a color to each group and entered the passwords with weights and colors into the Wordle online word cloud generator. I then saved the output as a PDF and edited it in Adobe Illustrator to rearrange them in a shape that I liked, with some pairs of words purposefully placed in close proximity. I designed a border, and had the whole thing printed on one large sheet of fabric by Spoonflower. When the fabric arrived, I layered it with batting and quilted it. I bound it with matching fabric from Spoonflower that I designed.
Sorting 1000 passwords into thematic categories took a while. While a number of themes quickly emerged, many passwords could plausibly fall into multiple categories. I tried to put myself in the mindset of a RockYou user and imagine why they selected a password. Is justin the name of the user? Their significant other? Their son? Or are they a Justin Bieber fan? Is princess a nickname for their spouse or daughter? The name of their cat? Their dog? (It shows up frequently on lists of popular pet names, and a recent survey found that the most common way of selecting a password is using the name of a pet.) Is sexygirl self-referential? What about daddysgirl? dreamer? genius?
When I didn’t recognize a password I Googled it. Most of these unknown passwords turned out to be ways to express your love in different languages. For example, I learned that mahalkita means I love you in Tagalog. Love was a strong theme in any language; there seems to be something about creating a password that inspires people to declare their love.
Not surprisingly, the top 1000 passwords list includes a fair share of swear words, insults, and adult language. However, impolite passwords are much less prevalent than the more tender love-related words, appropriate for all audiences.
There are a couple dozen food-related words in the top 1000 passwords. The most popular is chocolate and most of the others are also sweets (and potentially nicknames for a significant other), but a few fruits and vegetables, and even chicken make their way to the top as well. Among fruits, banana appears in both singular and plural.
Animals are also popular. While felines appear on the password list in a number of forms and languages, monkey is by far the most popular animal, and the fourteenth most popular password. I can’t quite figure out why, and I don’t know whether or not this is related to the popularity of “banana.”
Fictional characters are also popular, especially cartoon characters. The twenty-fifth most popular password is tigger (which might also be on the list because it is a popular name for a cat). A number of superheroes and Disney princesses also make the list, as well as another cartoon cat, hellokitty. Real-life celebrities also make the list, including several actors and singers. While at first I thought booboo might refer to the reality TV star Honey Boo Boo, I realized that the date of the password breach predates the launch of that TV show.
A number of passwords relate to the names of sports, sports teams, or athletes. Soccer-related passwords are particularly popular. There are several cities on the list that I’m guessing were selected as passwords because of their sports teams, especially soccer teams.
Besides the obvious lazy password “password” (and also PASSWORD, password1, and password2), some more clever (but nonetheless unoriginal) variations included secret and letmein. And I love that the 84th most popular password is whatever.
Some passwords puzzled me. Why would anyone select “lipgloss” as their password? Why not “lipstick” or “mascara”? Perhaps it refers to a 2007 song by Lil Mama? Why “moomoo”? Why “freedom”?
Even more popular than the word password were the numbers 123456, 12345, 123456789. Other numbers and keyboard patterns also appear frequently. When I laid out the 1000 passwords on the quilt, I scaled them all according to their popularity. The most popular number sequence was chosen by more than three times as many people as the next most common password and was so large that I decided to place it in the background behind the other passwords so that it wouldn’t overwhelm the composition.
I made a few mistakes when designing the quilt that I didn’t notice until I was quilting it (quilting this quilt provided an opportunity to reflect on all the passwords yet again as I stitched past them). One problem was that when I transferred the top 1000 password list to Microsoft Excel while categorizing the passwords, the spreadsheet program removed all the zeros at the beginning of passwords. As a result there are three passwords that are actually strings of zeros (5, 6, and 8 zeros) that are printed simply as 0. In addition, there are three number strings that start with a 0 followed by other digits that are printed without the leading 0. Another problem was that the color I selected for jesus, christian, angel, and a number of other religious words blended in with the background numbers when printed on fabric, making those words almost invisible (even though they showed up fine on my computer screen). I had carefully checked most of the colors I used against a Spoonflower color guide printed on fabric, but had inadvertently forgotten to check this particular color. I reprinted about half a dozen of these words in a darker color and sewed them onto the quilt like patches that one might add to repair a well-worn spot.
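As an added illustration (not the author’s or her students’ tooling), here is a small Python script that tallies a password list the way the extraction step above did, keeping every line as a raw string so that all-zero and leading-zero passwords survive, next to the numeric coercion that lost them in the spreadsheet. The sample dump is constructed for the example, not RockYou data.

```python
from collections import Counter

# Constructed sample standing in for a leaked list, one password per line.
# Chosen to include repeats and the digit strings a spreadsheet would mangle.
SAMPLE_DUMP = """123456
12345
password
000000
00000
123456
monkey
00000000
123456
012345
password
000000
monkey
"""


def count_passwords(text):
    """Password -> frequency, treating each line as an opaque string.
    Splitting on newlines (never on whitespace, never via int()) keeps
    '000000' and '00000' distinct and preserves leading zeros in '012345'."""
    return Counter(line.rstrip("\r") for line in text.split("\n") if line != "")


def top_passwords(counter, n):
    """The n most frequent entries as (password, count, weight), with weight
    scaled so the top entry is 1.0, the way a word cloud sizes its terms."""
    most = counter.most_common(n)
    top_count = most[0][1]
    return [(pw, c, c / top_count) for pw, c in most]


def digit_strings_at_risk(counter):
    """Entries a numeric import would alter: digit-only strings starting with 0."""
    return sorted(pw for pw in counter if pw.isdigit() and pw.startswith("0"))


def count_as_numbers(text):
    """Reproduces the spreadsheet failure: digit-only lines are coerced to
    numbers, so all-zero strings of any length collapse into a single '0'
    and '012345' is merged into '12345'."""
    counter = Counter()
    for line in text.split("\n"):
        if line != "":
            counter[str(int(line)) if line.isdigit() else line] += 1
    return counter


if __name__ == "__main__":
    tally = count_passwords(SAMPLE_DUMP)
    print(top_passwords(tally, 3))
    print("would be damaged by numeric import:", digit_strings_at_risk(tally))
    print("after coercion:", count_as_numbers(SAMPLE_DUMP).most_common())
```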
There are also some passwords that I colored according to one category, and upon further reflection I am convinced were more likely selected for a different reason and should be in a different category, but we’ll never know for sure. I invite viewers to discover the common themes represented by my color-coded categories and to speculate themselves about what users were thinking when they created these passwords. Zoom in on the thumbnail images above to see all of the smaller passwords in detail.
The colors, size, and format of this quilt were designed to be reminiscent of a baby quilt, which I imagine might become a security blanket. Like the passwords included in this piece, a security blanket offers comfort, but ultimately no real security.