We Find Users’ Lack of Password Security Skills Disturbing

On: January 22, 2016
Password security is by no means a laughing matter, but many will find it hard not to snicker at the entries into the “2015 Worst Password List.”

Security application provider SplashData has released its fifth annual list of the most-used passwords, based on 2 million security keys leaked through the year.

The results are, well, depressing to be completely honest, especially for those in the cybersecurity space.

123456? Really?

For the fifth year in a row, “123456” ranked as the most common entry. Coming in second, again for five straight years, is—prepare yourself for this—“password.”

Half of the top-10 most common passwords were strings of numbers, all in numerical order and of varying length. For example, the third most common entry was “12345”, while the fifth was “123456789.” Other entries in the top 10 include “qwerty,” “football,” and “baseball.”

SplashData notes that 2015 saw the debut of some longer passwords, such as “1234567890” and “qwertyuiop,” perhaps in an attempt by web users to make them more secure. But if your password can be cracked by running a finger along the top two rows of a standard keyboard, you should rethink your strategy. As SplashData CEO Morgan Slain put it in the press release announcing the report:

“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.”

Check out the full report here, in easy-to-digest infographic form.

Nothing New

Unfortunately, users have been foolish about password security for a long time. A 2014 report from cybersecurity firm Imperva analyzed 32 million user passwords released after a 2009 breach of social application site RockYou.com.

The Imperva analysis found that these 32 million passwords, of which “123456” was also the most popular, were strikingly similar to a survey of Unix system passwords from the 1990s. The majority of these were also trivial strings of numbers or achingly simple words and phrases like “password,” “iloveyou,” and “princess.”

Excuses, Excuses

There are reasons, of course, why so many of us are so bad at password security. Creating strong passwords that are unique to each account takes real effort. It’s a strain on our memory to keep track of them. And we’re expected to frequently update them? There are just too many!

However, none of that matters (sorry). To ignore the need to create multiple strong passwords is to ignore your part in information security. And neither your personal security, nor the security of your company, can afford for a breach to happen.

Below are seven dos and don’ts for creating and securing stronger passwords.

1. DO: Use Unique Passwords for Home and Work

I know. It’s easier to remember your work passwords if you use the same ones at work as you do at home, and vice versa. But it’s still a very dangerous habit. If you use the same password at work and at home, a hacker who compromises one network has access to both. A bad guy who invades your system at work now has access to your personal data—like your bank account or your personal e-mail, where other secrets are stored. Help mitigate the damage by keeping these streams separate.

2. Don’t: Share Your Passwords

Your passwords are like toothbrushes—they’re not meant to be shared. Never give out your passwords online, on the phone or even to friends or colleagues in person. If someone does ask for your password via e-mail, suspicions should arise that it may be a phishing attempt!

Your password is personal, and it’s meant only for your use. Unfortunately, a new survey from Centrify shows that even those who should know better (we’re looking at you, IT professionals) are guilty of sharing passwords and, by default, privileged access. Don’t do it.

3. DO: Create Strong Passwords

Strong passwords use the full range of characters on your computer keyboard (mixed-case letters, numbers, and symbols), and are exponentially harder to break than common passwords like, well, “password.” I know what you’re thinking—strong passwords are also impossible to remember, but they don’t have to be. Buffer and InfoWorld have both shared tips on how to create strong passwords you won’t forget. Remember, the longer (and stronger) your password is, the harder it will be for someone to crack.
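The two ideas the article keeps returning to, that a password built from a keyboard row or a run of digits is weak no matter how long it is, and that length combined with a wider character set is what actually raises the cost of cracking, are exactly what a password-policy check at account creation should test for. The following is an added example written for this page; it is not SplashData’s tooling or the author’s code. The short blocklist is a constructed sample drawn from the entries named above, the QWERTY rows are assumed to be a US layout, and the entropy figure is the idealized upper bound for a randomly chosen password of that length and character pool, which is why the pattern checks run alongside it:

```python
import math
import string

# Constructed sample blocklist built from the entries named in the article.
# A real deployment would load a much larger leaked-password corpus.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "football", "baseball", "1234567890", "qwertyuiop", "iloveyou", "princess",
}

# Rows of a US QWERTY keyboard (assumption), used to detect "finger walk" patterns.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_sequential_digits(pw: str, min_len: int = 4) -> bool:
    """True if pw is a run of consecutive ascending digits such as '12345'."""
    if len(pw) < min_len or not pw.isdigit():
        return False
    return all(int(b) == int(a) + 1 for a, b in zip(pw, pw[1:]))


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw is a contiguous slice of one keyboard row, forwards or backwards."""
    low = pw.lower()
    if len(low) < min_len:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def charset_size(pw: str) -> int:
    """Size of the character pool implied by the classes actually present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Idealized guessing entropy, log2(pool ** length), for a random password.

    This is an upper bound: a pattern like 'qwertyuiop' scores 47 bits here
    yet is guessed instantly, which is why the pattern checks exist.
    """
    pool = charset_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def assess_password(pw: str, min_bits: float = 50.0) -> dict:
    """Collect every weakness found; an empty findings list means none matched."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("in common-password blocklist")
    if is_sequential_digits(pw):
        findings.append("sequential digits")
    if is_keyboard_walk(pw):
        findings.append("keyboard walk")
    bits = estimated_entropy_bits(pw)
    if bits < min_bits:
        findings.append(f"low estimated entropy ({bits:.1f} bits)")
    return {"password": pw, "entropy_bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the article's worst offenders plus one random-looking password.
    for candidate in ["123456", "password", "qwertyuiop", "1234567890", "7Kp#qZ2m!vR9"]:
        result = assess_password(candidate)
        verdict = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{candidate:<14} {result['entropy_bits']:>5} bits  {verdict}")
```

Note how “qwertyuiop” and “1234567890” pass a naive length test and come within a few bits of a respectable entropy score, yet both are rejected by the keyboard-walk check. That is the point of the Slain quote above: added length only helps when the extra characters are not predictable from the ones before them.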

4. Don’t: Keep Default Passwords

When IT set up your work e-mail five years ago, they sent you a default password. Did you change it, or are you still using that password today?

It’s a good idea to change default passwords as soon as possible—whether on your work computer or your home Wi-Fi router. Maybe take care of that today.

5. DO: Change Your Passwords Regularly

It stands to reason that the longer you’ve used a password, the more likely it is to have been compromised without you even knowing it. To protect yourself, change your passwords regularly (like every six months).

6. Don’t: Store Passwords

Many browsers, programs, and web applications will offer to store your password for you so you only have to enter it once and never again. While seemingly convenient, it’s a bad idea to store passwords associated with personal or financial accounts. Viruses and spyware can retrieve stored passwords from these accounts and use them before you even notice.

While we’re on the topic—it’s also a bad idea to write down your passwords and to store them in common places like under your keyboard, in your desk, or even by taping them to your computer monitor (it happens). If you have to write them down, make sure to keep them in a secure location.

7. DO: Know Your Company’s Password Policy

Many companies will have an official password policy that is meant to help you practice good password hygiene. Seek it out, and make sure you’re following the rules as laid out.

Most of us understand that strong passwords are the first line of defense against a security breach. We also know that creating strong passwords is one small thing we can all do to greatly increase our security. So enough with the excuses—let the dos and don’ts of password security outlined above guide you into better habits.

Want to Learn More?

Check out this TEDx Seattle video for a fascinating look at password security. Data scientist Nick Berry takes an entertaining dive into the characteristics of passwords and password use.
