When it comes to password hygiene, many of us are still ignoring the basics.
Password management specialist SplashData has released its eighth ‘Worst Passwords of the Year’ list: a roundup of the most commonly used and most easily guessable passwords. The list is based on an evaluation of more than 5 million passwords leaked on the internet (passwords from breaches of adult sites are not included!).
It’s estimated that 10 percent of internet users are guilty of using at least one of the top 25 most popular passwords, and 3 percent of people use the very worst password of all: ‘123456’.
Extremely lazy numerical and keyboard patterns feature heavily in the list (e.g. ‘qwerty’ and ‘abc123’). Obvious phrases are popular too; prominent examples of this include ‘password’ and ‘iloveyou’.
Celebrity names have always been a popular go-to source of passwords for many hapless users. Combine this with a little bit of social profiling and you’ve got a problem (tip: LionelMessi10 is never a good choice, doubly so if your Facebook page is full of Barca-related posts). Along these lines, the US President will doubtless be flattered by this year’s most noteworthy new entry on the list: it seems that ‘donald’ is currently the 23rd most popular password.
The top 25 worst passwords
Here’s the 2018 list (with changes from the previous year’s list)...
1. 123456 (Unchanged)
2. password (Unchanged)
3. 123456789 (Up 3)
4. 12345678 (Down 1)
5. 12345 (Unchanged)
6. 111111 (New)
7. 1234567 (Up 1)
8. sunshine (New)
9. qwerty (Down 5)
10. iloveyou (Unchanged)
11. princess (New)
12. admin (Down 1)
13. welcome (Down 1)
14. 666666 (New)
15. abc123 (Unchanged)
16. football (Down 7)
17. 123123 (Unchanged)
18. monkey (Down 5)
19. 654321 (New)
20. !@#$%^&* (New)
21. charlie (New)
22. aa123456 (New)
23. donald (New)
24. password1 (New)
25. qwert123 (New)
How a bad password leaves you exposed
The whole point of a password is to put in place a barrier between a hacker and the network, system, device, program or account you want to protect. So the more obvious the password, the weaker that barrier. Here’s a closer look at how you’re exposed…
Beware brute force attacks...
When it comes to system infiltration, you are not simply dealing with an intruder manually trying out different password combinations. You are far more likely to encounter a brute force attack. With this type of attack, the hacker uses a cracking tool to work through many combinations of usernames and passwords until a working combination is found.
There are several common flavours of brute force attack (all of which are made a lot easier where the type of password listed above is used!):
- Dictionary attack. The hacker works through a long list of possible passwords and tries them all. The list can be narrowed quite substantially by making certain assumptions about the type of user being targeted.
- Credential recycling. The attacker gets hold of usernames and passwords exposed in other breaches and uses this data as the basis for a fresh attack of their own. It often yields results because so many of us are guilty of reusing login details across multiple accounts.
- Reverse brute force attack. Let’s say that the hacker wants to infiltrate a big company. Of all the users on the network, they bet that at least a few will be careless or lazy enough to have the likes of ‘123456’ as their password. Drawing on information from the likes of LinkedIn, they attempt to match possible usernames to this one popular password.
Time for a password hygiene check?
Obviously, you would never use a ‘qwerty’ type password – and neither would you forget to swap out the factory default logins on your devices and peripherals. But one of the biggest challenges of working in cybersecurity involves policing the behaviour of other users. Ensuring good password hygiene is a big part of this.
Here are some tips for getting it right…
Have a clear policy in place
Typically, this might include the following:
Length and characters. We recommend passphrases of 12 mixed-type characters. (It takes less than a second to crack ‘123456’; in theory, it takes years to cold-crack a 12-character mixed phrase.)
An example of a very strong passphrase is "You miss 100% of the shots you don’t take." With a massive cracking array (assuming one hundred trillion guesses per second) it would take 3.73 hundred billion trillion trillion trillion trillion centuries to crack.
Uniqueness. Where users duplicate identical passwords for multiple tools, a single hack could provide a way into multiple systems. Insist on a different password for each log-in.
Safe password management. Leave it to non-technical users to set their own passwords, and there’s always ‘that guy’ who will lapse into the type of guessable patterns that dominate the SplashData list. With a password manager tool, you can generate secure random passphrases and organise and store them securely at admin level.
Recommended password managers include:
- LastPass - Most functionality, with browser integration, but the highest attack surface.
- KeePass, KeePassX, KeePassXC - Moderate functionality and moderate attack surface. (What's the difference between KeePass, KeePassX and KeePassXC?)
- Master Password App - Least functionality and the lowest attack surface.
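As an added example (not code from SplashData or this article), here is a Python policy check that applies the rules above: it rejects anything on the 2018 top-25 list, anything shorter than 12 characters, and anything using too few character classes. It goes slightly beyond the list by also catching a top-25 entry dressed up with trailing digits or punctuation; that suffix-stripping and the "at least three of four character classes" reading of "mixed type" are assumptions.

```python
import re

# SplashData's 2018 "Worst Passwords" top 25, exactly as listed on this page.
WORST_25_2018 = frozenset([
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwert123",
])
MIN_LENGTH = 12    # the article's recommendation: 12 mixed-type characters
MIN_CLASSES = 3    # assumption: "mixed type" means at least 3 of the 4 classes below
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def base_form(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation, so 'Password123!' maps to 'password'."""
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", pw.lower())

def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in WORST_25_2018:
        problems.append("on the SplashData 2018 worst-25 list")
    elif base_form(pw) in WORST_25_2018:
        problems.append("a worst-25 entry with trivial decoration")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in CLASSES.values() if rx.search(pw))
    if present < MIN_CLASSES:
        problems.append(f"uses only {present} of {MIN_CLASSES} required character classes")
    return problems
```

The article's own passphrase passes all three checks, while ‘123456’ fails every one of them.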
Fit-for-purpose authentication: time to look beyond the password...
Let’s say one of your network users is tricked into disclosing a password via a phishing attempt; your assets are exposed no matter how ‘strong’ the password happens to be. Alternatively, let’s say you are hit by a brute force attack; in which case, if the password is poorly hashed, sooner or later it is going to be cracked…
You cannot rely solely on passwords to keep your assets safe.
For one thing, you should be looking at the type of security information and event management (SIEM) tools that can alert you to the fact that someone somewhere may be attempting to pick your locks - i.e. successful and failed logins from unfamiliar endpoints.
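As an added example, not part of the original article, here is the kind of login analysis such a SIEM rule performs, run over constructed sshd-style log lines: it flags one source failing against many different accounts (the reverse brute force pattern described above), repeated failures against a single account, and successful logins from endpoints outside an assumed list of familiar ones. The thresholds and the known-endpoint set are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style log lines (not real data): one source spraying
# several accounts, one hammering 'admin', and successes from unknown IPs.
SAMPLE_LOG = """\
Dec 14 09:01:02 host sshd[1]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Dec 14 09:01:03 host sshd[1]: Failed password for bob from 203.0.113.7 port 50002 ssh2
Dec 14 09:01:04 host sshd[1]: Failed password for invalid user carol from 203.0.113.7 port 50003 ssh2
Dec 14 09:01:05 host sshd[1]: Failed password for dave from 203.0.113.7 port 50004 ssh2
Dec 14 09:02:01 host sshd[1]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Dec 14 09:02:02 host sshd[1]: Failed password for admin from 198.51.100.9 port 40002 ssh2
Dec 14 09:02:03 host sshd[1]: Failed password for admin from 198.51.100.9 port 40003 ssh2
Dec 14 09:02:05 host sshd[1]: Accepted password for admin from 198.51.100.9 port 40005 ssh2
Dec 14 09:03:00 host sshd[1]: Accepted password for alice from 10.0.0.5 port 30001 ssh2
Dec 14 09:04:00 host sshd[1]: Accepted password for frank from 192.0.2.33 port 30002 ssh2
"""
KNOWN_ENDPOINTS = {"10.0.0.5"}   # assumption: endpoints already familiar to the organisation
SPRAY_MIN_USERS = 4   # one source failing against this many accounts = reverse brute force
BRUTE_MIN_FAILS = 3   # one source failing this often against one account = targeted brute force
LINE_RX = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse(log: str):
    """Yield (outcome, user, ip) for every line the regex recognises."""
    for line in log.splitlines():
        m = LINE_RX.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def analyse(log: str) -> dict:
    """Return the alert-worthy patterns found in the log."""
    users_per_ip = defaultdict(set)   # distinct usernames that failed, per source IP
    fails = Counter()                 # failed attempts per (user, ip)
    successes = []
    for outcome, user, ip in parse(log):
        if outcome == "Failed":
            users_per_ip[ip].add(user)
            fails[(user, ip)] += 1
        else:
            successes.append((user, ip))
    return {
        "spray_sources": sorted(ip for ip, u in users_per_ip.items() if len(u) >= SPRAY_MIN_USERS),
        "brute_force": sorted(k for k, n in fails.items() if n >= BRUTE_MIN_FAILS),
        "unfamiliar_success": sorted(s for s in successes if s[1] not in KNOWN_ENDPOINTS),
        "success_after_failures": sorted(s for s in successes if fails[s] >= BRUTE_MIN_FAILS),
    }
```

A success that follows a run of failures from the same source is the one alert here worth paging on: it is the signature of a guessable password finally giving way.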
Where appropriate, you should also be looking at fitting a double lock on the systems under your watch. We’re talking here about two-factor authentication (2FA): incorporating a second step in the login process, such as a soft token (a Time-based One-time Password generator like Google Authenticator), a hardware token, a biometric check or even SQRL.
Want to find out more about how to get authentication right? Here’s your next step...