Password Fail: Are Your Workers Using 123456?

InformationWeek | Mobile // Mobile Applications | News | 1/20/2015 04:33 PM

The 25 worst passwords of 2014 demonstrate once again that people just can't be bothered to take responsibility for their online security.


The worst password of 2014 is again "123456," proving that those who cannot remember history are doomed to repeat it -- and to risk being hacked.

How many of your workers are using lame passwords? The annual list of the 25 worst passwords, compiled by SplashData, a Los Gatos, Calif.-based company that provides password management software, is a good excuse for IT teams everywhere to conduct a password audit and provide some basic security training.

For the past four years, SplashData has examined password data made public through security breaches. The 2014 password list was derived from 3.3 million leaked passwords associated with North American and European user accounts.

Every year since 2011, "123456" has topped the list, demonstrating that people just can't be bothered to take responsibility for their online security.

This is evident from a June 2014 article in Canada's Winnipeg Sun that describes how two 14-year-olds hacked a Bank of Montreal ATM, putting it into operator mode "when their first random guess at the six-digit password worked."

Though the article does not specify what this "common default password" was -- you wouldn't want that critical information to become public, you know -- "123456" would be the random six-digit number you'd want to start with, based on historical data.


"Passwords based on simple patterns on your keyboard remain popular despite how weak they are," said Morgan Slain, CEO of SplashData, in a statement. "Any password using numbers alone should be avoided, especially sequences."

Among the top 10 most commonly seen passwords, the third, fourth, sixth, and seventh most popular choices (12345, 12345678, 123456789, and 1234, respectively) were all sequences of digits.

If only stating the obvious were enough. The problem is not just that simple numeric sequences need to be avoided. Simple words are bad too. Consider the fact that the second most common password being used (and the second least secure) is still "password," as it has been for the past four years.

Other text-oriented entries in the top 10 were: "qwerty" (5), "baseball" (8), "dragon" (9), and "football" (10).

If that tempts you to lay your head on your keyboard in despair, there is some cause for optimism. According to Mark Burnett, an online security researcher who worked with SplashData, Internet users are moving away from using the 25 most commonly seen passwords. In 2014, about 2.2% of exposed passwords came from the top 25, a lower percentage than previous studies.

In October 2014, the United Kingdom's Home Office found that 75% of Britons don't follow best practices for creating strong passwords. It's more or less the same all over. The reason is largely that strong passwords are hard to remember, particularly for those who regularly access dozens of websites. Ideally, every website should have a different password. Reality is far from ideal, however, and password reuse is common.

If there's an answer to the frailty of human memory, it's to employ a password management app or at least to come up with a mnemonic system that allows you to create varied passwords that can each be recalled easily. In addition, using two-factor authentication is generally worthwhile when it's an option.
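The audit the article recommends can be started with a very small policy check. The following is an added example, not code from the article or from SplashData: it flags passwords that are on a blocklist, consist of digits only, contain a keyboard or number sequence, or fall below a minimum length. The blocklist holds only the top-10 entries the article names (a real deployment would load the full published list or a breach corpus from a file), and the 12-character minimum, the `MIN_WALK` run length and the sample passwords are assumptions made for the example.

```python
"""Password-policy checks of the kind an IT team could run during a
password audit or at password-change time.

Added example; not the article's or SplashData's code. The blocklist is
deliberately partial (only entries named in the article), and the
minimum length and keyboard-walk run length are assumed values.
"""
import re

# Partial blocklist: the top-10 entries the article names. Matched
# case-insensitively so "Password" and "PASSWORD" are caught as well.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}

# Physical keyboard rows (digits row included). Any run of MIN_WALK
# adjacent keys, in either direction, counts as a keyboard walk; this
# also catches pure number sequences such as 12345 or 987654321.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_WALK = 4  # assumed run length

# Constructed sample input for the audit below (not real user data).
SAMPLE_PASSWORDS = [
    "123456",
    "password",
    "Tr0ub4dor&3xyz",
    "correct horse battery staple",
    "qwerty2015!",
    "987654321",
]


def contains_keyboard_walk(pw: str, min_run: int = MIN_WALK) -> bool:
    """True if any window of min_run characters lies along a keyboard
    row, read forwards or backwards (e.g. 'qwer', '1234', '9876')."""
    low = pw.lower()
    lines = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    for i in range(len(low) - min_run + 1):
        chunk = low[i:i + min_run]
        if any(chunk in line for line in lines):
            return True
    return False


def check_password(pw: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations for pw (empty means it passes)."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if re.fullmatch(r"[0-9]+", pw):
        reasons.append("digits only")
    if contains_keyboard_walk(pw):
        reasons.append("contains a keyboard or number sequence")
    return reasons


def audit(passwords: list[str]) -> dict[str, list[str]]:
    """Map each failing password to its violations; passing ones are omitted."""
    return {pw: reasons for pw in passwords if (reasons := check_password(pw))}


if __name__ == "__main__":
    for pw, reasons in audit(SAMPLE_PASSWORDS).items():
        print(f"{pw!r}: " + "; ".join(reasons))
```

Because the check keys on structure rather than on an exact list, it rejects variations such as "qwerty2015!" that a bare blocklist lookup would let through; a longer `MIN_WALK` makes the sequence test more permissive, a shorter one more aggressive.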


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Angelfuego (User Rank: Ninja), 1/27/2015 | 9:43:45 AM
Re: memory classes anyone
@Sachinee, I suppose the Excel document suggestion is one way.

Angelfuego (User Rank: Ninja), 1/27/2015 | 9:13:21 AM
Re: memory classes anyone
@Sachinee, Absolutely! You also have to be careful when you write down your password and where you place the list. Your security can be breached that way as well.

impactnow (User Rank: Author), 1/26/2015 | 9:29:13 PM
Re: Password standards
I agree, "forgot" has become my standard, since so many of the password standards are maddening. One particular company has actually driven me to my phone to pay my bill because it is so maddening!

Joe Stanganelli (User Rank: Author), 1/26/2015 | 9:29:03 PM
Re: memory classes anyone
@vnewman2: It's been made into a book, too!

Joe Stanganelli (User Rank: Author), 1/26/2015 | 9:28:07 PM
Re: Password standards
I can't even remember the last time I remembered one of my particular passwords -- let alone what the password itself is (or, for that matter, ever was). Now I just don't do anything on that website anymore because I got tired of resetting my password and promptly forgetting the new one.

Kelly22 (User Rank: Strategist), 1/26/2015 | 4:44:44 PM
Re: Password standards
I feel the same exact way. Every time I sign up for something now, my password has to have special characters, numbers, upper and lowercase letters, a picture... it doesn't end! I get that it's for security purposes, but I end up clicking "forgot password" a lot more than I used to.

vnewman2 (User Rank: Ninja), 1/26/2015 | 2:48:54 PM
Re: Password standards
@impactnow "In the last week alone I ran into a website that required 4 digit numbers only, one that required an 8 character password with at least one number and one upper case character, one that required a picture tag and a six digit password, and one that required your new password not be the same as your previous four passwords. Is anyone else screaming in terror yet?"

Yes. It is maddening and a huge timesuck. I used to be able to choose from a handful of potential passwords in my head before every website came up with some sort of random naming convention of their own - now I either have to look it up on my spreadsheet or play the "forgot password" game.

vnewman2 (User Rank: Ninja), 1/26/2015 | 2:40:48 PM
Re: memory classes anyone
@JoeStanganelli - Clearly the folks at Best Buy don't frequent stuffonmycat.com

Joe Stanganelli (User Rank: Author), 1/25/2015 | 7:29:30 PM
Human passwords
Even better human-made passwords are still easily hackable because humans tend to pick predictably patterned passwords. Some of the best passwords tend to be lengthy and computer generated. Of course, they're also difficult to remember -- which is why several top security experts these days actually advocate for (not against!) writing down your password...so as to better enable more complex passwords.

Of course, don't write your password on a Post-It that's stuck to your computer monitor...

Joe Stanganelli (User Rank: Author), 1/25/2015 | 7:26:58 PM
Re: memory classes anyone
Re: "Cats are not hats"

I beg to differ. www1.pictures.stylebistro.com/mp/x5iDv6ulAM2l.jpg