Interviews

Commonly used passwords

by Mark Rowe

The word password remains one of the most popular passwords, it is claimed.

A Californian password management product company, SplashData, has listed stolen passwords that appeared online. The combination “123456” remains the most popular password among web users, then “password”. The company has found those two to be the most commonly used passwords since their first list in 2011.

This fifth annual list was compiled from more than two million leaked passwords. Some new and longer passwords are coming up; however, so simple as to make their extra length virtually worthless as a security measure, according to the firm.

For example, “1234567890”, “1qaz2wsx” (first two columns of main keys on a standard keyboard), and “qwertyuiop” (top row of keys on a standard keyboard) all appear in the most occurring 25 list; they are each based on simple patterns that would be easily guessable by hackers.

Simple numerical passwords remain common, with six of the top ten passwords on the 2015 list comprised of numbers only.

Sports remain a popular password theme. While baseball may be America’s pastime, “football” has overtaken it as a popular password. And the 2015 new Star Wars film prompted such easy to guess passwords as “starwars,” “solo,” and “princess”. Other passwords found on the 2015 list that did not appear on the 2014 list include “welcome”, “login” and “passw0rd.”

SplashData points out that people choosing weak, easily guessable passwords continue to put themselves at risk for hacking and identity theft. Morgan Slain, CEO of SplashData, said: “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers. As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

Rank Password Change from 2014

1 123456 Unchanged
2 password Unchanged
3 12345678 Up 1
4 qwerty Up 1
5 12345 Down 2
6 123456789 Unchanged
7 football Up 3
8 1234 Down 1
9 1234567 Up 2
10 baseball Down 2
11 welcome New
12 1234567890 New
13 abc123 Up 1
14 111111 Up 1
15 1qaz2wsx New
16 dragon Down 7
17 master Up 2
18 monkey Down 6
19 letmein Down 6
20 login New
21 princess New
22 qwertyuiop New
23 solo New
24 passw0rd New
25 starwars New

SplashData offers three tips:

– Use passwords or passphrases of twelve characters or more with mixed types of characters
– Avoid using the same password over and over again on different websites
– Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites

For more on SplashData’s last five years of research into commonly used passwords, visit: http://content.teamsid.com/worst-passwords-ebook.

Comments

Javvad Malik, Security Advocate at AlienVault, said: “These password lists illustrate how poor people typically are at choosing and remembering strong passwords. So, they will choose a simple to remember (and type) password and then reuse it on multiple sites. For the vast majority of sites, the password is the only thing separating your private details from the rest of the world. A website or app can have implemented good security controls – but if the user password is weak, then that can undermine everything else.

“The reason why these common passwords are so dangerous is that it gives an attacker an easy way to get into accounts. It’s similar to having a master key that you know will work on at least 10pc of the houses on your street. So rather than having to run a brute force against accounts – trying millions of password combinations to try and get in. I can take a small set of 25 or 50 passwords and try them against all the accounts. I’ll not only have a high success rate in getting in – but it’s more than likely that the same passwords would have been used across different websites.

“This then becomes particularly dangerous as an attacker could take control of your facebook, twitter, email, banking – effectively your entire digital identity with relative ease. Beyond stating the obvious of, “choose a strong password”. The following are some tips users can do to help secure users:

“Use a password manager (Lastpass, 1Password, Keypass etc.) to automatically generate and manage all your passwords. Enable two-factor or two-step authentication where possible. e.g. where you will need to enter your password and a code that is texted to your mobile phone. Some websites will offer additional controls or alerts every time you log on or change any details. Make sure these are enabled and follow up on any suspicious activity.”

And Brian Spector, CEO of MIRACL, said: “These are surely some of the easiest passwords to crack, even for the ordinary kid trying to get into their sibling’s Facebook account. A professional cyber criminal would simply laugh at them. Sadly, even though many people are now using a combination of letters and numbers, or substituting numbers for letters, passwords can’t protect your personal information or data.

“The IT industry needs to get over passwords all together. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks. However, there are cryptographic security advancements available in the authentication space today, that combine multi-factor-authentication with excellent ease of use that delight customers. These protocols remove all the threats we have become so accustomed to reading about every week. Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space.”

And Amichai Shulman, CTO of Imperva said: “As we pointed out in our Rockyou research, the abundant use of such easy passwords changes the way attackers are looking at brute force. Rather than trying all possible password combinations for each individual account, attackers are testing a small number of common passwords for all accounts, thus they guarantee a good rate of success. In one of Imperva’s recent papers on passwords we showed that the top 5,000 common passwords are used by 20 percent of internet users. This is a staggering success rate for an attacker with almost no cost. In fact, for the Rockyou data set we showed that such an attack would yield one compromised account per ~100 attempts. What this means for enterprises is that attackers can launch brute force attacks that have a smaller network footprint than expected. This essentially means more comprehensive account takeover mitigation measures are required.”

Lamar Bailey, director of security research and development at Tripwire, said: “Common passwords like these are very dangerous because hackers use a technique called a Dictionary Attack to gain access to accounts. This method uses a file of known popular passwords and tries them one at a time until the correct match is found. When popular password lists or credentials from a data breach are published the attackers update their list to move the most popular passwords to the top of their dictionary. Users should never use any password published in a top password list, using a password manager that auto generates obscure passwords is much safer.”

Jonathan Sander, VP of product strategy at Lieberman Software Corporation said: “What computers are good at is taking clear instructions and sets of data to run through repetitive tasks in an automated manner. What could be simpler for an attacker than to take a list of the most common passwords and let a computer loose with the instruction to try these passwords everywhere it can connect to and report back every time it works? Today’s bad guys are automated. They leverage the power of computing to the highest degree. If you use any of these well-known passwords then you’ve made sure they will get into your account if they touch it. Many feel that they are not a target so it’s OK. But automation doesn’t care who you are or how little you have in that online bank account. Automation will simply see if it can get in, and may even be smart enough to drain that little bit in the account. At the end of the day, the automated bad guy has a fat account filled with all the little amounts drained from all the folks who didn’t think they were targets and used bad passwords.”

Mark James, security specialist at ESET said: “Passwords will always be the single biggest failure point of any network or login and it makes no difference how good your internal procedures are, or how tight your rules and policies are configured, if you’re using weak or easy passwords, you are already on the easy target list. We often hear about data breaches and ask the usual questions around whether the data was encrypted, but it makes no difference if the user is already authenticated due to you using inadequate login credentials. Simple password cracking procedures will take data that has been hacked and leaked, match it against a known word and bingo they now have your password. The hacker will then take those details and try every known online financial login and it’s quite possible they’re going to get a match. Easy to guess passwords have been around for a while, when you are forced to enter log in details for every site you visit sooner or later if you’re not using a password manager or algorithm you’re going to duplicate passwords, you may even suspect it’s not important enough to have its own unique password so 1234567 will do, the bad guys have access to the same lists we do, when passwords appear in these lists they will be in the top most data used for brute force matching, time is important when you’re trying to guess someone’s password, so they want to get it done and move on to the next one as quickly as possible, bear in mind if your using any of these passwords it won’t take a hacker minutes to guess your password, not even seconds, it will take them less time to find your password than it did for you to enter it.”

Craig Young, security researcher at Tripwire, said: “Industry best practices dictate that web site operators obfuscate passwords so that they cannot be recovered in the event of a breach. For a properly secure site, this means that an attacker with access to read from the password database can only check if a particular password is correct. If an account is set to use one of these common passwords, the attacker will likely guess it in seconds thereby undermining the security measures taken by the site.”

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing