Interviews

Passwords should play hard to get

by Mark Rowe

Passwords such as 123456789 or similar strings of numbers, Premier League football team names, a common first name, or even the word ‘password’ are all easily exploitable, the National Cyber Security Centre (NCSC) points out. It released the survey, carried out jointly with the Department for Digital, Culture, Media and Sport, ahead of the NCSC’s CYBERUK 2019 conference in Glasgow.

First in the ‘table’ of Premier League team names among passwords used to breach accounts was Liverpool, then Chelsea and Arsenal; ‘manutd’ was fourth and ‘mancity’ eleventh. Most common overall are chains of numbers, above all 123456, or 123123, or six zeroes; or qwerty as per the keyboard, or ‘iloveyou’, or some easily guessed combination such as 123abc, or slight variations such as qwerty123. The full ‘top 100,000’ list (which does not include the Premier League clubs ‘bournemouth’ and ‘huddersfield’) is available for download as the file PwnedPasswordTop100k.txt.
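As an added example (not from the NCSC or this article), the following Python screens a candidate password at registration against a breached-password list in the layout of PwnedPasswordTop100k.txt, one plaintext password per line. The list embedded below is a constructed handful of the entries the article names, standing in for the real 100,000-line file; the variant stripping (case folding, trailing digits and symbols) and the minimum length are assumptions of this example, not rules the NCSC list applies itself.

```python
"""Screen a candidate password against a breached-password list.

Added example, not part of the NCSC release or this article. It shows how a
registration form can reject passwords found in a file with the layout of
PwnedPasswordTop100k.txt: one plaintext password per line.
"""
import re
from typing import Iterable, Optional

# Constructed sample standing in for the real 100,000-line file; these are
# the passwords the article names.
SAMPLE_LIST = """\
123456
123456789
qwerty
password
iloveyou
123123
000000
123abc
qwerty123
liverpool
chelsea
arsenal
manutd
mancity
"""

# Assumption of this example: also reject trivial mutations of a listed
# password (case changes, appended digits or symbols), because cracking
# wordlists apply the same rules. The NCSC file itself is exact plaintext.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*?.\-_ ]+$")
MIN_LENGTH = 8


def load_blocklist(lines: Iterable[str]) -> frozenset:
    """Build a lowercase set from a one-password-per-line source."""
    return frozenset(ln.strip().lower() for ln in lines if ln.strip())


def load_blocklist_file(path: str) -> frozenset:
    """Load the real file, e.g. load_blocklist_file('PwnedPasswordTop100k.txt')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_blocklist(fh)


def check_password(password: str, blocklist: frozenset) -> Optional[str]:
    """Return None if the password is acceptable, else the reason it is not.

    Comparison is case-insensitive: 'Liverpool' and 'LIVERPOOL' are as
    guessable as 'liverpool'.
    """
    lower = password.lower()
    if lower in blocklist:
        return f"'{password}' appears in the breached-password list"
    base = _TRAILING_JUNK.sub("", lower)
    if base and base != lower and base in blocklist:
        return f"'{password}' is a trivial variant of breached password '{base}'"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_LIST.splitlines())
    for candidate in ["123456", "Liverpool", "Liverpool2019!", "Tr0ub4d",
                      "correct horse staple"]:
        verdict = check_password(candidate, blocklist)
        print(f"{candidate!r}: {'ok' if verdict is None else 'rejected: ' + verdict}")
```

Loading the full file into a set costs a few megabytes of memory and makes each check a constant-time lookup, so it belongs in the registration and password-change paths rather than as an offline audit only. Swap `load_blocklist(SAMPLE_LIST.splitlines())` for `load_blocklist_file("PwnedPasswordTop100k.txt")` to use the real list.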

See also the NCSC blog.

Dr Ian Levy, NCSC Technical Director, said: “We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable. Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

“The compromised passwords were obtained from global breaches that are already in the public domain having been sold or shared by hackers.

“The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by Troy Hunt. The website allows people to check if they have an account that has been compromised in a data breach.” Troy Hunt (who is due to be inducted into the Infosecurity Europe exhibition hall of fame, and to speak, on Thursday, June 6 at London Olympia) said: “Making good password choices is the single biggest control consumers have over their own personal security posture. We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them.

“Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence.”

Comment

Nabil Hannan, managing principal at Synopsys, said: “With many password leaks on the internet, organisations are starting to realise how important it is to store passwords securely in their applications. Storing passwords securely is not as simple as it might seem at first. The themes I’m seeing in the industry are:

People are moving away from a username-and-password model (one factor) to a two-factor authentication model to protect their users in the case that their passwords get breached.
Social logins are gaining popularity and becoming easier to integrate, and organisations are leveraging social logins to make signing up/authentication easier for the end user.
On the organisational side, practices around the usage of strong passwords, regularly having users change their passwords, and making sure passwords are stored securely are important things to keep in mind.

“On the end user side, smartphones, tablets, and personal computers have software available that will manage/synchronise your passwords across devices (Apple’s iCloud Keychain, Google Chrome’s password manager, etc.). There are also other paid password managers that end users can use. This allows them to let the password manager generate strong and unique passwords, and manage them across the end user’s different user accounts and machines.

“Although using passwords may not be the most secure way of authenticating, it’s simple, and people have gotten into the habit of understanding how to use the combination of username/password to authenticate. Eventually, passwords will become obsolete, and new authentication techniques leveraging social logins, single sign-on, and biometrics will start gaining more traction. Ultimately which solution is adopted in the future will depend on which solution the end users end up using the most.

“Storing passwords securely is challenging because it’s not quite as straightforward as just hashing or encrypting the password and storing it. Passwords are just like any other sensitive data/asset of the software ecosystem. In order to design a system securely, organisations have to do the necessary business analysis to understand the importance of the data, do threat modelling to understand what controls need to exist to protect the data from threat actors, and then ensure those controls get included in the software requirements so that they actually get implemented and tested as part of the secure SDLC.”
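To make the storage point concrete, here is an added Python example (not Synopsys’ code or anything from the article). It contrasts a bare SHA-256 of the password, which the same top-100k list recovers instantly, with a per-user random salt and the memory-hard scrypt KDF from Python’s standard library. The scrypt parameters, the stored record format and the short candidate list are assumptions of this example.

```python
"""Store passwords with a salted, memory-hard KDF instead of a bare hash.

Added example, not code from Synopsys or the article. It contrasts the
naive 'just hash it' approach with per-user salt plus scrypt, and shows
why the naive form falls to the same top-100k list the article discusses.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed excerpt of a breached-password list (the real file has 100k lines).
TOP_PASSWORDS = ["123456", "123456789", "qwerty", "password", "liverpool", "iloveyou"]


# --- The wrong way: an unsalted, fast hash --------------------------------
def naive_hash(password: str) -> str:
    """SHA-256 of the password alone. Fast, unsalted, identical for every
    user who picked the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_naive(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover a common password from its bare hash by trying a wordlist.
    With no salt, one pass over the list cracks every user at once."""
    for cand in candidates:
        if naive_hash(cand) == digest:
            return cand
    return None


# --- The right way: per-user random salt + scrypt -------------------------
# Assumption: libsodium's 'interactive' cost settings. Raise N as hardware
# allows; memory use is 128 * r * N bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$key_hex.
    Storing the parameters lets them be raised later without breaking
    verification of older records."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    A malformed record is treated as a failed login, never as an error
    that could leak which accounts exist."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(key_hex)
        key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    stolen = naive_hash("liverpool")  # what a leaked table of bare hashes gives away
    print("naive SHA-256 cracked as:", crack_naive(stolen, TOP_PASSWORDS))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("password", record))
```

The salt defeats precomputed tables and forces an attacker to run the cost function once per user per guess; the cost function itself (scrypt, or argon2id or bcrypt where a library is available) is what turns a 100,000-entry list from an instant lookup into real work. Note that a slow KDF is no help to a user whose password is itself on the list, which is why the screening check and the storage choice go together.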


© 2024 Professional Security Magazine. All rights reserved.
