Although weak and commonly used passwords have long been one of the most common avenues for compromising accounts, they remain at the top of the most-popular-passwords charts, a recent Keeper Security report reveals.
Last year’s mega-breaches once again brought the long-standing issue of weak passwords into the spotlight, but users remained deaf to the security community’s calls for better password hygiene. By the end of the year, “123456” remained the most used password, with 17% of all users “safeguarding” their accounts with it.
A series of massive data breaches made public last year demonstrated how important the use of strong, complex passwords is. These hacks included Dropbox (68 million accounts impacted), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), Last.fm (43 million), and VK (170 million) in early summer, followed by Yahoo! (500 million) in September (the company revealed in December that one billion accounts were impacted in another incident).
If 2016 taught us anything, it is that the recipe for disastrous account security consists of a weak password and the reuse of that password across multiple services. Attacks on Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer and Twitter have already proven that cybercriminals are aware of this practice and are quick to exploit it.
Companies such as Amazon and Microsoft were quick to react to the disturbing news: the former prompted password resets for users whose accounts had been compromised in other hacks, and the latter banned commonly used passwords from its services. Users are still at risk, however, as most services fail to take a stance and continue to allow users to secure their accounts with weak, easily guessable passwords.
According to Keeper Security, the ten most used passwords in 2016 were:
Keeper Security’s report (PDF), which was compiled after the analysis of 10 million passwords, also reveals that the top 25 most popular passwords are used to secure over 50% of accounts. Some of these passwords are popular because they are used to secure accounts created by bots, but all of them can be cracked within seconds with the use of dictionary-based cracking tools.
Some users, the report reveals, attempt to secure their accounts by employing what they believe to be unpredictable patterns, such as “1q2w3e4r” and “123qwe,” but the widespread use of these passwords makes them easily predictable as well. To improve account security, users should employ complex passwords and a password manager, so that they can have a different password for each of their accounts.
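A registration-time screen of the kind the article credits Microsoft with, as an added example that is not from Keeper Security or SecurityWeek: it rejects passwords found on a denylist (here a constructed three-entry sample limited to the strings the article quotes; a real deployment loads a full breached-password corpus) and flags keyboard-walk patterns such as “1q2w3e4r” and “123qwe”. The QWERTY grid, the 75% adjacency threshold and the 12-character minimum are assumptions.

```python
import re

# Constructed sample denylist: only the values the article itself mentions.
# A production check loads millions of breached passwords instead.
COMMON_PASSWORDS = {"123456", "1q2w3e4r", "123qwe"}

# US QWERTY rows treated as a straight grid (assumption; real rows are staggered).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def variants(pw):
    """Forms compared against the denylist: lower-cased as typed, with surrounding
    punctuation removed, and with trailing digits removed, so that trivial
    decorations of a banned password ("123qwe!") do not evade the check."""
    low = pw.lower()
    bare = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", low)
    forms = {low, bare}
    no_digits = re.sub(r"\d+$", "", bare)
    if no_digits:
        forms.add(no_digits)
    return forms


def is_keyboard_walk(pw, threshold=0.75):
    """True when at least `threshold` of consecutive character pairs sit on the
    same or neighbouring keys (horizontal, vertical or diagonal) of the grid.
    Catches 1q2w3e4r (column walk), 123qwe (two row runs) and 123456."""
    chars = pw.lower()
    if len(chars) < 4:
        return False
    close = 0
    for a, b in zip(chars, chars[1:]):
        pa, pb = KEY_POS.get(a), KEY_POS.get(b)
        if pa and pb and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1:
            close += 1
    return close / (len(chars) - 1) >= threshold


def check_password(pw, denylist=COMMON_PASSWORDS, min_len=12):
    """Return the list of reasons to reject `pw`; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if variants(pw) & denylist:
        reasons.append("on common-password denylist")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk pattern")
    return reasons
```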
“I can tell you for a fact that without a password manager nearly everyone I know re-uses passwords. Otherwise you have dozens if not hundreds of passwords you need to try and remember. Obviously that won’t work,” Rafal Los, Managing Director, Solutions R&D within the Office of the CISO for Optiv, notes in a SecurityWeek column.
He also points out that service providers shouldn’t focus on policies that force users to use complex passwords and perhaps reset them often, but rather on building good authentication hygiene that drives healthy behaviors in users.
“So, the problem to solve: rather than trying to figure out how complex you can make password requirements before your users revolt is how to maintain good authentication hygiene while driving healthy behaviors from your users. We’re going to be living with passwords for a very, very long time whether you want to admit it or not. Let’s address the root cause of the problems we’re seeing and start being seen as leaders,” Los says.