Simple Passwords Remain a Security Concern
February 1, 2016
Research has revealed the most popular passwords of 2015. We shouldn’t be surprised, but disappointingly, some simple and easy to remember (or guess) passwords once again top the list. And yes, ‘password’, ‘123456’ and ‘qwerty’ are still the most common. The data shows again, as if we need reminding, that passwords are a liability, and alternative methods need not just exploring but implementing too.
The research was carried out by SplashData. They analysed all the leaked password data from 2015 they could find. It’s a task they take on every year. You can check out the full list here. My personal favourite this year, not that I recommend using it, is ‘letmein’. Morgan Slain, CEO of SplashData, said:
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers. As we see on the list, using common sports and pop culture terms is also a bad idea.”
Passwords are no doubt a liability in security solutions: they are all too often the means by which hacks are carried out. Hackers sometimes break into companies and find passwords stored in plain text, as in the cases covered by this research. They can also phish for them, which involves socially engineering and tricking users into revealing their password. And they can often use the leaked password for one account to cause damage elsewhere, because in reality, using a unique password for every site or account a person has is neither easy nor convenient.
The password issue is hardly a new problem but we need new ways to resolve it. The standard way to tackle it has been for organisations to demand more complex passwords from their users, always with the advice: use this password here and nowhere else.
It could be argued that this kind of advice has done all it can by now. The solution to the problem needs to be taken out of the hands of the user.
How big is the problem?
Consider this. SplashData’s research in some ways inflates the problem. It’s hardly news that ‘123456’ or ‘password’ are still the most common passwords. What else would it have changed to over the years? Something has to be top, and it’s hardly going to be your unique password based on your favourite childhood TV programme: Sp0nGeB0bReCTAN6lePANt5s was never going to be top.
In fact, out of the 2 million passwords analysed, the top password, ‘123456’, made up 1 percent of the data. The top 25 passwords together represented just 3 percent. That equates to 60,000 of the 2 million passwords analysed. It’s a minority using the most disastrous of passwords. Not that I’m suggesting the other 97 percent of passwords were brilliant uncrackable enigmas.
It’s also a safe assumption that a large proportion of the passwords leaked and analysed are from websites where security was not a high priority to the users or the host. Organisations that value security don’t store passwords in plain text. It’s very unlikely these passwords represent online banking log-ins or sites that need payment information. At least I hope not. The number of people using these top passwords would presumably be reduced if we were exclusively looking at something such as Amazon log-ins.
My point is, user education is reaching its limit as a solution to the problem. Awareness can only be raised so much about good security practices. I mean, you’re confronted with it each and every time you create a new password. I think it has reached a large majority of internet users. But there is a section of users that the message hasn’t got through to and I don’t think ever will.
Nevertheless, even if it is only a small percentage of users who are endangering themselves with terrible password choices, we still need to solve the problem. The best way to do this is to start really pushing for multi-factor authentication, and even better, the kind that takes advantage of biometrics such as a fingerprint.
If log-in requires a fingerprint scan, we do almost literally put the security into the users’ hands, but in a way that is far more secure than simply leaving it up to their, apparently limited, imagination. When biometrics are used correctly, there is no plain-text password sitting in a document for hackers to steal. They can’t phish for it in an email and they can’t guess it, as they could a simple password.
We are a big proponent of multi-factor and biometric authentication in our identity management solution. We believe it gives organisations the best of both worlds, allowing for access control solutions that are both secure and convenient. We certainly believe it’s time we moved beyond passwords alone. Find out more here about how BioStore approaches secure access control using multi-factor authentication.