The 25 worst passwords of 2019, and 8 tips for improving password security

CSO Online Security

Pop quiz: What has been the most popular, and therefore least secure, password every year since 2013? If you answered "password," you'd be close. "Qwerty" is another contender for the dubious distinction, but the champion is the most basic, obvious password imaginable: "123456."

Yes, plenty of people still use "123456" as a password, according to SplashData's list of the top 25 most common passwords. It ranked second in 2011 and 2012 and has been number one every year through 2019. SplashData's list is based on the company's analysis of millions of passwords leaked on the internet.

Plenty of other epically insecure passwords continue to make SplashData's annual password hall of shame, including the aforementioned "password" (always in the top five, and No. 1 in 2011 and 2012); "qwerty" (always in the top ten); and a slightly longer variation of the reigning champ, "12345678" (always in the top six).

"Disappointingly, there are no big differences between recent worst-password lists and this year's," says Morgan Slain, SplashData's CEO. That's because the passwords on the lists are mostly generated by consumers who continue to stick with passwords that are simple and easy to remember, and therefore far too easily hacked, he says.

Worst passwords of 2019

Here are the top ten of SplashData's most popular, least secure passwords of 2019 (the full list runs to 25).

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Other worst-password lists from NordPass and the U.K.'s National Cyber Security Centre are mostly in line with SplashData's findings. And a comparison to SplashData's 2018 list shows little change year over year.

[Figure: SplashData's worst passwords, 2018 compared with 2019. Source: SplashData / IDG]

We've also asked cybersecurity experts for their thoughts on the problems with enterprise passwords, how to improve password and authentication security, and the prospects for a "passwordless future."

The problems with enterprise passwords

Companies are increasingly using multi-factor authentication (MFA) and single sign-on (SSO) services to bolster security. Nonetheless, too many employees "still have poor password hygiene that weakens the overall security posture of their company," according to the 3rd Annual Global Password Security Report (2019) from LogMeIn.

It's no wonder many employees have password fatigue, which in turn leads to lax password security. LogMeIn's report finds that users at larger companies (1,001 to 10,000 employees) have on average 25 passwords to contend with. The problem is more acute for users at small businesses (25 or fewer employees), who have on average 85 passwords to juggle. Employees in the media/advertising industry use the highest number of passwords, 97 on average, compared to 54 passwords per employee in government (the sector with the lowest average number of passwords per employee).

"Passwords have historically been the first line of defense for companies, but they continue to cause frustration and risk," says John Bennett, general manager of identity and access management at LogMeIn. "What's more, password sharing and reuse remains a common practice in most businesses, with employees reusing one password an average of 13 times."

Shadow IT presents another problem. "One of the biggest problems plaguing enterprise password security is shadow IT, in which employees use third-party apps, services and devices without IT oversight to do their jobs more efficiently," says Matt Davey, chief operating officer at password management software company 1Password. "As employees continue to find their own productivity hacks, the 'solve your own problem' mentality leads to unseen passwords that have no IT oversight."

All told, the password problem brings significant risk to enterprises. Verizon's 2019 Data Breach Investigations Report finds that 80% of hacking-related breaches involved weak or compromised credentials.

How to improve enterprise password security

Require the use of a password manager
Password management applications for business users (such as 1Password, Dashlane and LastPass) are an effective first step toward reducing the security risks associated with passwords, notes Dr. David Archer, principal scientist of cryptography and multiparty computation at security research and consulting firm Galois. He recommends having enterprise users leverage password managers to generate and store long passwords with all character classes (such as mixed-case letters) turned on. With a password manager in place, users should have only two passwords they need to remember, he adds: the password to the password manager app and the password to the computer account the user logs into daily.

Require the use of MFA
MFA factors include what you know (a password), what you have (a device, such as a smartphone), and who you are (a fingerprint or facial recognition scan). Using MFA to require verification, such as a code sent to a mobile device, in addition to strong, unique passwords, can help provide better enterprise security, says Justin Harvey, global incident response lead at Accenture Security. Of the "something you have" options, a one-time code delivered by SMS is the weakest, since phone numbers can be hijacked; an authenticator app or a hardware security key resists interception and phishing far better.

Don't let users create passwords with dictionary words
In a brute-force dictionary attack, a criminal uses software that systematically tries every word in a dictionary to figure out a password. To thwart such attacks, many experts advise against using words that exist in a dictionary. Modern cracking tools also extend the dictionary with rules such as appending digits or swapping characters, so "P@ssw0rd1" offers little more protection than "password".

Steer users away from passwords that include information about them
Don't use the names of a spouse, pet, city of residence, birthplace or other personally identifiable information in a password, as that information could be deduced from the user's social media accounts. "A hacker is more likely to guess your 'pet's name + 1234' as your password than they are to figure out that your password is 'D2a5n6fian71eTBa2a5er,'" says Davey.

Educate users on what makes a password safe
A safe password doesn't appear anywhere else in the public realm (such as in dictionaries), doesn't appear anywhere in private (such as in other accounts the user has), and contains enough random characters that it would take an eternity to guess, even using brute-force or rainbow table methods, says Archer.

Regularly perform password audits
Ideally, your organization should use an authentication system that allows for password audits, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC). "Look for things like password reuse across employees or use of common phrases or common words with simple character replacements. If you discover a weak password, use the occasion as a learning opportunity for users."

Don't villainize mistakes
Create an environment in which employees feel comfortable raising questions or concerns about security, particularly if they think they may have slipped up, suggests 1Password's Davey. "Don't villainize people," he says, because they may be afraid to tell you when they've made a mistake. "If you know about security issues as they arise, you can act quickly to address the initial threat and take steps to prevent it from happening in the future."

Require users to generate passwords with all the character types
This includes upper- and lowercase letters, numbers and symbols, advises Shayne Sherman, CEO of online technology knowledgebase TechLoris. "Use an algorithm that compares passwords to users' previous passwords to prevent incrementing." Note that current NIST guidance (SP 800-63B) discourages mandatory composition rules and periodic rotation in favor of length, a check against known-breached passwords, and MFA; a rule-based checker earns its keep by screening for breached and predictable passwords rather than by merely counting character classes.
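The dictionary, character-substitution, reuse and incrementing checks described in the tips above, combined into one audit script as an added example written for this page (it is not code from Synopsys, TechLoris or any other source quoted). The denylist, the leet-substitution table and the four sample accounts are all constructed for the demonstration; a real audit would run against a breached-password corpus and compare hashes at password-change time rather than handling plaintext.

```python
import hashlib
import re
from collections import defaultdict

# Constructed denylist: the page's 2019 top ten plus a few classic words.
DENYLIST = {"123456", "123456789", "qwerty", "password", "1234567",
            "12345678", "12345", "iloveyou", "111111", "123123",
            "welcome", "letmein", "admin", "summer", "winter"}

# Common single-character substitutions that cracking rules undo (constructed).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, then undo leet
    substitutions, so 'P@ssw0rd2020!' collapses to 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def is_increment(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing number/symbols changed
    (Summer2019 -> Summer2020) or with digits/symbols appended."""
    def stem(s: str) -> str:
        return re.sub(r"[\d!#$%^&*?]+$", "", s).lower()
    return old != new and stem(old) != "" and stem(old) == stem(new)


def audit_password(password: str, previous: str = None) -> list:
    """Return the findings for one password; an empty list means it passed
    the checks implemented here (this is not a full strength meter)."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if password.lower() in DENYLIST:
        findings.append("on the denylist")
    elif normalize(password) in DENYLIST:
        findings.append("denylisted word once suffix and substitutions are removed")
    if previous is not None:
        if password == previous:
            findings.append("reuses the previous password")
        elif is_increment(previous, password):
            findings.append("increments the previous password")
    return findings


def find_shared_passwords(records: dict) -> dict:
    """Map each password digest shared by more than one user to those users.
    Unsalted SHA-256 over constructed plaintext stands in for the check a
    real system performs against its own credential store."""
    by_hash = defaultdict(list)
    for user, password in records.items():
        by_hash[hashlib.sha256(password.encode()).hexdigest()].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Constructed sample: (current password, previous password or None).
SAMPLE = {
    "alice": ("P@ssw0rd2020!", "P@ssw0rd2019!"),
    "bob": ("Tr0ub4dor&3-lobster-hinge", None),
    "carol": ("Summer2020", "Summer2019"),
    "dave": ("P@ssw0rd2020!", None),
}


def run_audit(sample=SAMPLE) -> dict:
    """Audit every user and return {user: findings}, including reuse across staff."""
    report = {user: audit_password(pw, prev) for user, (pw, prev) in sample.items()}
    shared = find_shared_passwords({u: pw for u, (pw, _) in sample.items()})
    for users in shared.values():
        for user in users:
            others = ", ".join(sorted(set(users) - {user}))
            report[user].append("shared with " + others)
    return report


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(f"{user}: {'OK' if not findings else '; '.join(findings)}")
```

The normalization step is the one that matters most in practice: a checker that only matches the denylist literally lets "P@ssw0rd2020!" through, even though a cracking rule set recovers it from "password" in a handful of guesses.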

The passwordless future is imminent — or is it?

In the near future, will concerns about weak and strong passwords become irrelevant, thanks to alternative forms of authentication such as biometric facial and fingerprint scans? Some cybersecurity experts don't buy the passwordless dream. "I don't think we'll ever be completely free of passwords," says Mackey of Synopsys CyRC. "Even when single sign-on or social media authentication paradigms are used, there remains a need to identify a user. While biometric solutions offer promise, such solutions are best employed as an additional factor in a multi-factor strategy."

Biometric authentication has its drawbacks, adds Juniper Networks' Global Security Strategy Director Laurence Pitt. "One disadvantage of biometrics is that they can be stolen just as easily as somebody can steal your credit card," he says. "Another disadvantage is that there are different environments in which these authentication methods just aren't feasible. This can lead people to default to password-only authentication, which isn't enough."

Internet of Things (IoT) devices add yet more complexity to the hope of a passwordless future, says Assaf Harel, chief scientist and co-founder at Karamba Security. "These devices often come with easy-to-guess or searchable default passwords. So, they can become a playground for many botnets, such as Mirai, that search for a passive fleet of devices to serve their distributed denial of service campaigns. IoT devices require a fresh look into how to integrate multifactor authentication into single-purpose devices to make botnet recruitment efforts much more difficult."

Yet some experts predict we're on our way to a passwordless future. "Change takes time, but I wouldn't be surprised if we eventually live in a passwordless world," says Peter Purcell, co-founder of EVAN360, a remote technology support platform. In the meantime, Purcell says security measures such as face and fingerprint scans, USB security keys and voice biometrics will increasingly give enterprises more advanced user authentication.

For example, Purcell points out that in 2017, Google started requiring all employees to use physical security keys instead of passwords and one-time codes. The company reported one year later that none of its employees had been successfully phished as a result.

Biometrics "will definitely free us from passwords and make authentication easier and more reliable," adds McAfee CIO Scott Howitt. "In the past, the problem with biometrics, such as facial recognition, was the amount of computer horsepower needed to run systems like that. Today, these systems run in the cloud and are fast and efficient. The key is that biometrics have to be easy to use as well as reliable. Users have to be able to trust that whatever biometrics they set up actually work to make their lives easier rather than harder."

Ultimately, the transition to "truly passwordless authentication is going to be a journey," says Jim Ducharme, RSA's vice president of identity and fraud and risk intelligence products. "Today, all passwordless authentication is rooted in and reliant on a password and username for account enrollment and recovery. While passwordless authentication such as face and fingerprint ID is common on many devices, accounts are still established with a password, and if your device is lost or stolen, the account is recovered using a password."

To achieve a passwordless world, then, we need an approach that considers credential enrollment, recovery and ways for users to securely authenticate on devices that don't support biometrics or Fast Identity Online (FIDO) capabilities.

"These new methods of authentication, combined with more secure enrollment and recovery mechanisms, and layered with risk-based authentication, are the keys to eliminating the use of passwords entirely," Ducharme says. "Or at least, they'll allow us to dramatically reduce the complexity of a password to look more like a simple four-digit PIN."

Copyright © 2020 IDG Communications, Inc.