One of the first steps to practising good cyber security is to have an effective password control policy in place, but a study of 2016’s most common passwords found that nearly 17% of users were safeguarding their accounts with ‘123456’.
Keeper Security‘s study of 10 million passwords that became public through data breaches that occurred in 2016 found that the list of most frequently used passwords has changed little over the past few years, meaning that user education has its limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
Four of the top 10 passwords, and seven of the top 15, were six characters or shorter. This is stunning in light of the fact that today’s brute-force cracking software and hardware can unscramble those passwords in seconds. The presence of passwords like ‘1q2w3e4r’ and ‘123qwe’ indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as ’18atcskd2w’ and ‘3rjs1la7qei on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favour by flagging this kind of repetition and reporting the guilty parties.
We can criticise all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.