Passwords really are just a nuisance – for you and Cybersecurity professionals. We’ve written about plenty of security-related topics in this blog and nothing makes people’s eyes roll more than the need for unique passwords across all of your online accounts. “Use a Password Manager to make the job easier!” we said… “No”, says just about everyone.
Unique passwords are a good idea because if one online system gets compromised, you won’t be granting easy access to another service. Check out what happened on the day Disney+ launched, all because so many people re-used their passwords.
So what’s the most popular (i.e. lease secure) password EVERY year since 2013? No it’s not ‘password’, that comes in at number 4. ‘qwerty’ is only at number 3. No, the champion of passwords is in fact ‘123456’. And its longer cousin comes in at number 2 ‘123456789’ according to SplashData’s top 25 most common passwords. SplashData’s list is based on the company’s analysis of millions of passwords leaked on the internet.
Some other highlights of the list include:
46 – nothing
40 – secret
24 – password1
14 – admin
8 – iloveyou
Clearly there’s a lot of romantics out there. Or maybe the people using that password are talking about Netflix? Who would know.
The problem with the list is that there’s no real change happening year-on-year with the list. For the best part of a decade simple passwords like these on the list have been found as the most commonly used in all data breaches.
Worst passwords of 2019
Here are SplashData’s most popular and therefore least secure passwords of 2019.
Compare this with other password lists from NordPass and the U.K.’s National Cyber Security Center show very similar findings. And a comparison to SplashData’s 2018 list shows not much change year over year.
Could we one day see a “passwordless future.”?
The problems with enterprise passwords
Businesses are increasing the use of multi-factor authentication (MFA) and single sign-on (SSO) services to bolster security. Nonetheless, Too many employees “still have poor password hygiene that weakens the overall security posture of their company,” according to the 3rd Annual Global Password Security Report (2019) from LogMeIn.
- 89% of consumers felt secure with their current password management and use habits
- however 61% used the passwords across multiple sites
Which age range re-used passwords the most? The answer may surprise you…
How many accounts does the average person have?
11% use the same password across ALL of their accounts.
49% re-use their passwords only for ‘non-sensitive’ accounts.
40% reckon they never reuse their passwords.
What about Multi-Factor Authentication (MFA)?
48% use it.
33% don’t know what it is.
“Passwords have traditionally been the first line of defense for companies, but they continue to cause frustration and risk,” says John Bennett, general manager of identity and access management at LogMeIn. “Even more, password sharing and reuse remains a common practice in most businesses, with employees reusing one password an average of 13 times.”
All told, the password problem brings significant risks to enterprises. Verizon’s 2019 Data Breach Investigations Report finds that 80% of data breaches can be traced to weak or compromised passwords.
Top tips to improve enterprise password security
Require the use of a password manager Password management applications for business users (such as 1Password, Dashlane and LastPass) really are the best method at present to reduce the risks that passwords pose to an individual and organisation. Password Managers are low-cost and easy to roll out, giving users the ability generate and store lengthy random passwords. You can also add a layer of Multi-Factor Authentication on top of the Password Manager to further secure your password vault.
One password to remember is a lot better than 130.
Require the use of MFA As above, if MFA is available for an online system that you use – please, please turn it on! You have a smartphone so use it as your MFA token along with your super-strong password. Nothings is 100% secure, but at least you won’t be the low hanging fruit.
Don’t let users create passwords with dictionary words Here’s one for the system admins – don’t allow your users to create passwords that have dictionary words in them. This system change forces users to create complex passwords – couple that with a Password Manager and a hacker is likely to move onto easier targets.
Educate users on what makes a password safe A safe password doesn’t appear anywhere else in the public realm (such as in dictionaries), doesn’t appear anywhere in private (such as other accounts users have), and contains enough random characters that it would take an eternity to guess the password, even when using brute-force or rainbow table techniques, says Archer.
Still need help? Call a Managed IT Service Provider like us.