The start of the New Year is always an interesting time in the security community. Out come the statistics and stories about the worst passwords and the most common ones chosen by online users during the previous year.
A recent story in the UK national press suggests that half of all online users worldwide use just 25 passwords between them -- and of course, none of the passwords are very secure and hackers could easily crack them.
In what seems like Groundhog Day the most common password is once again 123456, followed by 123456789 (so we can assume some popular websites asked for nine-characters).
It is sobering to see the word ‘password’ has dropped down the list from number 2 to number 8, so perhaps the warnings from the industry and online service providers are finally getting through!
The figures, based on 10 million hacked usernames and passwords, were released by a company that sells secure password managers and digital vaults for businesses and individuals.
Password managers have become increasingly popular over the last couple of years, not just with individuals, but also with business users. They store different, complex passwords for each website a user accesses, all locked away with a single master password.
The password manager recognises when a user accesses a site it knows about, and offers the option to fill in the username and password with the information it holds. This means users don’t need to know the passwords for different sites, which in turn means passwords can be very long, complex and difficult to crack.
Unfortunately, and not surprisingly, we’ve seen increased attacks on the password managers themselves and exposures of weaknesses within their systems. A popular password manager was hacked back in 2015 when attackers stole email addresses, password reminders and hashed password-related data, although it must be said that the passwords themselves appear not to have been breached.
This is not the first or last time that password managers will face major security issues, but perhaps the biggest security concern is still users themselves -- and that means us! The fact remains that anyone using a password as the sole means of authentication to a website, whether at home or at work, is putting himself or herself (and maybe their company) at risk.
Even using complex passwords, users should always take advantage of multi-factor authentication (MFA) to protect the password with another layer of security, and if a particular site doesn’t offer MFA, users should lobby the site to include the feature or move to another provider.
Rather than relying on password managers to mitigate the inherent weaknesses in passwords as a means of authentication, businesses should also invest in comprehensive identity management solutions that provide single sign-on (SSO) to all of their corporate applications and accounts, as well as incorporating MFA. Employees can have secure access to everything they need from wherever they are and, more importantly, do not need to store or remember any of their passwords.
Until passwords are finally consigned to the past, I look forward to reading 2017’s list of the most commonly used passwords to remind me just how predictable we all are.
Stop relying on just passwords and learn about MFA with this best practice brief.