The most popular passwords of 2015 have been labelled “dangerous” by security experts because of their simplicity.
The list of logins, put together by password management firm SplashData from lists of stolen passwords that appeared online, showed that the combination “123456” remains the most popular password among web users, followed by “password”.
IT security experts from AlienVault and MIRACL discuss the issue:
Javvad Malik, Security Advocate at AlienVault:
“These password lists illustrate how poor people typically are at choosing and remembering strong passwords. So, they will choose a simple to remember (and type) password and then reuse it on multiple sites.
For the vast majority of sites, the password is the only thing separating your private details from the rest of the world. A website or app can have implemented good security controls – but if the user password is weak, then that can undermine everything else.
The reason why these common passwords are so dangerous is that it gives an attacker an easy way to get into accounts. It’s similar to having a master key that you know will work on at least 10% of the houses on your street.
So rather than having to run a brute force against accounts – trying millions of password combinations to try and get in – I can take a small set of 25 or 50 passwords and try them against all the accounts. I’ll not only have a high success rate in getting in – but it’s more than likely that the same passwords would have been used across different websites.
This then becomes particularly dangerous as an attacker could take control of your Facebook, Twitter, email, banking – effectively your entire digital identity – with relative ease.
Beyond stating the obvious – “choose a strong password” – the following are some tips users can follow to help secure themselves:
- Use a password manager (LastPass, 1Password, KeePass etc.) to automatically generate and manage all your passwords.
- Enable two-factor or two-step authentication where possible, e.g. where you will need to enter your password and a code that is texted to your mobile phone.
- Some websites will offer additional controls or alerts every time you log on or change any details. Make sure these are enabled and follow up on any suspicious activity.”
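The pattern Malik describes – a short list of common passwords tried once or twice against many accounts, rather than many guesses against one – leaves a distinctive trace in authentication logs. The following is an added detection example, not code from the article or from AlienVault; the log format and the sample lines are constructed for illustration, and the window and account thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, result,
# username, source IP. One source tries five accounts once each; another
# hammers a single account (classic brute force, not a spray).
SAMPLE_LOG = """\
2015-01-20T10:00:01 FAIL user=alice src=203.0.113.7
2015-01-20T10:00:02 FAIL user=bob src=203.0.113.7
2015-01-20T10:00:03 FAIL user=carol src=203.0.113.7
2015-01-20T10:00:04 FAIL user=dave src=203.0.113.7
2015-01-20T10:00:05 OK user=erin src=203.0.113.7
2015-01-20T10:00:06 FAIL user=frank src=203.0.113.7
2015-01-20T10:05:00 FAIL user=alice src=198.51.100.9
2015-01-20T10:05:10 FAIL user=alice src=198.51.100.9
2015-01-20T10:05:20 FAIL user=alice src=198.51.100.9
2015-01-20T10:05:30 FAIL user=alice src=198.51.100.9
2015-01-20T10:05:40 FAIL user=alice src=198.51.100.9
"""

def parse(line):
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that failed against >= min_accounts distinct accounts
    inside `window`. Returns {src: {"sprayed": [...], "succeeded": [...]}};
    "succeeded" lists accounts that logged in OK from the same source,
    i.e. the ones to reset first."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, r, u, _ in evs if r == "FAIL"]
        # slide a window over this source's failures, oldest first
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                ok = sorted({u for _, r, u, _ in evs if r == "OK"})
                hits[src] = {"sprayed": sorted(users), "succeeded": ok}
                break
    return hits

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {info}")
```

Per-account lockout thresholds do not catch this pattern, since each account sees only one or two failures; counting distinct accounts per source is what makes it visible.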
Brian Spector, CEO of MIRACL:
“These are surely some of the easiest passwords to crack, even for the ordinary kid trying to get into their sibling’s Facebook account. A professional cyber criminal would simply laugh at them. Sadly, even though many people are now using a combination of letters and numbers, or substituting numbers for letters, passwords can’t protect your personal information or data.
“The IT industry needs to get over passwords altogether. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks. However, there are cryptographic security advancements available in the authentication space today that combine multi-factor authentication with excellent ease of use that delights customers. These protocols remove all the threats we have become so accustomed to reading about every week. Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space.”
About AlienVault: AlienVault’s mission is to enable organizations with limited resources to accelerate and simplify their ability to detect and respond to the growing landscape of cyber threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by threat intelligence from AlienVault Labs and the AlienVault Open Threat Exchange – the world’s largest crowd-sourced threat data network – AlienVault USM delivers a unified, simple and affordable solution for threat detection, incident response and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield & Byers, Institutional Venture Partners, GGV Capital, Intel Capital, Jackson Square Ventures, Adara Venture Partners, Top Tier Capital and Correlation Ventures.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.