Why do we continue to be stupid about passwords?
In what won't be a surprise to anyone who follows society's collective cybersecurity failures, a review of data breaches finds that the most commonly used passwords continue to be horribly insecure, and thus easy for would-be attackers to guess (see Why Are We So Stupid About Passwords?).
"If I were a CISO, I would issue password management software to every single one of my employees, together with instructions about how to use it."
Working with a list of 2 million passwords leaked via various 2015 data breaches, Los Gatos, Calif.-based password management software vendor SplashData reports that the top 10 password choices were the following:
Those password selections are virtually unchanged since 2014, SplashData notes. And while its latest top 25 list of passwords features some new entrants - "princess," "solo," "Star Wars" and "welcome," for starters - no one in their right mind would call any of those selections long or strong. As a result, they're cannon fodder for any hacker who's figured out how to wield dictionary-style brute force attacks.
The study is a reminder of the sad state of people's password choices, as well as organizations' failure to ensure that users are only allowed to pick relatively complex passwords. Then again, this collective failure has been revealed time and again, highlighting our inability to grasp the discipline known as OPSEC, which is how to keep secure that information that you most need to keep secure (see Top 10 Data Breach Influencers).
For example, after last year's hack of pro-infidelity dating site Ashley Madison, the attacker dumped gigabytes of stolen data, after which information security researchers recovered poorly encrypted passwords for 12 million of the site's users. They found that the top two choices - used by people who had signed up to an infidelity website - were "123456" and "12345." For anyone attempting to mask their indiscretions, for example from a spouse that might not sweat taking 30 minutes to test their partner's email address using a list of top 500 most-used passwords, that was a stupid move (see We're So Stupid About Passwords: Ashley Madison Edition).
But people making poor choices isn't new news. In fact, a 2014 study from cybersecurity firm Imperva found that the 5,000 most common passwords are used by 20 percent of all Internet users, that 30 percent of users pick passwords with fewer than seven characters, and that 50 percent of people opt for names or trivial passwords, such as "123456." In fact, that was also the top choice of users of RockYou, as revealed in its 2009 breach, which exposed 32 users' people's largely poor password choices.
Please: Use a Password Manager
What can be done? The short and simple security advice from many, many security experts is to write down different passwords for every site you use, so long as you can physically secure that list. To add an additional measure of security, also memorize, but don't write down, a short PIN code to append to each of those passwords.
Even better, however, is to use password management software. Such software makes it easy to generate and store a complex, long password for every site you use. That way, even if the site gets breached and the password dumped, attackers cannot reuse your password to log into other sites with your identity. Password management software can also be synchronized between your desktop, laptop and mobile devices, as well as with the cloud, to ensure that whenever you're using a computer, you can easily access required passwords.
If I were a CISO, I would issue password management software to every single one of my employees, together with instructions about how to use it.
Has your firm issued password management software to you?ï¿½ Mathew J Schwartz (@euroinfosec) January 20, 2016
Personally, I follow advice from Sean Sullivan, a security adviser at Helsinki-based security firm F-Secure, who recommends always using password management software, but never "on any untrusted laptop or desktop computer, where a keylogger may be present," such as the family PC.
Ditto advice from cryptography expert Matthew Green at Johns Hopkins University, who's voiced concern about the security of online password management services, leading me to choose to never store my passwords in the cloud.
Online password managers scare the crap out of me. https://t.co/U3ifwlRzzhï¿½ Matthew Green (@matthew_d_green) June 15, 2015
The above security principles aren't foolproof. That's why Javvad Malik, a security advocate at security firm AlienVault, also recommends activating two-factor or two-step authentication whenever it's available, because the added factor - typically a one-time code sent via SMS to your mobile device or generated using the Google Authenticator app - will add an extra layer of security, especially if an attacker does grab or guess your password.
So many information security failures these days are of the "smash and grab" variety, meaning attackers employ easy breach techniques, then steal what they can. Using complex passwords can make it more difficult for attackers to crack them. Using a unique password for each site also means that if the site falls to a breach, the damage will be more contained. Isn't making that happen a no-brainer?