If corporate America has learned anything from the huge number of login credentials exposed in 2016, it's that having a strong password is key.
With that said, it's more than a bit depressing to come across a study like the one completed by Keeper Security listing the 25 most common passwords in use (see left). The results are truly so sad that they must drive more than a few CISOs to their local bar.
The setup.
Keeper Security looked at 10 million passwords it found on the Internet, through legal means, and discovered that the top 25 most commonly used passwords are not only embarrassingly easy to guess but also make up the majority of those 10 million passwords.
The results posted included both corporate and private passwords, but Darren Guccione, co-founder and CEO of Keeper Security, said poor private password skills often influence how a person chooses his or her corporate passwords. In about 50 percent of the cases people re-use their personal passwords with their business accounts, he said.
With that noted, Guccione pulled no punches, saying corporations overall do a poor job policing their employees' password choices.
“In 2016 Keeper Security sponsored a survey conducted by the Ponemon Institute titled ‘The 2016 State of SMB Cybersecurity.’ 600 IT leaders were surveyed. The report found that 59% of SMBs have no visibility into employee password practices and hygiene. Furthermore, 65 percent of SMBs that have a password policy do not strictly enforce it,” he said.
In fact, the most common password, 123456 (sigh), was used in 17 percent of the cases. Luckily the second most used password was much more secure. Not. Yeah, oddly, 123456789 doesn't cut it. Same goes for qwerty, number three, or the word google, number 21.
Even the “good” passwords found on the list present a problem for the infosec industry. Passwords such as 1q2w3e4r, number 22, or 18atcskd2w, number 18, were likely created by bots to be used to post spam on forums. You know, the people who say their cousin is making $95 per hour working from home, even though the comment board you are on is discussing how the N.Y. Jets are terrible.
While the top handful of passwords on the 2016 list differed little from the previous year, there were several changes down near the bottom. The botnet-inspired passwords replaced simple words like football, starwars, princess and login.
Guccione and Keeper Security said it's not hard for corporations, or the private sector for that matter, to improve their password hygiene.
- Deploy a comprehensive password management solution. This has to be high on the to-do list, if not at the top. Why? Because all your employees use passwords. And research shows that, left to their own devices, most employees will do a poor job of proper, effective password management, thus leaving themselves and the business open to attack.
- Cybersecurity awareness training is extremely effective in today's threat environment. Having fewer employees to train is no excuse for a small business to omit it. Training will educate employees on the most common vulnerabilities and attack points.
- Learn where the business's data resides and how it's stored, and set up alerts in case an unauthorized person gains access.
- Hackers take the path of least resistance. Often the path of least resistance is employee-owned mobile devices. Don't allow any unencrypted data on mobile phones, whether company-owned or BYOD.
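The first recommendation, and the Ponemon finding that most SMBs with a password policy don't strictly enforce it, both come down to checking each new password against the kind of list Keeper Security published before accepting it. The following is an added example of such an enforcement check, not code from the article or from Keeper Security. The denylist contains only the entries the article names (a partial, constructed sample, not Keeper's full top 25); a real deployment would load a far larger list from a file. The 12-character minimum, the keyboard-row check and the `audit` helper are assumptions of this example.

```python
"""Enforce a common-password denylist before a password is accepted.

Added example, not from the article or from Keeper Security.
"""
from __future__ import annotations

# Partial, constructed sample: only the 2016 top-25 entries the article names.
COMMON_PASSWORDS: set[str] = {
    "123456", "123456789", "qwerty", "google",
    "1q2w3e4r", "18atcskd2w", "football", "starwars", "princess", "login",
}

# Rows of a US keyboard; a password that is just a run along one row
# ("qwerty", "123456") is guessable even if it were missing from the list.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(password: str) -> str:
    """Denylist matching is case-insensitive and ignores surrounding whitespace."""
    return password.strip().lower()


def is_keyboard_walk(password: str, min_len: int = 4) -> bool:
    """True if the whole password is a contiguous run along one keyboard row,
    in either direction (e.g. 'qwerty', '123456', '654321')."""
    pw = normalize(password)
    if len(pw) < min_len:
        return False
    return any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str,
                   denylist: set[str] = COMMON_PASSWORDS,
                   min_len: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    min_len=12 is this example's assumption, not a figure from the article.
    """
    pw = normalize(password)
    problems: list[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw in denylist:
        problems.append("appears on the common-password denylist")
    else:
        # 'Football2016Season!' is not on the list verbatim but is built on
        # a listed word; flag embedded entries of 6+ characters.
        for entry in sorted(denylist):
            if len(entry) >= 6 and entry in pw:
                problems.append(f"contains the common password '{entry}'")
    if is_keyboard_walk(pw):
        problems.append("is a keyboard-row sequence")
    return problems


def audit(passwords: list[str], denylist: set[str] = COMMON_PASSWORDS) -> float:
    """Fraction of a batch of candidate passwords that fail the policy.

    Useful when rolling a policy out: run it over the passwords users
    try to set and see how much of the population it would reject.
    """
    if not passwords:
        return 0.0
    failed = sum(1 for p in passwords if check_password(p, denylist))
    return failed / len(passwords)


if __name__ == "__main__":
    # Constructed sample input, not data from the Keeper study.
    sample = ["123456", "correct horse battery staple",
              "Football2016Season!", "qwerty"]
    for candidate in sample:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(f"rejected: {audit(sample):.0%}")
```

The check runs on the plaintext at the moment a user sets a password, which is the only point where a denylist can be applied; stored hashes cannot be screened this way. Returning every violation rather than the first lets the UI tell the user exactly why a choice was refused, which supports the awareness-training point as much as the enforcement one.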