New year, same old bad passw0rds

Jan 28, 2016

By Richard Allen, 7Safe Education Lead | 26 January 2016

It's early 2016, yet SplashData's fifth annual list of the 25 worst passwords, compiled from the millions of stolen passwords made public during 2015, proves that a lot of people (and organisations) still haven't learnt what makes a good password.

Despite the constant flow of news stories raising concern about cybersecurity and its implications, this list suggests that the majority of people still haven't improved their password strength. The two most popular passwords, "123456" and "password", have kept their positions at the top of the list, while many of the others are simple runs of consecutive digits or predictable choices such as "qwerty", "welcome", "letmein" and "login".

7Safe's penetration testing lead, Aleksander Gorkowienko, said: "Weak – and reused – passwords are regularly exploited by cyber criminals and can be easily cracked using off-the-shelf password hash-cracking software. Unfortunately 7Safe's penetration team still frequently find weak passwords, including some of those listed, when undertaking assignments for our clients." He added: "Passwords are the keys to your sensitive data when using websites, email accounts and your computer itself (via User Accounts). It is therefore essential, in order to protect yourself online, to create complex passwords for your online accounts. Most hackers bank on the fact that people will not choose passwords they have difficulty remembering, but will choose passwords which relate to their lives: the name of their pet, child, girlfriend, where they went on holiday, or model of car etc. A password must be easy for the owner to remember, yet resist intuitive cracking."
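To make concrete what "easily cracked using off-the-shelf hash-cracking software" means, here is an added example (not code from 7Safe or the article) of the simplest form of that attack: a dictionary attack against a list of unsalted SHA-1 hashes. The hash list and user names are constructed for the demo; the plaintexts are hashed in the block only so that it runs self-contained, and the attacker is assumed to hold only the hashes. The wordlist is the handful of entries the article names from the SplashData list, and the `mangle` rules (capitalise, append a digit or symbol) are a tiny stand-in for the rule sets real cracking tools ship with.

```python
import hashlib

# Constructed sample: user -> plaintext, used only to build the "leaked" hash list below.
# In a real breach dump an attacker sees just the hashes.
LEAKED_USERS = {
    "alice": "123456",         # top of the SplashData list
    "bob": "Password1",        # "password" with a capital and a digit: still weak
    "carol": "letmein!",       # listed word plus a symbol
    "dave": "Xk9#qLm2vR!p",    # not derivable from the wordlist; should survive
}
LEAKED_HASHES = {user: hashlib.sha1(pw.encode()).hexdigest()
                 for user, pw in LEAKED_USERS.items()}

# The six worst-password entries the article quotes from SplashData's list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "welcome", "letmein", "login"]


def mangle(word):
    """Yield the candidates a minimal cracking rule set derives from one base word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "!", "123", "2016"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(hashes, wordlist, algo="sha1"):
    """Dictionary attack on unsalted hashes.

    hashes:   mapping user -> hex digest (what a breach dump gives you)
    wordlist: base words to try, expanded by mangle()
    Returns user -> recovered plaintext for every hash that matched a candidate.
    Because the hashes are unsalted, every candidate is hashed exactly once and
    compared against all users at the same time: the cost does not grow with
    the number of victims.
    """
    targets = {}
    for user, digest in hashes.items():
        targets.setdefault(digest, []).append(user)   # several users may share a hash
    remaining = set(targets)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.new(algo, cand.encode()).hexdigest()
            if digest in remaining:
                for user in targets[digest]:
                    found[user] = cand
                remaining.discard(digest)
        if not remaining:
            break
    return found


if __name__ == "__main__":
    for user, pw in crack(LEAKED_HASHES, COMMON_PASSWORDS).items():
        print(f"{user}: {pw}")
```

Three of the four constructed accounts fall to six base words and eight trivial rules; only the password with no dictionary root survives. Salting would stop the one-hash-fits-all lookup, and a slow hash such as bcrypt would raise the cost per candidate, but neither helps a user whose password is on the list in the first place.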

So, how do you ensure your staff don’t put your organisation at risk with their poor password habits?

Strong passwords can be created in many ways, but some typical examples are to use an acronym of a phrase personal to you, a sentence from a favourite novel, or the first character of each line of a song.

e.g. the line "Tiger, tiger, burning bright in the forests of the night" becomes 1TTbbITfoTN$ (the first letter of each word, with a digit and a symbol added).

Some useful tips when constructing a password are:

• Make it unrelated to you personally: no names of spouses, children or pets, no birthdays or National Insurance numbers, and no number sequences.

• Make it 8 characters or longer; the longer the better.

• Include at least one number.

• Use upper and lower case letters.

• Put some symbols in (! $ £ & * etc.).

• Avoid common dictionary words and natural phrases. Remember: the shorter the password and the closer it is to a real word or sentence, the easier it is to crack, because those are the first candidates a cracking wordlist tries.

• Make all of your passwords different. Avoid re-using (recycling) passwords.

• Do not disclose your passwords to anyone else.
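The tips above amount to a password policy, and the quickest way to see where a candidate falls short is to encode them as checks. The following is an added example, not 7Safe's or the article's own tooling: `policy_failures` returns the list of rules a password breaks (an empty list means it passes), covering length, character classes, the six SplashData entries the article names, caller-supplied personal terms such as a pet's name, and runs of consecutive characters like 1234 or abcd. The `personal_terms` parameter and the common-password set are assumptions made for the demo.

```python
import string

# The six entries the article quotes from SplashData's worst-passwords list.
# A real deployment would load the full list (or a breached-password corpus).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "welcome", "letmein", "login"}

# string.punctuation is ASCII-only; the article's examples include the pound sign.
SYMBOLS = set(string.punctuation) | {"£"}


def has_run(s, n):
    """True if s contains n characters whose code points step by exactly +1 or -1
    (1234, abcd, 4321): the 'consecutive number' pattern the article warns about."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def policy_failures(password, personal_terms=(), min_length=8):
    """Return the article's tips that `password` breaks; [] means it passes.

    personal_terms: names, dates or other strings tied to the user (assumed input,
    e.g. from an HR record) that must not appear inside the password.
    """
    failures = []
    lowered = password.lower()
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("not mixed case")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    if lowered in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    for term in personal_terms:
        # Ignore very short terms so that initials do not trigger false positives.
        if len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains personal term '{term}'")
    if has_run(password, 4):
        failures.append("contains a sequence of 4+ consecutive characters")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the article's own example, a lightly mangled
    # dictionary word, the worst entry on the list, and a pet name plus year.
    for pw, terms in [("1TTbbITfoTN$", ()), ("Password1", ()),
                      ("123456", ()), ("Rex2016!", ("Rex",))]:
        print(f"{pw!r}: {policy_failures(pw, terms) or 'OK'}")
```

Note what the checker does and does not catch: the article's acronym example passes cleanly, "Password1" fails only on the missing symbol even though the earlier dictionary attack recovers it in a handful of guesses, and "Rex2016!" satisfies every character-class rule yet fails because the pet's name was supplied as a personal term. Composition rules alone are a weak filter; the common-password and personal-term checks are what actually remove the guessable candidates.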

It's also important to remember that one of the most important passwords you have online is your email account password, as it can be used to reset your other passwords. You should therefore also avoid using the same password for multiple websites, as this increases your exposure: should one of your accounts be successfully hacked, that password will be the first one tried against your other accounts. You can prevent a single compromise spreading to all of your accounts by making sure each one has a unique password.

Richard Allen is Education Business Development Manager at 7Safe, PA Consulting Group’s technical security practice based at the Cambridge Cyber Development Centre, which annually trains over 500 of the UK’s leading ethical hackers and digital forensics professionals.

Improve the overall security awareness of your employees. Our Hacking Insight for Managers and modular cyber awareness training courses can help your staff to recognise the threats they face both at work and in their personal lives, reducing both the likelihood and impact of a future security breach. Call 7Safe on 01763 285 285 to claim a Free Training Consultation to discuss how we can help your organisation improve the overall security awareness of your team.