
Apr 20, 2016

Who Thinks These Weak Passwords Are Funny? The Joke is On Us.

IT Security, Network Security Blog



We all know that password security is important, especially in an office. But our users' personal account passwords aren't always top-of-mind when we think about office network and data security. They ought to be, because every user survey I've ever seen scares the crap out of me. It should scare you too.

Security experts have been warning us for more than 20 years that the most common passwords people use online provide little to no barrier to intrusion. We collectively smirk and wonder who these silly people are who think they're securing their online accounts with such ridiculously simple passwords. "Stoopid people", right?

Well, the joke's on everyone who manages an office with users who access the office network at work or from home. Let me explain, but first, look closely at SplashData's

Annual List of the 25 Most Common Passwords Found in Leaked Password Files

(The ranking shown is SplashData's list for 2014, published in January 2015; the "Change" column compares each entry with its 2013 rank. The list is compiled from password files leaked in public breaches, not from accounts that were individually hacked.)

Yes, it looks just like the list of most common passwords we saw three years ago, and three years before that. Why aren't people "getting it"?

Rank  Password    Change from 2013
 1    123456      No change
 2    password    No change
 3    12345       Up 17
 4    12345678    Down 1
 5    qwerty      Down 1
 6    123456789   No change
 7    1234        Up 9
 8    baseball    New
 9    dragon      New
10    football    New
11    1234567     Down 4
12    monkey      Up 5
13    letmein     Up 1
14    abc123      Down 9
15    111111      Down 8
16    mustang     New
17    access      New
18    shadow      No change
19    master      New
20    michael     New
21    superman    New
22    696969      New
23    123123      Down 12
24    batman      New
25    trustno1    Down 1


If one of these passwords is yours, you might be an idiot.

Or maybe you're just like millions of other users who find strong passwords a hassle to remember. And you really believe your password is unique and hard to crack, right?

Well, it might surprise you how easy passwords really are to crack.


Just how easily ARE passwords cracked?

We found a number of password calculators online designed to show people how weak their passwords are. You type in a password and they estimate how long a brute-force attack would take to find it. One practical caveat: never type a password you actually use into a third-party website; test a made-up password of the same length and shape instead.

The first site, "How Secure Is My Password", shows how long it would take an attacker to brute-force your password. For example, it reports that almost any random string of 8 lowercase letters falls in about 7 seconds or less. Keep in mind that estimates like this assume an offline attack at a fixed guess rate against a leaked file of fast, unsalted hashes; a rate-limited online login is far slower, and a GPU rig against MD5 or SHA-1 hashes can be faster still.

Try it out yourself with passwords shaped like your favourites (not the real ones): https://howsecureismypassword.net/

(Better yet, share this post with friends and colleagues and suggest they try it out too).

If you are a more technical reader who wants more details, you might like GRC’s Interactive Brute Force Password “Search Space” Calculator here: https://www.grc.com/haystack.htm

Here is what I found at “How Secure Is My Password” with what might look like a pretty safe mix of letters and numbers:

(Screenshots of the calculator's results are not reproduced here; their captions, in order, were:)

    Forget using number sequences

    Six mixed characters were used too

    Adding a special symbol didn't help much

    Changing 1 letter to CAPS is better, but still bad

    Adding an 8th character helps a little more

    Then 9 mixed characters was a lot more effective

 

However, to an attacker 3 hours or 6 hours is nothing: cracking software runs unattended on GPU hardware or on a botnet of hijacked "zombie" computers, and it's all automated.

For a secure password, you need a minimum of 9 characters with mixed CAPS, numbers and special symbols, and longer is better: each extra character multiplies the search space by the size of the character set, which adds far more than swapping in one more symbol class does. And no length helps a password that is on a list like the one above, because those are tried first.
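To make the calculators' arithmetic concrete, here is an added example (written for this post, not taken from either calculator site) that reproduces their brute-force model: the search space is the character-set size raised to the length, and the expected crack time is half that space divided by an assumed guess rate. The three guess rates are assumptions chosen to illustrate an online rate-limited login, a GPU attacking a fast unsalted hash, and the same GPU attacking a deliberately slow hash; they are not measurements. Anything on the SplashData table above, with or without a trailing digit or symbol, is given a search space of zero, since a dictionary attack finds it before any brute force starts.

```python
import string

# Assumed guess rates (guesses per second) for the worked example; illustrative, not measured.
RATE_ONLINE_THROTTLED = 10                   # a web login that rate-limits attempts
RATE_OFFLINE_GPU_FAST_HASH = 10_000_000_000  # a GPU rig against unsalted MD5/SHA-1
RATE_OFFLINE_SLOW_HASH = 10_000              # the same rig against bcrypt/scrypt-style hashes

# The 25 entries from the SplashData table above. Anything on a list like this is
# tried first, so its effective search space is zero regardless of length.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
}


def charset_size(password):
    """Size of the smallest standard character set covering every character.

    This is the calculators' assumption: the attacker must try every combination
    drawn from the character classes the password actually uses.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if any(c in string.whitespace or c not in string.printable for c in password):
        size += 1  # space or non-ASCII: conservatively counted as one extra symbol
    return size


def search_space(password):
    """Number of candidates a brute-force attacker must consider."""
    lower = password.lower()
    core = lower.rstrip(string.digits + string.punctuation)  # "Mustang1" -> "mustang"
    if lower in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return 0
    return charset_size(password) ** len(password)


def seconds_to_crack(password, rate):
    """Expected time to hit the password: on average half the space is searched."""
    return search_space(password) / 2 / rate


def humanize(seconds):
    """Render a duration the way the calculators do, e.g. '10.4 seconds'."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(password):
    """Crack-time estimate for one password under each attacker model."""
    return {
        "charset": charset_size(password),
        "search_space": search_space(password),
        "online_throttled": humanize(seconds_to_crack(password, RATE_ONLINE_THROTTLED)),
        "offline_fast_hash": humanize(seconds_to_crack(password, RATE_OFFLINE_GPU_FAST_HASH)),
        "offline_slow_hash": humanize(seconds_to_crack(password, RATE_OFFLINE_SLOW_HASH)),
    }


if __name__ == "__main__":
    # Constructed sample passwords, one per shape discussed above.
    for pw in ("123456", "Mustang1", "abcdefgh", "Xq7!mLp2#", "correcthorsebatterystaple"):
        print(f"{pw!r:30} {report(pw)}")
```

Two things this shows that the screenshots do not: 8 random lowercase letters (26^8 candidates) fall in about 10 seconds at the assumed GPU rate but would take centuries against a rate-limited login, and a random 9-character mix of all four classes (94^9) is beaten by a random 13-letter lowercase string (26^13), which is why length counts for more than symbols. The model is still only brute force: a word with a digit appended, such as "Mustang1", is rated at zero here, but a real cracking tool would also find "Mustang1!" or "M0nkey2016" in seconds through dictionary rules, so treat the numbers as upper bounds.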

 

Okay, so most of you still reading are thinking “DUH! I knew this a long time ago”.

 

What I’d like to know is, of the more than 2 million people in North America who DID have a password hacked last year, how many work in your office?

 

This is a relevant question. Why?

If someone in your office is not using a strong password, they are at risk of being hacked. But maybe you're not worried, because we're talking about some other Jack's personal online accounts, right?

Well, here's another scary fact: attackers aren't after anyone's Facebook account for fun. Their endgame is access to ALL of that person's accounts: bank accounts, email, PayPal, credit cards and more.

Attackers know that most people reuse a single password, or a variation of it, across their online accounts. Once they have one working username and password pair, they feed it to automated tools that try the same combination on tens of thousands of consumer and corporate websites. This is known as credential stuffing, and password reuse is exactly what makes it work.

Just as important, they'll find out where that person works, because they want access to your company network too. A reused password is an easy way in, and once inside they can recruit machines into a botnet, install viruses and other malicious software, including ransomware (the fastest growing area of cybercrime today).
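Credential stuffing has a recognisable shape in your own login logs: one source address walking through many different usernames, mostly failing, with the occasional success where a user reused a leaked password. The following is an added detection example (written for this post, not a product or a tool from the original article) that parses a constructed login log and flags that pattern. The log format, the field names, the IP addresses (from the documentation ranges) and the thresholds are all assumptions; adjust them to whatever your web server or identity provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not a real capture), one line per attempt.
# 203.0.113.7 behaves like a credential-stuffing source: six usernames in ten
# seconds, one of which (frank) reused a leaked password and succeeded.
SAMPLE_LOG = """\
2016-04-19T10:00:01 ip=198.51.100.4 user=alice result=FAIL
2016-04-19T10:00:09 ip=198.51.100.4 user=alice result=OK
2016-04-19T10:01:00 ip=203.0.113.7 user=alice result=FAIL
2016-04-19T10:01:02 ip=203.0.113.7 user=bob result=FAIL
2016-04-19T10:01:04 ip=203.0.113.7 user=carol result=FAIL
2016-04-19T10:01:06 ip=203.0.113.7 user=dave result=FAIL
2016-04-19T10:01:08 ip=203.0.113.7 user=erin result=FAIL
2016-04-19T10:01:10 ip=203.0.113.7 user=frank result=OK
2016-04-19T10:05:00 ip=192.0.2.9 user=bob result=FAIL
2016-04-19T10:05:30 ip=192.0.2.9 user=bob result=FAIL
2016-04-19T10:06:00 ip=192.0.2.9 user=bob result=FAIL
"""

# Assumed log line format; real logs will need their own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, result) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return sorted(events)


def find_credential_stuffing(events, window=timedelta(minutes=10),
                             min_distinct_users=5, min_failure_ratio=0.8):
    """Flag source IPs that try many *different* usernames in a short window.

    A user mistyping their password gives one username and a low failure ratio;
    a brute force on one account gives one username and many failures; credential
    stuffing gives many usernames, mostly failing, with occasional successes.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep [start, end] in the window
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_distinct_users and failures / len(win) >= min_failure_ratio:
                rec = flagged.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                              "failures": 0, "compromised": set()})
                rec["attempts"] = max(rec["attempts"], len(win))
                rec["distinct_users"] = max(rec["distinct_users"], len(users))
                rec["failures"] = max(rec["failures"], failures)
                # accounts the attacker actually got into: these need a forced reset
                rec["compromised"].update(e[2] for e in win if e[3] == "OK")
    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, only 203.0.113.7 is flagged, and the record names frank as the account that needs an immediate password reset and a look at what was done in the session. The single-account brute force from 192.0.2.9 is deliberately not caught by this rule; it needs a separate per-account lockout or failure-count rule.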

 

So here’s the point — If we want to strengthen our networks against some common hacker intrusion methods, we need to start teaching our users safe password habits for work and at home.

Because for many corporate hackers, access begins at home. 

 

How to protect your company networks from stupid and lazy passwords

 

Netcotech’s Top Four IT Tips for Password Security

1. Enforce a Strong Password Policy

The first line of defence against simple intrusions is to enforce a strict password policy on your own network: require complex passwords with letters, numbers and symbols, at least 9 characters long, and reject anything on a list of known-leaked passwords such as the one above. Then have users change those passwords regularly, and immediately whenever a password is suspected to have leaked or been reused on another site. One caveat from experience: forced frequent changes tend to produce predictable increments (Password1, Password2), so the length rule and the blocklist do more work than the rotation interval. If you're not doing this today, make a note right now to discuss it at your earliest convenience.

 

2. Use Two-Factor Authentication (2FA) for more secure access

Two-factor authentication adds a second, independent proof of identity, so that a stolen or guessed password on its own is not enough to get in.

The password is the first factor (something the user knows). The second factor must be something only the user has (a one-time code from an authenticator app or hardware token, or a code sent to their phone) or something they are (a fingerprint). A PIN is another thing the user knows, so a password plus a PIN is not true two-factor authentication. TechTarget has a good description of 2FA on its website.

 

3. Educate network users on the importance of strong passwords for personal accounts too

It's up to all of us to teach employees and other network users safe internet habits, for work AND for personal use, especially because their poor passwords put our own network security at risk. According to the evidence, we're obviously not doing a good job of that yet.

Safe password habits for everyone include:

DO NOT use weak, easy-to-guess passwords or simple sequences on any business or personal website;

DO NOT write passwords down and leave them where others can copy them;

DO NOT share any password with anyone, ever;

DO create passwords at least 9 characters long that include caps, numbers and special symbols;

DO create a different password for every site;

DO change passwords regularly, and immediately if a site you use reports a breach.
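Tip 1 asks you to enforce the policy on your network and the habits above ask users to follow it by hand; the two meet in the check a login or password-change form runs before it accepts a new password. The following is an added example of such a check (written for this post, not code from the original article or from any product it names). It applies the post's own rules, at least 9 characters from all four character classes, and adds the checks a practitioner would want alongside them: the SplashData list as a blocklist after undoing trailing digits and common letter-for-symbol substitutions, keyboard and numeric sequences, repeated characters, and the username. The rule names and the leet mapping are my own choices; a real deployment would swap the 25-entry list for a much larger leaked-password list.

```python
import re

MIN_LENGTH = 9  # the post's minimum; longer is better

# The 25 entries from the SplashData table above. Replace with a large
# leaked-password list (hundreds of thousands of entries) in production.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
}

# Keyboard rows and ordered runs people lean on, checked forwards and backwards.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
             "abcdefghijklmnopqrstuvwxyz"]
SEQUENCES += [s[::-1] for s in SEQUENCES]

# Common letter-for-symbol substitutions, undone before the blocklist lookup
# (assumed mapping: 0->o 1->l 3->e 4->a 5->s 7->t @->a $->s !->i).
LEET = str.maketrans("013457@$!", "oleastasi")


def _candidates(password):
    """Forms compared against the blocklist: lowercased as typed, with leading and
    trailing digits/symbols stripped ("Mustang2016!" -> "mustang"), and with
    leet substitutions undone ("P@ssw0rd" -> "password")."""
    lower = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    return {lower, core, core.translate(LEET), lower.translate(LEET)}


def check_password(password, username=None):
    """Return the list of policy rules the password breaks (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if not all(classes):
        failures.append("missing_character_class")
    if _candidates(password) & COMMON_PASSWORDS:
        failures.append("common_password")
    lower = password.lower()
    if any(lower[i:i + 4] in seq for seq in SEQUENCES for i in range(len(lower) - 3)):
        failures.append("sequence")
    if re.search(r"(.)\1\1", password):
        failures.append("repeated_characters")
    if username and username.lower() in lower:
        failures.append("contains_username")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, one per habit in the list above.
    for pw, user in (("123456", None), ("Qwerty123!", None), ("P@ssw0rd1!", None),
                     ("Mustang2016!", None), ("Alice2016!!", "alice"),
                     ("Xq7!mLp2#Rz", None)):
        print(f"{pw!r:16} {check_password(pw, user) or 'accepted'}")
```

Note what the complexity rule alone would miss: "Qwerty123!", "P@ssw0rd1!" and "Mustang2016!" all satisfy "9+ characters, four classes", and all three are instant finds for a cracking tool with a wordlist and a handful of rules. Returning the reasons rather than a bare yes/no lets the form tell the user which habit they broke, which is the education tip 3 is asking for.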

 

4. Recommend or provide a Password Manager for all your users — make it easy

A password manager is an application that stores and organizes a user's passwords behind one strong master password, and most will also generate a unique random password for each site and fill it in at login, so there is no need to remember or reuse anything. They can be cloud based, self-hosted on a server, or a personal desktop or smartphone app.

You should also know there are personal password managers for individual and private use; and there are other password managers with features designed more for corporate, project teams and enterprise use.

Since there is such a large variety of them, with different strengths and weaknesses, it pays to do a little research first.

 

Password Managers for Business Use

Here is an excellent comparison of password managers for corporate and enterprise users (published in 2015 but still a good resource)

http://www.darkreading.com/endpoint/10-password-managers-for-business-use/d/d-id/1322326

From our own experience we can recommend these two apps for most companies to try out:

www.teamsid.com

www.commonkey.com

Password Managers for Personal Use

For individuals, employees, private users and everyone else, Consumer Affairs has a great up-to-date review of the Top 10 Best Rated Password Managers. Most are inexpensive and some are free.

https://www.consumeraffairs.com/internet/password-managers/
