The 123 of password setting

By Stuart Fuller


Technology moves on at a frightening pace, yet some aspects never change, such as the number of people who continue to use insecure passwords to access their important and confidential data. The good news is that a number of organisations, including most major banks, now insist on much higher levels of password complexity, because they also have to protect themselves from weak, compromised customer passwords. The 84-page Payment Services Regulation (2009) outlines the liability of both consumers and financial institutions in the case of unauthorised access. Whilst by law a customer is due compensation if they notify their bank of an unauthorised payment "without undue delay", fraud losses will not be reimbursed if a customer is deemed to have acted "negligently" with their details or fails to report the loss quickly enough. To remove any ambiguity, creating (and securely storing) a complex password is simple good practice.

Whilst banks have implemented minimum password standards, many popular applications such as email, social media and online shopping, where users in many instances have free rein to create their own logins, are regularly targeted by cyber criminals. Gaining access to an email account can lead to a whole host of issues, allowing criminals to reset passwords for other applications and even take control of digital assets such as domain names and websites.

In their annual report, SplashData have published the list of the most popular passwords of 2015. They created their list from published data relating to security breaches in the US and Europe, including the very high-profile incident involving the controversial adult dating site Ashley Madison, where it was revealed that the most common passwords were very simple and guessable.

For the 5th year in a row the password "123456" was the most common in their analysis of data breaches, closely followed by "password". Both of these were also among the most common in the millions leaked after the Ashley Madison hack. Consecutive numbers feature highly in the rest of the top ten with "12345", "1234", "1234567", "12345678" and, of course, the most popular nine-digit one, "123456789". Letter-only ones include "qwerty" and two new entries into the top 10 this year, "football" and "baseball".

The highest new entry on the list is "welcome" at number 11, whilst some people have gone for topical (or perhaps retro) options, with "Starwars" at number 25, "solo" at 23 and "princess" at 21. There has been some attempt to add a bit of complexity to passwords, but even those are relatively easy to guess, such as "1qaz2wsx" (look at the positioning of the keys on your keyboard) or the token jesters' "passw0rd".

Organisations that require users to log into secure systems should be moving to introduce more complex password requirements, including a mixture of letters, numbers and special characters, whilst every Internet user should adhere to three simple rules governing the use of passwords:

  1. Do not use the same password for every application or website and where possible use a completely different set of characters;

  2. Use a password management system such as Teamsid that can also generate random passwords for you;

  3. If you have any suspicions that your password has been compromised change it immediately and notify the organisation that it relates to;
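As an added example (not part of the original article), the following Python policy check rejects the weak patterns described above: entries on the common-password list, leet-speak variants such as "passw0rd", keyboard walks such as "1qaz2wsx", digit runs such as "123456", and passwords lacking the letters/numbers/special-characters mix. The short denylist and the 12-character minimum are assumptions constructed for this example, not SplashData's full list or any organisation's actual policy.

```python
import re

# Constructed denylist built from the passwords named in the article; a real
# deployment would load SplashData's full list or a larger breach corpus.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "1234", "1234567", "12345678",
    "123456789", "qwerty", "football", "baseball", "welcome",
    "starwars", "solo", "princess", "1qaz2wsx", "passw0rd",
}

# Undo common leet substitutions so "passw0rd" and "p@ssword" map back to "password".
LEET = str.maketrans("0134$@!", "oleasai")

# QWERTY rows and columns, used to spot keyboard walks like "1qaz2wsx" and "qwerty",
# plus the digit row and alphabet for sequential runs like "123456".
SEQUENCES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p",
    "abcdefghijklmnopqrstuvwxyz",
]
MIN_LENGTH = 12  # assumption for the example; the article sets no figure

def _has_sequential_run(s, length=4):
    """True if any `length`-character window of s (forwards or reversed) lies on a sequence."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if any(chunk in seq or chunk[::-1] in seq for seq in SEQUENCES):
            return True
    return False

def check_password(pw):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS or lowered.translate(LEET) in COMMON_PASSWORDS:
        problems.append("common password")
    if _has_sequential_run(lowered):
        problems.append("keyboard walk or sequential run")
    if len(pw) < MIN_LENGTH:
        problems.append("too short (minimum %d characters)" % MIN_LENGTH)
    has_letter = re.search(r"[A-Za-z]", pw)
    has_digit = re.search(r"\d", pw)
    has_special = re.search(r"[^A-Za-z0-9]", pw)
    if not (has_letter and has_digit and has_special):
        problems.append("needs letters, numbers and special characters")
    return problems
```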

Finally, if you are using one of the most common passwords, change it immediately.  It takes seconds to do and will mean you become part of the data security solution and not the data breach problem.