Happy World Password Day

Stuart Fuller

In recognition of World Password Day it is worth everyone just taking a moment to reflect on whether we are helping or hindering the work of cyber criminals who try to breach secure systems on an hourly basis. I remember working for an organisation where every new starter was given the same password and never encouraged or prompted to change it. Whilst the actual password was a relatively secure mix of letters and numbers, the fact that everyone knew each other’s log in credentials was dangerous to say the least.

Fortunately, time has moved on and most organisations now have data security policies in place that now force users to adopt a particular style of password and change it (and not just changing the number at the end) on a regular basis. Ironically, on such as auspicious day, the media are reporting a potential security breach with millions of alleged usernames and passwords to a number of well-known web-based email clients being revealed online by hackers.

Technology moves on at a frightening pace yet some aspects never change such as the number of people who continue to use insecure passwords to access their important and confidential data. The good news is that a number of organisations, including most major banks, now insist on much higher levels of complexity of passwords because they also have to protect themselves from weak compromised customer passwords. The 84 page Payment Services Regulation (2009) outlines the liability for both consumers and financial institutions in the case of unauthorised access. Whilst by law, a customer is due compensation if they notify their bank of an unauthorised payment "without undue delay", fraud losses will not be reimbursed if a customer is deemed to have acted "negligently" with their details or fails to report the loss quickly enough. To stop any ambiguity, creating (and securely storing) a complex password is simple good practice.

Whilst banks have implemented minimum password standards, many popular applications such as email, social media and online shopping where users have free reign in many instances to create their own logins, are regularly targeted by cyber criminals. Gaining access to an email account can lead to a whole host of issues, allowing criminals to reset passwords for other applications and even take control of digital assets such as Domain Names and websites.

In their annual report, Splash Data have published the list of the most popular passwords in 2015. They have created their list from published data relating to security breaches in the US and Europe, including the very high profile incident involving controversial adult dating site Ashley Madison, where it was revealed that the most common passwords were very simple and guessable.

For the 5th year in a row the password "123456" was the most common in their analysis of data breaches, closely followed by "password". Both of these were also two of the most common featured in the millions leaked after the Ashley Madison hack. Consecutive numbers feature highly in the rest of the top ten with "12345", "1234", "1234567", "12345678" and of course the most popular nine digit one, "123456789". Letter only ones include "qwerty" and a new entries into the top 10 this year "football" and "baseball".

The highest new entry onto the list is at number 11 with "welcome" whilst you can see some people have gone for topical options (or perhaps a retro one) with "Starwars" in the list at number 25, "solo" at 23 and "princess" at number 21. There has been some attempt to add a bit of complexity into passwords but even those are relatively easy to guess such as "1qaz2wsx" (look at positioning of keys on your keyboard) or the token jesters such as "passw0rd".

Organisations that require users to log into safe and secure systems should be thinking about moving to introduce more complex password requirements, which include a mixture of letters, numbers and special characters, whilst every Internet user should adhere to three simple rules governing the use of passwords:-

1. Do not use the same password for every application or website and where possible use a completely different set of characters; remember to change each and every password regularly.

2. Use a password management system such as Teamsid that can also generate random passwords for you. Never store your passwords in plain view such as a notebook or an unprotected excel sheet.

3. Never reveal a password to a third party in person – such as over the phone or in an unencrypted email. Most organisations that require you to confirm your identity will ask for random characters from the password. If you have any suspicions that your password has been compromised change it immediately and notify the organisation that it relates to;

Finally, if you are using one of the most common passwords, change it immediately. It takes seconds to do and will mean you become part of the data security solution and not the data breach problem.