Each year, various groups release updated lists of the most common passwords found among the millions exposed to the public as a result of data breaches.
Sadly, many extremely weak passwords remain stubbornly popular – “123456,” for example, has been one of the most commonly used (and, at times, the single most common) passwords found in stolen-credential dumps for at least half a decade.
In fact, a recent report by the United Kingdom’s National Cyber Security Centre showed that all ten of the most common passwords found in databases of stolen credentials are extremely weak. Those passwords – 123456, 123456789, qwerty, password, 1111111, 12345678, abc123, 1234567, password1, and 12345 – may seem so obviously problematic as to preclude their use by any intelligent person, but, clearly, if large numbers of people were not using them they would not appear many tens of millions of times (yes, you read that number correctly) in databases of known stolen passwords.
Naturally, hackers are aware of people’s proclivity to use such weak passwords; the passwords listed above and other similarly weak combinations are typically among the first guesses made by password-cracking and brute-forcing tools when attackers attempt to gain unauthorized entry into systems and networks.
The research performed by the United Kingdom’s National Cyber Security Centre, however, showed quite clearly that many far-less obvious passwords are quite common – and quite problematic.
Despite repeated advice from experts not to use them as passwords, common first names such as ashley and michael (note: lower case is intentionally used for all passwords specified in this article) can each be found more than 400,000 times in databases of stolen passwords, with names such as daniel, jessica, and charlie following not far behind.
Likewise, the names of superheroes such as superman and batman, and of other fictional characters such as tigger, naruto, and pokemon, were each used hundreds of thousands of times as passwords on systems that suffered breaches leading to password disclosures.
And music fans apparently chose passwords based on their likes as well. The passwords blink182, 50cent, eminem, metallica, and slipknot, for example, together were used, and breached, almost a million times.
There are, of course, multiple problems with such passwords. In many cases, they are guessable by anyone who knows the user – or who looks at the user’s public social media posts. If a user has shared that he has a girlfriend named Ashley, for example, anyone trying to break into his accounts is likely to try various permutations of Ashley (varying capitalization, appending digits or symbols, and so on) as a password.
More important, however, is that hackers know to try common values for common types of passwords – a hacker targeting a system in an English-speaking country, for example, is likely to feed a list of common male and female first names as candidate passwords during an attempt to breach the system.
Aggravating the situation is password reuse. Criminals know that people commonly reuse passwords, so they routinely replay username-password combinations stolen from one system against another system. Launching such an attack requires surprisingly little effort: nearly the entire process can be carried out by automated “credential stuffing” tools armed with the same databases of compromised credentials that security researchers use to analyze password choices.
Just this week, within hours of the launch of the Disney+ video streaming service, login credentials for the service surfaced on the dark web; as the service itself appears not to have been hacked, it is believed that criminals obtained the credentials simply by replaying username-password combinations that had leaked in other breaches and that subscribers had reused for Disney+.
It is imperative, therefore, that organizations enforce smart password policies – strong passwords can be achieved without mandating complicated random strings of characters that users are likely to reuse or write down. And, as part of those policies, organizations should prohibit – and technically enforce the prohibition of – the use of any password, or any username-password combination, that has previously been exposed through a breach.
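The following Python checker is an added example, not code from the article or from Specops, of how such a policy can be enforced at password-change time. It rejects passwords found in a breach list and also catches the permutations the article describes (Ashley2019!, P@ssw0rd1) by folding case, undoing common leet substitutions and stripping a trailing run of digits and symbols before the lookup. The breach list is constructed from the entries the article quotes; the index is keyed by 5-character SHA-1 prefix the way Have I Been Pwned's Pwned Passwords range API works, so a real deployment could swap the local lookup for that service without the candidate password ever leaving the host. The minimum length of 8, the leet table and every function name here are assumptions for illustration.

```python
"""Password-policy checker that rejects known-breached and trivially guessable
passwords. Added example; not code from the article or from Specops.

The breach list below is constructed from the entries the article quotes. A
real deployment would back it with a full corpus (e.g. Pwned Passwords); the
index is keyed the way that service's range API is, so only a 5-character
SHA-1 prefix would need to leave the checking host.
"""
import hashlib
import re

# Constructed denylist: the NCSC top ten plus the names and fandom picks quoted
# in the article. Real corpora hold hundreds of millions of entries.
BREACHED_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "1111111", "12345678",
    "abc123", "1234567", "password1", "12345",
    "ashley", "michael", "daniel", "jessica", "charlie",
    "superman", "batman", "tigger", "naruto", "pokemon",
    "blink182", "50cent", "eminem", "metallica", "slipknot",
}


def sha1_hex(text):
    """Upper-case hex SHA-1, the form Pwned Passwords publishes."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Map 5-hex-char prefix -> set of 35-hex-char suffixes (k-anonymity bucket)."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_index(BREACHED_PASSWORDS)


def range_lookup(prefix, index=BREACH_INDEX):
    """Local stand-in for a range query: given only a 5-char prefix, return every
    suffix in that bucket. The caller does the final comparison itself, so the
    full hash (and the password) is never disclosed to the lookup service."""
    return index.get(prefix, set())


def is_breached(password, index=BREACH_INDEX):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], index)


# Substitutions cracking tools routinely undo (assumed table): p@ssw0rd -> password
LEET = str.maketrans("@$013!", "asoiei")


def candidate_forms(password):
    """The variants a cracking tool tries around a base word: case folded,
    leet-decoded, and with a trailing run of digits/symbols removed
    (Ashley2019! -> ashley). Each form is checked against the breach index."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)
    forms = {password, lower, lower.translate(LEET)}
    if stripped:
        forms.add(stripped)
        forms.add(stripped.translate(LEET))
    return forms


def check_password(password, username="", min_length=8):
    """Return the list of policy violations; an empty list means acceptable.
    min_length=8 follows the NIST SP 800-63B floor and is an assumption here."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    for form in sorted(candidate_forms(password)):  # sorted for determinism
        if is_breached(form):
            reasons.append(f"matches breached password '{form}'")
            break
    return reasons


if __name__ == "__main__":
    for user, pw in [("alice", "123456"), ("bob", "Ashley2019!"),
                     ("carol", "P@ssw0rd1"), ("michael", "michael2020"),
                     ("dave", "correct horse battery staple")]:
        verdict = check_password(pw, username=user) or ["ok"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

To move beyond the constructed list, replace range_lookup with an HTTP GET of https://api.pwnedpasswords.com/range/<prefix> (the real Pwned Passwords endpoint, which returns suffix:count lines for that bucket); the comparison logic is unchanged. Note that this check works on cleartext at password-change or login time; auditing already-stored, salted hashes instead means hashing the breach list under each user's salt, which is exactly the dictionary attack a cracker would run and is what dedicated auditing tools automate.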
This article is sponsored by Specops, which offers a FREE password auditor that will warn you if people are re-using on your system any passwords that have been compromised in known breaches. To download the free tool, please visit: https://specopssoft.com/product/specops-password-auditor/