In 2014 and 2015, breach after breach led to a torrent of numbers and statistics. Two million passwords leaked here, another million there… It all adds up! But as it happens, outright theft of password databases may not be the most significant threat. Weak passwords and careless password handling are worse, because attackers don't have to break in and steal those: they can guess them with an automated tool working from a list of the most common passwords, or simply wait for a user to hand one over. Here are the top problems with weak passwords.
A user writes a password on a sticky note, hands it to a friend, and the friend throws it away. But where does it go? Identity thieves and other criminals are notorious for dumpster diving, and a discarded note with a password on it is exactly what they are looking for.
According to SplashData's annual list, the worst passwords barely change from year to year; the top two, 123456 and password, have held the same positions for several years running. This means that not only are folks choosing really bad passwords, they're keeping the same really bad passwords for years, compounding the problem. And the winners (losers?) are…
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
In addition to selecting terrible passwords to begin with, users tend to pick one they can remember and stick with it for, oh, a decade or three. This means that once a password is compromised, it threatens that user for as long as it stays in use. Worse, people often use the same password for everything: logging into your network, using your applications, checking in on Facebook, posting to Instagram, and even accessing their online banking. So when one of those sites is breached and its password list leaks (this is where the leaked passwords in the opening paragraph come from), attackers try the same username and password combinations everywhere else, a technique known as credential stuffing, and your network, systems, and applications fall with it.
Even if a user develops a relatively strong password for each system they access, it's all too common for the user to share the password with someone else, "just this one time." The admin who hands a user their own admin password so something important gets done for a manager, the user who helps out a coworker who doesn't have access to a particular system: the situations are too numerous to mention. But once a password has been shared or written down, it can easily get into the wrong hands or be abused by the person it was shared with. The problem is compounded if the same password is used for other accounts and if it isn't changed promptly afterward.
A common mistake when users do get serious about strong, varied passwords is the dreaded "password document": a plain spreadsheet or text file, prominently named "passwords", so that anyone who gets hold of it (especially if it's synced to a public cloud share) has all the keys to every kingdom. Don't name the file "passwords", and don't use the word inside it as a column or field name either; something meaningless like "favorite movies" or "to do list" or "zipperwags" at least won't show up when an intruder searches a file share for the obvious. But renaming is obfuscation, not protection: a plaintext file called "zipperwags" is still a plaintext file. The real fix is a password manager, which keeps the same inventory in an encrypted vault behind one strong master password.
While the silly ways that people develop and use weak passwords may be humorous, if you're in charge of network security they are anything but funny. Password management software helps on the technical side: a policy engine can enforce a minimum length and reject any password that appears on a known-bad list like the one above, and a password manager removes the excuse for reusing one password everywhere. Forcing password changes on a fixed schedule, once standard advice, is no longer recommended by NIST (SP 800-63B) because it pushes users toward predictable variations of the old password; instead, require a change as soon as there is evidence a password was compromised or shared. But software alone won't address all of these issues. Enforce policies on password sharing, storage, and responsibilities, and make sure the penalties for irresponsible password use and storage are stiff enough to deter the behavior.
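The kind of policy check that software can enforce, as an added example that is not part of the original article and not a product of Turn-key Technologies: a small Python screener that rejects short passwords, passwords that contain the username, simple sequences and keyboard walks, and anything that matches a blocklist after undoing the usual tricks (trailing "1!", "@" for "a", "0" for "o") that users reach for to sneak a banned word past a naive exact-match check. The blocklist is seeded with the SplashData top ten quoted above; a real deployment would load a large breach-derived corpus instead, and the function and constant names are this example's own.

```python
import re

# Minimum length. NIST SP 800-63B requires at least 8 characters for
# user-chosen passwords and recommends screening against known-bad lists.
MIN_LENGTH = 8

# Constructed blocklist seeded with the SplashData top ten quoted above.
# A real deployment would load a large breach-derived corpus instead.
BLOCKLIST = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Substitutions users make to get a banned word past an exact-match check;
# they are undone before the lookup so "P@ssw0rd" still matches "password".
_LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                       "0": "o", "1": "l", "!": "i", "3": "e", "7": "t"})

# Rows used to catch keyboard walks such as qwerty, asdfgh and zxcvbnm.
_KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _variants(password):
    """Forms of the password that are compared against the blocklist."""
    lower = password.lower()
    forms = {lower}
    # Drop leading/trailing digits and punctuation: "password1!" -> "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    if core:
        forms.add(core)
    # Undo leet-speak on every form collected so far.
    forms |= {form.translate(_LEET) for form in list(forms)}
    return forms


def _is_sequence(password):
    """True for runs such as 123456, abcdef, aaaaaa or keyboard walks like qwerty."""
    if len(password) < 4:
        return False
    lower = password.lower()
    # A run has one constant step between neighbours: +1, -1 or 0 (repeats).
    steps = {ord(b) - ord(a) for a, b in zip(lower, lower[1:])}
    if len(steps) == 1 and steps <= {-1, 0, 1}:
        return True
    return any(lower in row or lower in row[::-1] for row in _KEYBOARD_ROWS)


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _variants(password) & BLOCKLIST:
        problems.append("matches a known-bad password after normalisation")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if _is_sequence(password):
        problems.append("is a simple character sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; only the last one is acceptable.
    samples = [("123456", ""), ("P@ssw0rd1!", ""), ("jsmith2024!", "jsmith"),
               ("qwertyuiop", ""), ("correct horse battery staple", "")]
    for pw, user in samples:
        print(f"{pw!r:34} -> {check_password(pw, user) or 'OK'}")
```

The normalisation step is the part worth copying: without it, "Password1!" and "P@ssw0rd" sail past a blocklist that contains "password", which is exactly how users respond to a complexity rule. A blocklist of ten entries is only a demonstration; the check is cheap enough to run against millions of entries loaded into a set at startup.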
Looking for help with your network security? Turn to the pros at Turn-key Technologies. Request a quote now.