What is your password behaviour and how does it matter?
Dubai: Each year on the first Thursday in May, World Password Day promotes better password habits. Although we don’t need a red letter day to think about our passwords, the findings of an analysis could just make us sit up and change our magic access characters.
According to a one-month password analysis by Mimecast, an email and data security company, the top password in the world remains the simple sequence ‘123456’, followed by ‘123456789’ and, as bizarre as it may sound, ‘qwerty’. The next three places go to easy-to-recall numeric strings: ‘111111’, ‘1234567890’ and ‘12345’.
Threat intelligence analysts at the company said simple, easily guessed passwords are still the norm, almost as if users don’t trust their own memories to recall something more complex.
But at the risk of sounding repetitive, cyber experts cautioned that such passwords are weak and fraught with danger.
Dr Kiri Addison, head of Data Science for Threat Intelligence and Overwatch at Mimecast, said, “A weak password is often the first line of attack that opportunistic and malicious intruders target when looking to steal or collect user data. With more people working remotely due to COVID-19 and accessing corporate and business accounts outside of the office, people need to be even more careful with their passwords – and that means avoiding the classic ‘123456’ password that is unfortunately still too common.”
Luckily, though, she said there are simple solutions to avoid this. “For example, using a password manager naturally encourages people not to use the same passwords. Instead, the system records original, complex passwords that the user can then access using a master password; this helps take away the pressure of remembering every single password. Combined with multi-factor authentication, which provides an additional layer of security and a further barrier from unwanted access, users can benefit from higher security.”
Changing password behaviour
Adam Palmer, chief cybersecurity strategist, Tenable, a cyber exposure company, said, “Every time a researcher with time on their hands searches through the latest data breach, it reveals millions are still using ‘123456’ as a password, so the chances of changing password behaviour are nothing short of a miracle.”
He said, “Given the reliance on passwords doesn’t appear to be reducing, and if anything our virtual identities are increasing, password managers that create and store complex passwords are essential. This year, as the spotlight is once again shone on passwords, instead of advocating complex recipes and codes, do yourself a favour and automate.”
Dangers of password reuse
According to Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint, “The dangers of password reuse have been made abundantly clear through the rise in successful credential stuffing attacks, yet recent research has shown that 45 per cent of working adults admit to reusing the same password for multiple services. This issue will likely persist into the future due to human beings’ desire for convenience and the difficulty of remembering ever more complex passwords for the multitude of online services they use.”
Abou Saleh said the repercussions can be serious, however, as one compromised password can open an individual up to identity theft or even put an entire organisation at risk.
“Likewise, cybercriminals are continuing to leverage sophisticated strains of information-stealing malware or keyloggers, often delivered through email phishing campaigns leveraging social engineering. Even in the best case scenario where a user has complex and unique passwords in place, a carefully targeted phishing attack dropping a stealer or keylogger can deliver these credentials directly to the attacker,” Abou Saleh said.
“Password reuse can be tackled through greater education and training, but it must be combined with technological solutions to reduce the onus on the individual, which is consistently the route most exploited by cybercriminals. Organisations should be implementing multi-factor authentication as standard, and it is also encouraging to see a rise in the use of password management applications which mitigate the risk of relying on the human memory for password security,” Abou Saleh said.
“As we look ahead, there is the potential that security advice will be to move away from passwords altogether. We have already seen a rise in methods such as facial recognition and other biometric authentication forms in use in place of the traditional password. This shift may be essential, because although technical vulnerabilities may be harder to exploit in future, humans are already and will remain the most targeted link in cyber security, with the most tech-savvy individuals vulnerable to increasingly personalised and complex attacks. Relying on passwords may be a thing of the past,” Abou Saleh added.