The Truth About Passwords

Technology is such an ingrained part of our lives that no one makes it through their day without logging on, signing in, updating, posting or doing something else that involves an Internet connection. This may be why so many people have come to take passwords for granted. After all, we have firewalls, VPNs, antivirus software and all kinds of programs meant to leave hackers without a prayer. Yet, every year, companies, major corporations and even governments get hacked. One reason is that passwords are as important as ever—maybe even more than ever—yet people are treating them like an afterthought.


No, that’s not a number. That’s one of the most popular passwords in the world. If any one point could be highlighted to make the argument that passwords aren’t being treated with enough respect, this would be it.

Every year, an informal survey looks at millions of users to help highlight where companies are falling short on security. Since 2011, people have chosen “123456” so consistently that it keeps showing up as the worst possible choice.

Right there, you can tell something is wrong with how users are picking passwords. Blaming the concept for breaches would be like saying doors don’t work because people get robbed when they leave theirs wide open. “123456” is as good as having no password at all.

People Love Patterns

“123456” isn’t just an unfortunate outlier either. It’s characteristic of a very serious problem throughout every industry. Let’s take a look at other popular password options that show up on the yearly list. After “123456”, it goes:

  • password
  • 12345
  • 12345678
  • qwerty
  • 123456789
  • 1234
  • baseball
  • dragon
  • football

Those don’t scream, “I take security seriously”, do they? If you’re wondering, “qwerty” is just the first five characters from the top left of the keyboard. Also of interest: “password” remains the second most popular password, and has been for the past four years.

The Top 1,000 Passwords

While we obviously can’t list them all out, there’s a much larger list of common passwords—1,000 in total—that helps paint a disturbing portrait as well. These were taken from a leak that happened back in 2014. Analysts had six million passwords to look at and, from them, they established the most common choices.

Obviously, “123456” and “password” were at the top. In fact, they accounted for 8% of the total. Still, they were part of the 91% of passwords that came from the most common 1,000 options.

When you think of 1,000 different passwords, that might seem like a lot. It is, of course, but probably not as many as you think. Knowing that 5,460,000 out of five million users all picked from the same 1,000 passwords should worry you. Hackers won’t have any problem going through that many if they think they have a 91% chance of gaining entry to your network, especially if they’re convinced it will get them an attractive target.

The Top 10,000 Passwords

Unfortunately, it gets worse. When analysts expanded their list to the top 10,000 most common passwords, they found that another 8% of users could be added to that list. In total, then, 99% of users pick passwords from the same list of 10,000.

Keep in mind, these aren’t the same type of passwords. We’re not talking about people choosing their birthdays or their mothers’ maiden names. We’re talking about the same exact combination of letters and numbers. Is it any wonder that hackers seem to have such a field day every year?

Hacking Software Is Here

One thing a lot of people don’t understand about hacking is that it’s no longer an activity only carried out by the extremely tech-savvy. You don’t need a computer science degree or an extensive background in programming. Instead, anyone with a bit of ingenuity—and a lack of morals—can pull off hacking these days, provided their targets pick awful passwords. 

This is thanks in large part to the hacking software that now exists. To illustrate the point as efficiently as possible, let’s look at HashCat. Are all platforms as brutal as this one?

No, but the fact that it’s out there should give you pause. HashCat can make 300,000 attempts at your password in just one second. 

“Password” and “123456” obviously aren’t going to stand up to this kind of brute force attack. However, neither is some combination of characters for your hometown, year you were born, favorite band and favorite number. “Fargo84Beatles11” probably wouldn’t take HashCat more than a minute to nail.
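A defender can refuse these choices at the moment a password is set. The following is an added example, not code from the original article: it screens a candidate against the ten passwords listed above, against keyboard and counting patterns, and against details known about the user. The function names and the `personal` parameter are hypothetical.

```python
import re

# The ten most popular passwords listed on this page. A real deployment would
# load a far larger list, such as the top 10,000 discussed above.
COMMON = {"123456", "password", "12345", "12345678", "qwerty",
          "123456789", "1234", "baseball", "dragon", "football"}

# Keyboard rows and ordered runs that people walk along when choosing.
WALKS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
         "abcdefghijklmnopqrstuvwxyz"]


def longest_walk(pw: str) -> int:
    """Longest run of pw that follows a walk, forwards or backwards."""
    s, best = pw.lower(), 0
    for walk in WALKS:
        for seq in (walk, walk[::-1]):
            for i in range(len(s)):
                j = i + best + 1
                while j <= len(s) and s[i:j] in seq:
                    best, j = j - i, j + 1
    return best


def screen(pw: str, personal: tuple = (), min_len: int = 12) -> list:
    """Return reasons to reject pw; an empty list means no check fired."""
    s, reasons = pw.lower(), []
    # Strip trailing digits and symbols: "password1!" is still "password".
    core = re.sub(r"[\W\d_]+$", "", s)
    if s in COMMON:
        reasons.append("common password")
    elif core in COMMON:
        reasons.append("common password plus suffix")
    if len(pw) < min_len:
        reasons.append("too short")
    if pw and longest_walk(pw) >= max(4, len(pw) // 2):
        reasons.append("keyboard or counting pattern")
    # Hypothetical input: facts known about the user (hometown, band, ...).
    if any(len(p) >= 3 and p.lower() in s for p in personal):
        reasons.append("built from personal details")
    return reasons
```

Without the `personal` hints, “Fargo84Beatles11” passes every check, so an empty result means only that no known-bad pattern was found, not that the password is strong.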

The Solution

How, then, are passwords still relevant? Well, first, because they’re still necessary. We’re not going back to putting things on paper and communicating primarily through fax and snail mail. That means passwords are going to stick around.

Second, you can use a better type of password. Multi-factor authentication (MFA) is the next evolution of password protection. This security system requires at least two methods for a user to validate themselves before gaining access. However, MFA takes it a step further by demanding that each category be independent of the other. Therefore, it’s not like you simply put in two passwords. Instead, you might use a password and a disconnected token, something no one could hack because it has no connection to the computer.
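As an added example (not from the original article), the server side of a password-plus-token login can be sketched as follows. It assumes the token is a time-based one-time password generator (TOTP, RFC 6238), which the article does not specify; `verify_login`, `hash_password` and the PBKDF2 work factor are hypothetical choices for this sketch.

```python
import hashlib
import hmac
import struct

STEP = 30                # seconds per code, the RFC 6238 default
PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 code for one counter value (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: HOTP keyed on the current 30-second time step."""
    return hotp(secret, int(now) // STEP, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_login(stored_hash, salt, password, token_secret, code, now,
                 last_counter=-1, window=1):
    """Return the accepted time step if BOTH factors pass, else None.

    The caller stores the returned step as last_counter so that a code
    captured in transit cannot be replayed inside its validity window.
    """
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    current, accepted = int(now) // STEP, None
    # Allow one step of clock drift either side; never accept an old step.
    for step in range(max(0, current - window), current + window + 1):
        expected = hotp(token_secret, step).encode()
        if step > last_counter and hmac.compare_digest(expected, code.encode()):
            accepted = step
    return accepted if pw_ok else None
```

The two checks share no secret: the password hash says nothing about the token key, so a guessed password alone never yields a login.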

Passwords aren’t going anywhere anytime soon. However, in order for them to continue being a successful method for keeping systems secure, companies need to take the next step. Obviously, you want to instruct your employees in picking the best possible passwords. Without MFA, though, it’s probably just a matter of time before a hacker breaches your security. 

