Why four-letter obscenities as passwords don’t work

Splashdata’s annual list of the most common weak passwords once again proves that humans are pretty lazy, and – more depressingly – have imaginations that put our species to shame. Last year’s most common password was – you guessed it – ‘123456’, which outstripped the previous year’s killer: ‘password’.

Rank  Password    Change from 2012
1     123456      Up 1
2     password    Down 1
3     12345678    Unchanged
4     qwerty      Up 1
5     abc123      Down 1
6     123456789   New
7     111111      Up 2
8     1234567     Up 5
9     iloveyou    Up 2
10    adobe123    New

So, why are some passwords worse than others and how will your employees’ choice of passwords affect your business?

We’ve compiled a short explanation about why some password choices could prove more risky than others.

Why your employees shouldn’t use words that can be found in a dictionary

Common words, names, dates, or numbers should never be used. According to the University of Chicago, this is not limited to English dictionaries: if you can find it in the dictionary of any language (even fictional ones, such as Klingon), don’t use it. One standard method used by cyber criminals is the brute-force attack: automated password-cracking software tries possible passwords over and over again, and it is fed dictionaries of common words and names in all sorts of languages.

Splashdata says that even passwords with common substitutions like “L1sten1ng” can be vulnerable to the increasingly sophisticated technology of cyber criminals. Many cracking dictionaries include both common misspellings and words with letters replaced by similar-looking numbers (e.g. ‘l’ replaced with ‘1’), so the substitution adds little protection.
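To show why a substituted word like “L1sten1ng” still falls to a dictionary attack, here is an added example of the kind of check a password policy can run on the defender’s side before accepting a new password. It is not code from Splashdata or IT Governance. The wordlist is constructed: the first ten entries are the list from the table above, the rest are stand-ins for a real multi-language cracking dictionary; the substitution table and the 12-character minimum are assumptions for the illustration.

```python
from itertools import product

# Constructed sample dictionary. The first ten entries are Splashdata's list
# from the table above; the rest stand in for the millions of words, names and
# phrases a real cracking wordlist carries in many languages.
COMMON_WORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123",
    "listening", "monkey", "dragon", "letmein", "welcome", "klingon",
}

# Characters that cracking rule-sets already "un-substitute", mapped to every
# letter they commonly replace (so "1" is tried as both "l" and "i").
# Assumed table for the example; real rule-sets are far larger.
LEET_REVERSE = {
    "1": "li", "!": "i", "|": "li", "3": "e", "4": "a", "@": "a",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "8": "b",
}

# Trailing characters users tack onto a base word ("password1", "Monkey!")
# and that mangling rules strip or re-append automatically.
TRAILING = "0123456789!?.#*"

def candidates(password, limit=512):
    """Return the lower-cased password plus every plain-text reading of it once
    each leet character is expanded back to the letters it may stand for. The
    cap stops a long, symbol-heavy input from producing an exponential number
    of readings."""
    choices = [LEET_REVERSE.get(ch, ch) for ch in password.lower()]
    readings = {password.lower()}
    for combo in product(*choices):
        readings.add("".join(combo))
        if len(readings) >= limit:
            break
    return readings

def is_dictionary_based(password, words=COMMON_WORDS):
    """True if the password, or the password with its trailing digits and
    punctuation removed, de-leets to a dictionary entry."""
    for variant in {password, password.rstrip(TRAILING)}:
        if variant and candidates(variant) & words:
            return True
    return False

def audit(password, words=COMMON_WORDS, min_length=12):
    """Defender-side policy check: a list of reasons the password would be
    rejected. An empty list means it passed these particular checks."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in words:
        reasons.append("appears verbatim in the common-password list")
    elif is_dictionary_based(password, words):
        reasons.append("is a dictionary word with substitutions or a digit suffix")
    return reasons

if __name__ == "__main__":
    for pw in ["123456", "L1sten1ng", "P@ssw0rd1", "lion@crazybirthday!"]:
        print(f"{pw!r}: {audit(pw) or 'passes these checks'}")
```

Run as a script it reports “L1sten1ng” and “P@ssw0rd1” as dictionary-based (they de-leet to “listening” and “password”) while the passphrase “lion@crazybirthday!” passes, which is exactly the distinction the section is drawing: the substitutions are already in the attacker’s rules, so only the choice of base material matters.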

How criminals can steal your employees’ passwords

Online data breaches take place all the time, giving criminals the perfect opportunity to sell the usernames and passwords of compromised accounts to other parties. LinkedIn, Dropbox, Adobe, PayPal – the list goes on – have all been breached. If your employees have reused their passwords on a number of sites, including organisational systems, then your data is at risk.

One of the most common ways that passwords are compromised is by criminals looking over other people’s shoulders when they type their password, or by finding the paper where the password was written down. It goes without saying: warn your employees not to write down their passwords!

How cyber criminals can guess your passwords

You will be astounded by how many people use a password based on information that can easily be guessed. According to Native Space, psychologists say that most men use four-letter obscenities as passwords and most women use the names of their boyfriends, husbands or children. While lines taken from the national anthem might seem like a good passphrase, these lines are widely-recognised and popular, so in practice they make bad passwords that are easy to crack.

Long passwords are difficult to recall, so what should you do?

Many tips for creating good passwords are easy to find online. One clever way to create more secure passwords that are still easy to recall is to use passphrases – short words with spaces or other characters separating them. It’s best to use random words rather than common phrases. For example, “lion@crazybirthday!” or “steady_fish#onwards.”
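As an added example (not from the original post) of the passphrase advice above, the block below generates a passphrase in the “word@word!word” style from a wordlist using Python’s CSPRNG-backed `secrets` module, and puts a number on why that beats a single substituted dictionary word. The wordlist, the separator set and the 170,000-word and 7,776-word list sizes used for comparison are constructed figures for the illustration; the entropy calculation assumes, conservatively, that the attacker knows both the wordlist and the scheme.

```python
import math
import re
import secrets

# Constructed mini wordlist; a real diceware-style list has thousands of
# entries, and the entropy figures below grow with the list size.
WORDLIST = [
    "lion", "crazy", "birthday", "steady", "fish", "onwards", "copper",
    "meadow", "violin", "harbour", "pixel", "tundra", "saddle", "quartz",
    "lantern", "orbit",
]
SEPARATORS = "@!#_.-"   # assumed separator set, as in the article's examples

def entropy_bits(wordlist_size, n_words, n_separators=0, separator_choices=1):
    """Entropy in bits of a passphrase made of `n_words` words drawn uniformly
    from a list of `wordlist_size`, plus optional random separators. Assumes
    the attacker knows the list and the scheme (the conservative assumption)."""
    return (n_words * math.log2(wordlist_size)
            + n_separators * math.log2(separator_choices))

def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the password: on average half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second

def generate_passphrase(n_words=4, wordlist=WORDLIST, separators=SEPARATORS):
    """Build a passphrase in the "word<sep>word<sep>..." style. `secrets`
    is used rather than `random`, whose output is predictable."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    seps = [secrets.choice(separators) for _ in range(n_words - 1)]
    phrase = words[0]
    for sep, word in zip(seps, words[1:]):
        phrase += sep + word
    return phrase

def words_of(phrase, separators=SEPARATORS):
    """Split a passphrase back into its words (used to check the output)."""
    return re.split("[" + re.escape(separators) + "]", phrase)

if __name__ == "__main__":
    rate = 1e10  # constructed figure: offline guesses per second vs a fast hash
    print("generated:", generate_passphrase())
    one_word = entropy_bits(170_000, 1)
    four_words = entropy_bits(7776, 4, 3, len(SEPARATORS))
    print(f"one word from a 170,000-word list: {one_word:.1f} bits, "
          f"~{seconds_to_crack(one_word, rate):.6f} s at {rate:.0e} guesses/s")
    print(f"four words from a 7,776-word list: {four_words:.1f} bits, "
          f"~{seconds_to_crack(four_words, rate) / 86400:.0f} days at the same rate")
```

The point the numbers make is that a leet-substituted dictionary word is still only one choice from a list (around 17 bits for a 170,000-word list), whereas four random words from a modest list give around 52 bits before separators are counted. The words in “lion@crazybirthday!” are memorable precisely because they are ordinary; what protects the passphrase is that they were chosen at random, not that they are obscure.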

One last word of advice

“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” – Clifford Stoll.

IT Governance provides essential solutions for tightening your organisation’s defences against the increasing risk of cyber crime. One of these is a range of flexible solutions to implement the international standard for information security, ISO 27001.

Find out how vulnerable your assets are to a random cyber attack with a combined penetration test and vulnerability assessment service. If you order IT Governance’s Combined Infrastructure and Web Application Penetration Test – Level 1 in November, we’ll carry out an email phishing campaign to test your staff’s awareness of phishing attacks absolutely free. Protect your systems from attack, see if your staff are susceptible to phishing attacks, and mitigate the vulnerabilities that cyber attacks will exploit.