Despite high profile breaches of user information and passwords from LinkedIn and Yahoo in recent years, many business users refuse to create passwords that offer adequate protection against cybercriminals, according to a new study from Preempt.
Last year, LinkedIn revealed that email addresses and passwords of more than 164 million users were stolen in a massive hack in 2012. The company had originally reported that only 6.46 million accounts had been compromised.
Preempt checked how many of the passwords exposed in the breach already appeared in established password dictionaries. More than 63 million LinkedIn users, about 35% of accounts, had used a previously known password. However complex such a password looks, it is weak in practice: a cracker does not have to brute-force it, only match the hash against a wordlist of known or previously leaked passwords.
“Users reuse passwords. They rotate them. Add a digit to them. And even use identical or share passwords with others,” according to a Preempt blog post describing the results. “The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.”
Last year, LeakedSource published a list of the most popular passwords used by LinkedIn users in 2012, demonstrating just how unsafe many accounts were, ZDNet reported. Here were the top five passwords and their frequency of use:
1. 123456 (753,305 users)
2. linkedin (172,523 users)
3. password (144,458 users)
4. 123456789 (94,314 users)
5. 12345678 (63,769 users)
Many users whose accounts were breached changed their LinkedIn passwords but did not think to change the password on work or other accounts that used the same one, the post stated. “Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well,” according to the blog post. “For IT security teams, this is an unknown vulnerability they have to deal with.”
LinkedIn does offer two-factor authentication for added security; enabling it limits what a reused or cracked password alone can do.
Preempt also investigated how long it would take to crack a password using standard, off-the-shelf cracking hardware. The company defined three password models: low complexity (only a minimum length enforced), medium complexity (length and character-class rules enforced, with users following common ULSD patterns, i.e. the usual placement of upper-case, lower-case, special and digit characters, such as capitalizing the first letter and ending with a digit), and high complexity (the same rules as medium, but avoiding the common ULSD patterns).
The verdict? Low complexity passwords could be cracked in less than a day, medium complexity passwords in less than a week, and high complexity passwords in less than a month.
The report's takeaway for enterprises is to have employees practice password hygiene: passwords longer than 10 characters, that avoid common ULSD patterns, and that are changed frequently.
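The two checks the article describes, matching a dump against a known-password list and screening new passwords for the weaknesses the study found, can be put into a small policy filter. The following is an added example written for this page, not Preempt's code or LinkedIn's; the wordlist, site terms, sample dump and the length threshold of 11 characters (the article's "more than 10") are constructed assumptions. The dump comparison hashes each wordlist entry with unsalted SHA-1, which is how the 2012 LinkedIn hashes were stored and is what makes a plain dictionary match possible without any brute force.

```python
import hashlib
import re

# Constructed sample of a "known password" wordlist: the article's top five plus a
# few other common choices. A real check loads a large leaked-password list from disk.
KNOWN_PASSWORDS = {
    "123456", "linkedin", "password", "123456789", "12345678",
    "qwerty", "welcome", "summer",
}

# Assumed: site- or company-specific words that should never appear in a password
# (the study found "linkedin" itself was the second most common password).
SITE_TERMS = {"linkedin"}

# Undo the most common leet substitutions so "p@ssw0rd" maps back to "password".
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o",
                       "1": "i", "3": "e", "4": "a", "5": "s"})

# Capital first letter, lower-case body, one to six digits/symbols on the end:
# the shape complexity rules push users toward and cracking rulesets try early.
COMMON_ULSD = re.compile(r"[A-Z][a-z]+[^A-Za-z]{1,6}")


def normalize(pw):
    """Reduce a password to the base word a cracker would try first: lower-case
    it, strip the digits and symbols users bolt onto either end when they
    "rotate" a password, then undo leet substitutions in what is left."""
    base = pw.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # strip non-letters at both ends
    return base.translate(_LEET)


def matches_common_ulsd_pattern(pw):
    """True for the 'Summer2017!' shape the study calls a common ULSD pattern."""
    return COMMON_ULSD.fullmatch(pw) is not None


def check_password(pw, known=KNOWN_PASSWORDS, min_length=11):
    """Return the list of policy failures for a candidate password; empty means accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = pw.lower()
    base = normalize(pw)
    if lowered in known:
        reasons.append("appears verbatim in known-password list")
    elif base in known:
        reasons.append(f"variant of known password '{base}'")
    if any(term in base for term in SITE_TERMS):
        reasons.append("contains site name")
    if matches_common_ulsd_pattern(pw):
        reasons.append("common capital-first/digit-last pattern")
    return reasons


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def count_known_in_dump(dump_hashes, wordlist):
    """Given a set of unsalted SHA-1 hashes from a dump and a plaintext wordlist,
    count how many distinct dump entries the wordlist recovers. This is the
    dictionary comparison behind the article's 'already known' figure: each
    wordlist entry is hashed once and looked up, no guessing required."""
    hits = {h for h in (sha1_hex(w) for w in wordlist) if h in dump_hashes}
    return len(hits)


# Constructed stand-in for a leaked hash dump (four accounts, two using known passwords).
SAMPLE_DUMP = {sha1_hex(p) for p in ["123456", "linkedin", "Tr0ub4dor&3", "xj9#Lq2m"]}


if __name__ == "__main__":
    print("dump entries matched by wordlist:", count_known_in_dump(SAMPLE_DUMP, KNOWN_PASSWORDS))
    for candidate in ["123456", "Linkedin2017!", "P@ssw0rd1", "Summer2017!",
                      "correct-horse-battery-staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate) or ['ok']}")
```

The `normalize` step is what catches the "rotate it, add a digit" habit described above: `Linkedin2017!` and `P@ssw0rd1` both collapse to a word already on the list and are rejected even though they satisfy a typical length-and-character-class rule. Note that forcing frequent rotation tends to produce exactly those variants, so a filter like this matters most where rotation is enforced.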
“Enterprises must assume that there is always going to be one employee that may compromise the organization online,” Ajit Sancheti, CEO and co-founder of Preempt, told TechRepublic. “Unfortunately, no amount of education can prevent this, so it is important to focus attention and resources on defense.”
Sancheti recommends that enterprises do the following:
1. Instruct employees to not reuse passwords, ever.
2. Remind employees to not click on links in emails, unless they are sure they know the sender. They should also not go to any banking or financial site through an emailed link.
3. Enforce penalties for unsafe or irresponsible actions while using a work device.
4. Offer continuous education on cyber hygiene.