World Password Day is upon us again and one would assume the drastic increase in breaches and hacks would prompt changes in how we all approach the password process. But recent studies, reports, and news stories reveal a stunning lack of progress in how millions of people view password creation in relation to their online safety.
Two different studies illustrate the worrying state of affairs for passwords. A survey from London-based cybersecurity company Clario showed that American millennials are some of the worst offenders of safe password practices, using the same password on as many as 50 different accounts.
Another report from Kevin Lancaster, founder of cybersecurity company ID Agent, scoured two billion passwords on the Dark Web and collected the most common passwords traded there.
SEE: Top 100+ tips for telecommuters and managers (free PDF) (TechRepublic)
Lancaster found that millions of people are still using their favorite song, sports team, or superhero as their password, all of which are easily discoverable by cybercriminals doing routine searches of a person’s social media profiles.
“Even with all this noise about all the breaches that happen every day that make the news and how damaging cyberattacks are, we’re still seeing people do really stupid things with passwords, day in and day out,” Lancaster said in an interview.
“At times it makes you want to hit your head against a wall. On one hand it drives you nuts that we’re still talking about this 10 years later but on the other hand it’s easy to understand that it’s really hard to solve. We’re still seeing people use things that are familiar to them because it’s easy to remember.”
Lancaster said the explosion of digital platforms that billions of people have to use for work, education and pleasure have forced people into an untenable situation where they feel they have no choice but to reuse passwords for dozens of accounts.
While people know they need sophisticated, unique passwords for every account, they also don’t have the time or mental bandwidth to create different ones for every account they own.
In his research of passwords leaked to the Dark Web, he found that many people are still using very basic passwords and variations of information related to things they love. Passwords like “rolltide,” “yankees,” “redsox,” “mickey,” “superman,” and “batman” are wildly popular despite their simplicity.
Some even put the name of their favorite sport, like “football” or “baseball” as their password while others use band and song names like “blink182,” “beatles,” and “8675309.”
Lancaster noted that in our hyper-sharing environment with dozens of social media sites, all of this information about a person’s interests can be found fairly easily, making it simple for cybercriminals to guess passwords and variations.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
In addition to sharing on social media sites, there are also websites dedicated to aggregating information on random people, making it even easier for hackers to find what they need to get into your accounts.
“To exploit someone, to start guessing passwords and putting them in automated scripting machines and trying to find holes, is very easy, especially if you have an address or known associates. If you know that they are diehard Yankees fans and what their kids’ names or pets’ names or who their relatives are, it’s relatively easy to do,” Lancaster said. “Hackers Google people.”
For his research, Lancaster sorted through billions of passwords he found on TOR or the Dark Web, which he said included everything from small credential dumps that might be specific to a small dental practice and their CRM system or major platforms like Zoom, LinkedIn, and Dropbox.
After normalizing and cleaning up the data to remove data that may have been dumped twice, he looked through to find patterns. He took out all of the default passwords and accounts using “password” or “123” as the password in an effort to focus on the most commonly used trends in password creation.
But even that may be giving the public too much credit. Just last month, there was widespread outrage after a group posted more than 25,000 email addresses and passwords reportedly belonging to the World Health Organization, the National Institutes of Health, the Gates Foundation and other groups working to battle the coronavirus pandemic.
Even though many of these people are vital to efforts to combat the virus’ spread, Australian cybersecurity expert Robert Potter told the Washington Post that after digging through the trove of data, he discovered 48 people had “password” as their password while dozens of people used their first name or “changeme” as passwords.
Putting that aside, Lancaster looked at what kinds of passwords people typically turn to and found that first names, sports associations, and animated characters are increasingly common. This trend is not just in the United States. All across the world and in almost every language, people fall into similar traps of using extraordinarily easy-to-guess passwords.
Lancaster said that while there was troubling data about password use, there was some indication that people were only using poor passwords for sites they did not consider to be important.
“You do see evidence that people understand that for some sites, there might be more risk. So for their bank, they may be a bit less inclined to use a person’s first name and a one and an exclamation point. But in sites that might be throwaways, they still use first names, last names, combos,” he said.
“It’s all about educating people about what the exploits are and why it should be cautious. A lot of this stuff can be eliminated through making sure that you enable two-factor authentication on the applications or create a layered approach using password managers.”
SEE: Password Management Policy (TechRepublic Premium)
Still, people underestimate how dangerous it is to use the same password on multiple sites. The Clario study of 2,000 Americans found that more than three-quarters of millennials use the same password for more than 10 devices, apps, and accounts and some have even admitted to using the same password more than 50 times.
Alun Baker, CEO at Clario, said apps and smartphones in general contain a huge amount of personal data that could potentially be accessed if just one company slips up.
“Check the companies that were breached last year—Uber, Facebook, Booking, among others… These are apps that nearly every millennial uses. If a person’s password gets leaked, cybercriminals would have immediate access to as many as 20 or more of the victim’s accounts/apps,” Baker said.
“Passwords are not just passwords, they’re keys to our digital life. Using multifactor authentication, a secured password manager, VPN, and staying up to date on data breaches is a good way of protecting yourself from unwanted hacks.”