The endurance of weak passwords

The significance of passwords is hard to overstate. They protect online banking accounts from internet thieves, intellectual property from unscrupulous competitors, social media accounts from internet trolls and several other critical systems.

But despite their worth, users have been recycling easy-to-guess passwords since the dawn of the internet (1990s). Back then, according to the NYTimes, the most popular password was “12345”.

Decades later, despite the constant barrage of crippling data breaches, very little has changed. Users have stuck with simple passwords in spite of the obvious risks, as well as relentless security awareness campaigns discouraging such behaviour. 

For instance, a 2016 survey conducted by Dashlane, a company that specialises in password management solutions, revealed some chilling insights:

  • 31% of respondents admitted they used their pet’s name, 23% used number sequences, 22% used a family member’s name, while 21% used their birth date. 
  • Women, the same survey revealed, were more likely than men to use pet or family member names, while men were more likely to choose sports team names or the name of the account they are signing into, such as using “Facebook” as their password for Facebook or “BOA” for their Bank of America account.

A separate survey published by SplashData, a cyber security solutions provider, in December 2017, stated that “123456” and “password” had retained their top two spots as the most used passwords online for the fourth consecutive year. Other glaringly easy-to-guess passwords, such as starwars, freedom, monkey or hello, made it into the top 25 commonly used passwords for the first time. The implications are clear: cybercriminals can easily break into millions of online accounts by simply trying these most popular passwords. According to the 2017 Verizon Data Breach Investigations Report (DBIR), “breaches involving stolen or weak passwords has gone from 50 per cent to 66 per cent to 81 per cent during the past three years”.


So, why has the barrage of data breaches not materially changed behaviours?

First, the sheer volume of passwords an average consumer must manage in today’s digital age (spanning email, social media sites, online retailers, e-banking, government websites, etc.) is simply overwhelming. The average user has more than 90 online accounts, according to Dashlane. Of course, accommodating 90 distinct and complex passwords into already overcrowded brains is daunting. In 2020, the average number of accounts per Internet user will rise to 207, predicts the same blog.

Second, this issue has its roots in human psychology. For instance, a study by Lab42, a market research company, discovered that more than half of respondents convinced themselves that “their accounts are of little value to hackers, they can maintain their casual, laid-back attitude towards password security.” Most consumers certainly know what constitutes a strong password. 91 percent of respondents conceded that reusing passwords is risky, yet 61 percent continue to use the same or similar passwords anyway, with 55 percent doing so while fully understanding the risk.

These revelations are obviously disturbing. But what’s even more disappointing is that for decades, cybersecurity teams have kept recycling the same old tactics, despite their ineffectiveness.

Given these biases, it seems the usual awareness campaigns, reminding users to choose complex passwords, are hopeless.

There are practical steps cyber security teams can take to reduce the risk of compromise from weak or reused passwords. Here are three of them:

  1. First, shift the burden from the consumers by developing systems that are secure by design. For instance, by designing an authentication system that automatically rejects commonly used passwords, such as 12345, 123456, password, qwerty, etc., the enterprise can take away the burden from the user and reduce risk exposure at the same time.
  2. Enterprises with dozens of applications should deploy commercial password management tools, such as Dashlane, KeePass, 1Password or LastPass, to generate and maintain hard-to-guess passwords. A password manager, according to Wirecutter, “makes you less vulnerable online by generating strong random passwords, syncing them securely across your browsers and devices, and filling them in automatically.” Password managers can certainly be hacked, but they are much safer than sticky notes. This CNET article provides good detail on 12 of the leading password management tools.
  3. For high-risk transactions, such as online investment accounts, force users to enrol in multi-factor authentication (MFA), which significantly reduces the risk of unauthorised access using stolen user credentials. MFA requires an additional verification after login with your username and password, such as a one-time passcode accessible via a mobile app or SMS.
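One way to implement the rejection rule from item 1 at registration or password-change time, as an added example that is not code from the original article. The function and variable names are hypothetical, the denylist is a constructed sample holding only the passwords this article names, and the check also covers the survey's "account name as password" habit by comparing against context terms the caller supplies.

```python
import unicodedata

# Constructed sample denylist: only the passwords named in this article.
# A real deployment would load a far larger list of breached passwords.
COMMON_PASSWORDS = {
    "12345", "123456", "password", "qwerty",
    "starwars", "freedom", "monkey", "hello",
}

# Character swaps users apply to "strengthen" a common word (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})
TRAILING = "0123456789!@#$%^&*._-"


def _norm(text):
    """Fold Unicode look-alikes and case so comparisons are stable."""
    return unicodedata.normalize("NFKC", text).casefold().strip()


def _variants(password):
    """Return the normalised password plus its de-decorated forms."""
    base = _norm(password)
    deleet = base.translate(LEET)            # "p@ssw0rd"   -> "password"
    forms = {base, deleet,
             base.rstrip(TRAILING),          # "monkey123!" -> "monkey"
             deleet.rstrip(TRAILING)}
    forms.discard("")
    return forms


def rejection_reason(password, context_terms=()):
    """Return "common", "context", or None if the password is acceptable.

    context_terms: service name, its abbreviation, the username, etc.
    """
    forms = _variants(password)
    if forms & COMMON_PASSWORDS:
        return "common"
    if forms & {_norm(t) for t in context_terms if t}:
        return "context"
    return None


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "Facebook1", "correct horse battery staple"):
        print(repr(pw), "->", rejection_reason(pw, ["Facebook", "alice"]))
```

Exact matching on normalised forms, rather than substring matching, keeps a short term such as "BOA" from rejecting an unrelated passphrase that merely contains those letters.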

As I wrote in my book, The Five Anchors of Cyber Resilience, “The old trade-off of security versus customer convenience no longer makes sense. The long-held perception that security and usability are contradictory is just wrong – the two must be reconciled.”
