We’re six digits away from learning all your secrets
(Last updated on February 7, 2020)
A total of 167 million login credentials from the 2012 LinkedIn hack have recently been leaked. The majority of the passwords were so weak that it took the source's analysts only 72 hours to crack 90% of them. The most frequently used LinkedIn passwords are the usual suspects: 123456, LinkedIn and password. Granted, this list is four years old, but have people learned since then?
No. According to SplashData's 2015 worst-passwords list, 123456 and password still claim the top spots as the most commonly used passwords. Every few months we hear about weak passwords resulting in data breaches or hacks. After so many security scares, ranging from the iCloud photo leak (also known as 'the Fappening') to the Ashley Madison and Sony hacks, all of which were a result of weak passwords, why do people continue to make poor password choices?
The answer is simple – it's because they can. Leaked password lists like the LinkedIn dump show that major sites don't enforce password complexity, for fear of discouraging people from signing up. IT departments within organizations across the globe aren't much better at enforcing strong passwords – just look at the passwords Sony employees used. So at the end of the day it's up to IT to educate end-users on password security and to set and enforce stronger password policies and practices. Here are a few tips:
- Show them what weak looks like. Password strength is closely tied to the four character types: capital letters, lower-case letters, numbers, and symbols. Because a random string of characters is hard to remember, users fall back on tactics such as leetspeak and keyboard patterns, which are predictable and therefore add little real strength.
- Just don't let them. Most people value convenience over security and will not put much thought into creating a good password. If you set the lowest level of complexity, don't expect them to create anything more complicated than Password1234. Enforce a password policy that requires a minimum of 15 characters and a mix of uppercase, lowercase, special characters and numbers, and block passwords that appear in known leaked lists. Don't worry about creating usability issues: it doesn't take much mental muscle to come up with D@ You Understand1?
- Remind them of the consequences. When people don't realize bad passwords have real-life consequences, they react to security incidents with a shrug. Tailor cautionary tales to your audience. For business owners, cite statistics from Verizon's Data Breach Investigations Report – 80 percent of data breaches involve compromised passwords, and 60 percent of small businesses that are breached go out of business within six months. For end-users, remind them that they risk exposing their confidential information and damaging their reputation. The consequences of having their accounts hacked may not be as severe as Laremy Tunsil's falling ten spots in the NFL draft or Jennifer Lawrence's nude pictures being leaked, but there's plenty of information they'd rather keep to themselves, such as their social security number, financial information and private email communications.
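As an added illustration of the policy in the second tip (example code written for this page, not from the original post or any vendor), here is a small Python checker that enforces the 15-character minimum, the four-class mix and the leaked-list block, and also undoes leetspeak and flags keyboard runs, the two weak tactics named in the first tip. The leaked list is a constructed sample standing in for a real breach corpus.

```python
import re

# Constructed sample of a leaked-password list, standing in for a real breach corpus.
LEAKED = {"123456", "password", "linkedin", "password1234", "qwerty", "letmein"}
# Undo common leetspeak substitutions before comparing against the leaked list.
LEET = str.maketrans("@$0!1|3457", "asoiileast")
# Keyboard rows used to spot runs such as "qwer" or "1234" (checked in both directions).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalize(pw: str) -> str:
    """Lower-case the password and reverse leetspeak, so P@$$w0rd becomes password."""
    return pw.lower().translate(LEET)


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters walk along a keyboard row."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str, leaked: set = LEAKED) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
               "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pat in classes.items() if not re.search(pat, pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Check both the raw lower-cased form and the de-leeted form against the leaked list.
    if pw.lower() in leaked or normalize(pw) in leaked:
        problems.append("appears in a leaked-password list")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1234", "P@$$w0rd", "D@ You Understand1?"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Run as a script it reports Password1234 failing on all four counts, P@$$w0rd failing for length and for matching "password" once the leetspeak is undone, and the post's own D@ You Understand1? passing.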