“Password1” – You have more security issues than you thought!
Although this article, “Password1 tops lists of top 10 corporate environment passwords”, did make me smile (Hello123 was the second most used), it points to a pretty wide organizational security gap should an attacker try to gain access to your internal systems.
Although as a software vendor we address security exposures within content, I had actually never spent much time thinking about the passwords people use. Now come on, admit it, you probably have a favorite password that you use for just about everything. I have a 4-page list of web sites, user IDs and passwords that I use. I have two favorites, and although the user ID varies, the password is the same for 98% of them.
The article that was responsible for my smiles was based on Trustwave’s penetration tests of corporate environments in 2013 and part of 2014.
“Regarding keywords in passwords, people loved using the name of their kids and dogs. 12,042 contained a top 100 baby boy name; 9,224 passwords were from the top 100 dog names; and 8,035 passwords contained a top 100 baby girl name. After 31 days, the researchers had cracked 576,533, nearly 92%, of the total 626,718 passwords.”
The most commonly used passwords are below:
Tip: “Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.”
An automated tool can crack a completely random eight-character password drawn from all four character types, such as “N^a&$1nG”, much faster than a 28-character passphrase made only of upper- and lower-case letters, such as “GoodLuckGuessingThisPassword”. If for the purposes of this estimate we assume the attacker knows the length of the password and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD Radeon R9 290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU.
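The arithmetic behind those two figures is worth carrying through yourself, because it shows both why length beats complexity and where the passphrase estimate has to be read carefully. The Python below is an added example, not code from the original post or from Trustwave: it computes the keyspace a mask attack faces when the attacker knows the length and character classes, the bits of entropy that implies, and the worst-case time at an assumed guess rate. The rate of 10 billion guesses per second is my assumption for a single 2014-era high-end GPU against a fast unsalted hash; the page gives no rate. The last function runs the estimate backwards: given a published crack time and a word count, it returns the dictionary size per word that would produce it, which is the check a practitioner wants before trusting any “years to crack” number.

```python
import math
import string

# Assumed guess rate for the worked numbers: about 10 billion candidates per
# second, roughly one 2014-era high-end GPU against a fast unsalted hash such
# as NTLM. This is an assumption for this example, not a figure from the page.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes a mask attack is configured with. string.punctuation has
# 32 members; add " " to "symbol" if your policy allows spaces.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker who knows which classes appear must cover."""
    return sum(len(members) for members in CHARACTER_CLASSES.values()
               if any(ch in members for ch in password))


def brute_force_keyspace(password: str) -> int:
    """Candidates for a mask attack that knows the length and the classes used."""
    return alphabet_size(password) ** len(password)


def entropy_bits(keyspace: float) -> float:
    """Log2 of the keyspace: the usual 'bits of strength' figure."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case, every candidate tried; the expected time is half of this."""
    return keyspace / rate


def implied_dictionary_size(years: float, num_words: int,
                            rate: float = GUESSES_PER_SECOND) -> float:
    """Words per position that a num_words-word attack would need so that it
    takes `years` at `rate`. Use it to sanity-check published crack times."""
    candidates = years * SECONDS_PER_YEAR * rate
    return candidates ** (1.0 / num_words)


def report(password: str) -> dict:
    """Summary of the mask-attack cost for one password."""
    keyspace = brute_force_keyspace(password)
    return {
        "alphabet": alphabet_size(password),
        "length": len(password),
        "bits": round(entropy_bits(keyspace), 1),
        "worst_case_days": seconds_to_exhaust(keyspace) / 86400,
    }


if __name__ == "__main__":
    for pw in ("N^a&$1nG", "GoodLuckGuessingThisPassword"):
        r = report(pw)
        print(f"{pw!r}: alphabet {r['alphabet']}, {r['bits']} bits, "
              f"worst case {r['worst_case_days']:.3g} days")
    # How big a word list makes a four-word passphrase fall in 17.74 years?
    print(f"implied dictionary size: {implied_dictionary_size(17.74, 4):,.0f} words")
```

Run as written, the eight-character password comes out at about 52 bits and a worst case of roughly seven days, so the page’s 3.75-day figure is the expected (half-keyspace) time at about this rate. The 28-character passphrase comes out at about 160 bits, which at the same rate is not 17.74 years but on the order of 10^30 years. 17.74 years at 10 billion guesses per second is only about 2^62 candidates, which the last function shows is what you get by treating the passphrase as four words each drawn from a list of roughly 48,000. That is my inference, not a statement from the page, but it is the practical caveat: a passphrase assembled from common words is only as strong as the dictionary attack against it, and the 52^28 brute-force number never applies.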
Is it time to start thinking about changing your password? I’m not sure I’m ready. It’s been with me for years. Maybe we should all just use “GoodLuckGuessingThisPassword”.