The Good, The Bad and The Lazy

The National Cyber Security Centre (NCSC) and HaveIBeenPwned have jointly released a list of the top 100,000 passwords out of a list of 551 million passwords found in breached data sets. That is, out of the 551 million+ passwords that have been found in breached data sets, these are the 100,000 most frequently encountered. These are the 100,000 worst passwords you could possibly use.

The List of Shame

551 million passwords. That's staggering number. What's even more staggering is that the most popular password is 123456. Really? In 2019, the most frequently used password is still 123456? What's wrong with people? Here's the top ten most frequently used passwords:

• 123456. Quite simply if this is your password, you're too dumb to be using a computer. 
• 123456789. You're no better for having made it to nine.
• qwerty. Too smart to use numbers, huh? Well done on picking the third most commonly used password.
• password. Is this ignorance or arrogance? Either way it's facepalm stupid.
• 111111. Favoured by users that are too lazy to type 123456. 
• 12345678. Going for nine but got bored.
• abc123. Jackson Five fans?
• 1234567. Going for eight and got bored. 
• password1. Mixing numbers and letters can be a winning combination. But not in this case.

There is no excuse for using passwords like this. At all. To use passwords such as these means the user is lazy. Lazy users cut security corners because it is easier than doing it properly. Do you want your staff to cut corners or do you want them to take the security of your network seriously? 

Lazy Users

Lazy users will use the same password in many different systems because they can't be bothered to remember more than one password. That means if their password is breached on some other site - and 551 million breached passwords gives proof positive that this happens - then their password to your IT resources has also been breached.

Enforcing a password policy is not a difficult step. Enforcing complexity rules is simple. You don't have to allow your staff to put you at risk like this. 

Secure Passwords

What makes passwords secure is using a passphrase of words separated by either numbers or punctuation. That increases the complexity to the point that password cracking programs cannot crack them in hundreds or thousands of years. A phrase like fifty.silent.moorhens is many orders of magnitude more secure than lazy passwords and passwords that substitute numbers for letters.

Letter substitution forces the password cracking software to increase the effective size of the alphabet that it uses, by including the digits from 0 to 9. That's all. It doesn't make it more difficult for the password to be cracked.

The software knows that sometimes a "4" is used for an "A", and "3" is used for an "E" and so one. It adds no extra security at all, while nimble.squid.broth would take forever to crack, is faster to type and easier to remember.

And your staff will also be able to remember their passwords because there is no point in making them change their password frequently. 

Don't Force Password Changes

This is what Microsoft say about regularly changing passwords: "Periodic password expiration is an ancient and obsolete mitigation of very low value". It's the choice of password that matters.

Forcing lazy users to change their passwords every three months means they choose another lazy password. Whenever their account is attacked, in this three months or in the next three months, they'll still be using a lazy, easy password and making the cyber criminal’s life easier. 

And the NCSC agree: don't change passwords regularly, it adds nothing to the security of the network.

No Personal Information

You shouldn't base passwords on anything that someone might guess, know or be able to winkle out of you, like your favourite football team, favourite band, your children's names or the type of car you drive.

Out of interest I poked around in the bad password database and found these football teams, groups, names and car brands were present with these frequencies.

• Chelsea (42 times), Liverpool (28), Arsenal (27), ManUtd (10), Everton (7).
• Abba (16), Beatles (7), AC/DC (7), Oasis (3) and TheWho (2).
• Thomas (66), Toni (60), Charlie (58), Jake (52) and Britney, surprisingly, only once.
• Ford (75), Honda (74), Audi (43), Toyota (12), and Nissan (12).

The Bottom Line

• Use pass phrases. 
• Don't re-use passwords on different systems.
• If someone really does have a lot of systems that they need to remember passwords a for, using a password manager will transform their user experience. Talk to us and we'll show you how.

And if a Chelsea supporter arrives at your premises for an interview in a Ford, with Abba blaring out, and they have children called Thomas, Toni and Charlie, you probably don't want to employ them. Or employ them but keep them away from your network.