Millions of people globally leave themselves open to fraud and identity theft for a very simple reason – they choose weak passwords when surfing the web.
Last year, a team of security researchers trawling the dark web assembled a three-terabyte file of passwords that had been stolen in hacking attacks and data breaches.
The resulting list of the 200 most common passwords they found came as no surprise to behaviour experts, or anyone who has racked their brain to come up with a memorable password to log into an app or website.
The most commonly chosen password in 2022 was ‘password’, which was identified 4.9 million times, followed by ‘123456’, with ‘123456789’ in third place. Gender and nationality made no difference. Since the first websites appeared asking for log-in details, many of us have lazily selected from the same narrow range of weak passwords. Cybercriminals celebrate our lackadaisical approach to security.
The password list, published by NordPass, a developer of password manager software that allows you to automatically enter a complex password into websites and apps for greater security, also estimated how long it would take hackers to guess the passwords to gain unauthorised access to an account.
For the vast majority of passwords, the exploitation time was less than one second. Hackers will typically steal or guess a list of account usernames for an online service and then employ a ‘password spraying’ tool to automatically enter common passwords to try to gain access. If they have their heart set on exploiting a single, high-value account, they’ll attempt a brute force attack, repeatedly trying different passwords in the hope of correctly entering a weak passphrase.
Weak passwords are still the root cause of data breaches. With most large websites now deploying tools to block automated password-cracking attempts, hackers have turned to social engineering techniques – so-called ‘phishing’ attacks – to try to get us to volunteer our passwords.
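The difference between a ‘password spraying’ run and a brute force attack shows up clearly in a site’s own failed-login records: a spray touches many accounts a few times each, while a brute force attack hammers one account. The Go program below is an added example (not from the article or from any vendor named in it) that reads a constructed sample of authentication events and labels each source address using two assumed thresholds, five targeted accounts for a spray and five failures on one account for brute force.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of authentication events for the demonstration (not real
// log data). One event per line: "<time> <source_ip> <result> <username>".
const sampleLog = `2022-11-01T09:00:01 203.0.113.5 FAIL alice
2022-11-01T09:00:02 203.0.113.5 FAIL bob
2022-11-01T09:00:03 203.0.113.5 FAIL carol
2022-11-01T09:00:04 203.0.113.5 FAIL dave
2022-11-01T09:00:05 203.0.113.5 FAIL erin
2022-11-01T09:00:06 203.0.113.5 FAIL frank
2022-11-01T09:00:07 203.0.113.5 OK frank
2022-11-01T09:01:00 198.51.100.7 FAIL alice
2022-11-01T09:01:01 198.51.100.7 FAIL alice
2022-11-01T09:01:02 198.51.100.7 FAIL alice
2022-11-01T09:01:03 198.51.100.7 FAIL alice
2022-11-01T09:01:04 198.51.100.7 FAIL alice
2022-11-01T09:01:05 198.51.100.7 FAIL alice
2022-11-01T09:01:06 198.51.100.7 FAIL alice
2022-11-01T09:01:07 198.51.100.7 FAIL alice
2022-11-01T09:02:00 192.0.2.9 FAIL bob
2022-11-01T09:02:10 192.0.2.9 OK bob`

type authEvent struct {
	sourceIP string
	result   string
	user     string
}

// parseAuthLog turns the raw text into events, skipping malformed lines.
func parseAuthLog(raw string) []authEvent {
	var events []authEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		events = append(events, authEvent{sourceIP: f[1], result: f[2], user: f[3]})
	}
	return events
}

// sourceStats describes the failed attempts seen from one source IP.
type sourceStats struct {
	failures      int // total failed attempts
	distinctUsers int // how many different accounts were targeted
	maxPerUser    int // most failures against any single account
}

// summarise aggregates failed attempts per source IP.
func summarise(events []authEvent) map[string]sourceStats {
	perUser := map[string]map[string]int{}
	for _, e := range events {
		if e.result != "FAIL" {
			continue
		}
		if perUser[e.sourceIP] == nil {
			perUser[e.sourceIP] = map[string]int{}
		}
		perUser[e.sourceIP][e.user]++
	}
	stats := map[string]sourceStats{}
	for ip, users := range perUser {
		s := sourceStats{distinctUsers: len(users)}
		for _, n := range users {
			s.failures += n
			if n > s.maxPerUser {
				s.maxPerUser = n
			}
		}
		stats[ip] = s
	}
	return stats
}

// classify labels a source "spray" when its failures are spread across at
// least sprayUsers accounts, "brute-force" when at least bruteAttempts pile
// up on a single account, and "" when neither threshold is reached.
func classify(s sourceStats, sprayUsers, bruteAttempts int) string {
	switch {
	case s.distinctUsers >= sprayUsers:
		return "spray"
	case s.maxPerUser >= bruteAttempts:
		return "brute-force"
	}
	return ""
}

func main() {
	stats := summarise(parseAuthLog(sampleLog))
	ips := make([]string, 0, len(stats))
	for ip := range stats {
		ips = append(ips, ip)
	}
	sort.Strings(ips)
	for _, ip := range ips {
		s := stats[ip]
		fmt.Printf("%-14s failures=%d users=%d max/user=%d -> %q\n",
			ip, s.failures, s.distinctUsers, s.maxPerUser, classify(s, 5, 5))
	}
}
```

Grouping by source address is the simplest cut; a spray run across many addresses stays under the per-address threshold, so a production rule would also count distinct accounts failing inside a short time window regardless of source.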
As old as the Old Testament
Anthropologists don’t know exactly when passwords were first used, but they have cropped up in the historical record over thousands of years. The “shibboleth incident” documented in the Book of Judges, which is included as one of the 24 books of the Old Testament of the Hebrew Bible, tells the story of a legendary battle between the tribes of Gilead and Ephraim north of Jerusalem.
In the confusion of the dusty battle, the Gileadite soldiers issued a challenge to identify their enemies, asking them to say the word “shibboleth”, which they knew the Ephraimites pronounced differently.
One unfortunate Ephraimite didn’t know the password.
“Then said they unto him, ‘Say now Shibboleth’; and he said ‘Sibboleth’; for he could not frame to pronounce it right; then they laid hold on him, and slew him at the fords of the Jordan,” the Book of Judges recounts.
The Rosetta Stone, a fragment of a stone slab dating to 196BC and featuring a decree issued in Memphis, Egypt, was a type of password. Written in three different languages – the widely used Greek, hieroglyphic picture symbols and Demotic, the everyday language of ancient Egypt – the stone was the key to language experts deciphering the hieroglyphs of the pharaohs.
The password was immortalised in literature through the tale of Ali Baba and the Forty Thieves, derived from an Arabic folk tale from One Thousand and One Nights. The story features a sealed cave that can only be opened with the utterance of the password “Open Sesame!”
In the computing world, passwords were first used by Massachusetts Institute of Technology researcher Fernando Corbató in 1960, but remained obscure outside of academic circles for decades. It wasn’t until the mid-nineties and the creation of the Netscape web browser that passwords became widely used in the digital world. Netscape founder Jim Clark came up with the idea of entering a username and password to access websites containing sensitive information.
Since then, passwords have been the default gateway to most online services, which has also seen them become a magnet for hackers and scammers.
CERT NZ, the government agency tasked with cybersecurity, said that reported financial losses from cyber incidents reached a record total of $8.9 million in the three months to September 30. Scams and fraud accounted for the vast majority of that – fake e-commerce websites that take your money but never deliver the goods, or romance scams, which dupe lovestruck victims into transferring money offshore to smooth-talking fraudsters they have never met.
But unauthorised access reports increased by 28 per cent from 2021 and accounted for $734,000 in losses. Many damaging and expensive cybersecurity incidents, for individuals and businesses alike, start with a password being exploited.
“This is a top three issue for me,” says Mark Gorrie, Asia Pacific managing director for Gen Digital, which makes the Norton, Avast and AVG range of cybersecurity and antivirus software products.
“Strong passwords are vital to online security, and even though password managers are available, many still don’t use them.”
An estimated 100 million people are still employing ‘123456’ as the password on at least one of their accounts, according to Gen Digital. Because 86 per cent of people use passwords they have memorised, it’s no surprise that passwords lack complexity and variety. With many web users also using the same password for multiple accounts, hackers armed with a user’s ID or social media handle can have a crack at accessing commonly used online services.
The likes of Gmail, Apple’s iCloud and Microsoft Office 365 try to combat weak password security by forcing you to choose a complex and hard-to-remember password – and prompt you to change it regularly.
“But even when meeting these requirements people’s passwords can still pose a risk, as they may be used across multiple sites or include things like personally identifying details,” says Gorrie.
“Website protections can’t identify these kinds of weaknesses. Password managers and random password generators help. It’s a human issue.”
My own password manager lists 273 passwords for websites and apps stored on my behalf, only a dozen of which I use on a daily basis. If you counted up your own list, you’d probably be surprised at just how many accounts you have log-in details for.
A password manager is an encrypted digital vault that stores your log-in information. It typically comes with a password generator, which lets you select strong, randomly generated and unique passwords for each account. Credit card information and shipping address details can also be stored securely.
A password manager lets you autofill forms and password fields on websites and apps so you don’t have to remember the complex passwords. You just need to remember the one master password that unlocks your digital vault. If hackers obtain that, they have struck the motherlode. But using a password manager is vastly less risky than coming up with memorable passwords for multiple accounts.
The likes of LastPass, Dashlane and NordPass offer free entry-level password managers, with additional features, such as the ability to generate an unlimited number of passwords and use them on multiple devices, typically costing around $5 per month. Norton Password Manager is included as part of Gen Digital’s cybersecurity packages, such as Norton 360.
The most commonly used password manager is probably Google Password Manager, a rudimentary manager built into Google Chrome, the world’s most popular web browser. It will generate complex passwords and autofill them for you. Logging in with your Google credentials also lets you see all of your stored passwords. Google generally has a good reputation for security, so using Google Password Manager is a safer alternative to remembering passwords. But it has major limitations. It can only be used via the Chrome browser and isn’t compatible with the apps on your phone. A dedicated password manager is worth considering if you have a proliferation of accounts you want to keep track of.
The rise of biometrics
Banks and e-commerce operators, as well as the big digital platforms like Amazon, Apple, Facebook, Microsoft and Google, have attempted to save us from ourselves when it comes to weak passwords with the introduction of two-factor authentication. If they detect that you are logging in on a new device, they’ll ask you to confirm your identity via a second channel, such as entering a code sent to you via text message or responding to an email sent to your primary email address.
“Two-factor authentication [2FA] is a very good technology,” Gorrie says.
“It adds an extra layer of security that cyber thieves can’t easily access, because the criminal needs more than just your username and password. It’s a great way to increase your personal cybersecurity and Kiwis should enable 2FA if they haven’t yet.”
Then there’s the shift away from passwords to biometrics, which has been made ubiquitous by the fingerprint or face scans millions of people use every day to unlock their smartphones. Iris scanning, a more secure form of biometric, is also emerging, as well as other physiological and behavioural identifying techniques. But hackers are already exploiting the weaknesses of biometric locks, says Gorrie.
“Data stored in a biometric database may be more vulnerable than any other kind,” he says.
“You can change a password, but you can’t change your iris. Some kinds of biometric data can also be duplicated. Best practice is combining strong passwords with 2FA and biometrics. Kiwis should layer their protection.”
The password killer
The three big tech providers – Apple, Google and Microsoft – have a plan to do away with passwords entirely. They have jointly developed the Fast Identity Online (FIDO) system which works on the Android and iOS smartphone operating systems, as well as Windows, macOS and the Chrome, Safari and Edge web browsers.
FIDO relies on your smartphone to authenticate your identity instead of asking for a password. You simply unlock your smartphone to log into any website or app. With over 6.6 billion smartphone users, putting the phone at the centre of secure log-ins makes sense. FIDO effectively uses a passkey, which is synced across all of your devices and is used behind the scenes over an encrypted connection.
“These multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password,” says Vasu Jakkal, Microsoft’s vice president of security, compliance, identity and privacy.
“Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.”
FIDO-powered passwordless log-ins are set to roll out in 2023, but require thousands of tech companies to fall in line behind the standard, which may see uneven use of it across the web, at least in the next few years.
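What makes a passkey ‘virtually unable to be phished’ is that the website never holds a secret worth stealing and the phone’s signature is tied to the site it was created for. The Go program below is an added, deliberately simplified model of that exchange (it is not FIDO or WebAuthn code, and the names relyingParty, authenticator and the bank.example addresses are invented for the illustration): the website stores only a public key and issues a random single-use challenge; the phone signs the challenge together with the origin it believes it is talking to; a look-alike site relaying the real challenge gets either no signature at all or one the bank rejects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// relyingParty is the website's side. It stores only public keys, so a breach
// of this table gives an attacker nothing that can produce a valid sign-in.
type relyingParty struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey // account -> registered public key
	pending map[string][]byte            // account -> outstanding challenge
}

func newRelyingParty(origin string) *relyingParty {
	return &relyingParty{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// authenticator stands in for the phone. Each private key is tied to the
// origin it was created for and never leaves the device.
type authenticator struct {
	keys map[string]ed25519.PrivateKey // origin -> private key
}

func newAuthenticator() *authenticator {
	return &authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// register creates a fresh key pair for an origin and hands back only the
// public half for the website to store.
func (a *authenticator) register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[origin] = priv
	return pub
}

// signedData binds the challenge to the origin, so a signature made for one
// site is meaningless at another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// newChallenge issues a random, single-use challenge for an account.
func (rp *relyingParty) newChallenge(account string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[account] = c
	return c
}

// sign answers a challenge for the origin the device believes it is talking
// to. With no credential for that origin there is nothing to sign.
func (a *authenticator) sign(seenOrigin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[seenOrigin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(seenOrigin, challenge)), true
}

// verify checks a signature against the stored public key and the website's
// own origin, then discards the challenge so it cannot be replayed.
func (rp *relyingParty) verify(account string, sig []byte) bool {
	pub, ok := rp.pubKeys[account]
	challenge, pending := rp.pending[account]
	if !ok || !pending {
		return false
	}
	delete(rp.pending, account)
	return ed25519.Verify(pub, signedData(rp.origin, challenge), sig)
}

func main() {
	bank := newRelyingParty("https://bank.example")
	phone := newAuthenticator()
	bank.pubKeys["alice"] = phone.register(bank.origin)

	// Genuine sign-in: the challenge goes to the phone and a signature comes back.
	sig, _ := phone.sign(bank.origin, bank.newChallenge("alice"))
	fmt.Println("genuine sign-in accepted:", bank.verify("alice", sig))

	// Look-alike site relaying the bank's real challenge. Even if the user was
	// tricked into creating a passkey for it, that key and the origin baked into
	// the signature belong to the fake site, so the bank rejects the result.
	phone.register("https://bank-example.invalid")
	relayed, _ := phone.sign("https://bank-example.invalid", bank.newChallenge("alice"))
	fmt.Println("relayed signature accepted:", bank.verify("alice", relayed))
}
```

In the real standard the browser, not the user, supplies the origin to the authenticator, which is why a convincing look-alike page does not help the attacker.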
This means that the temptation to choose a no-brainer password like ‘qwerty’ or ‘guest’ will continue to be too much for a lot of web users. If you do opt to choose your own passwords, Gorrie has some advice for you: “The best passwords use random words mixed with numbers and symbols, upper and lower cases and are at least 8-12 characters long.”
The longer the phrase the better, and don’t use real words found in the dictionary or personal information – hackers are primed to try those combinations first. Use a different password for each account and change them regularly. If you have access to two-factor authentication, make sure it is turned on.
“As far as remembering them goes, use a password manager or vault to store your passwords,” Gorrie suggests. “Then you only have to remember one (until you change it, that is).”
Five tips to avoid weak passwords
1. Use a different password for every online account you create.
2. Try using a password manager, which will store and manage your passwords for you. The password manager will be the only account you need to remember login details for.
3. Think about using a short phrase or add a few random words together to create a passphrase, rather than a password. Passphrases are usually stronger and easier to remember than passwords.
4. You can add a mix of letters, numbers and symbols to make your passphrase more complex, for example ‘Wint3r here 1s warmer than Summ3r’.
5. Review the passwords for some of the accounts you’ve had for a while – they probably have weaker or reused passwords.
– Source: CERT NZ
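Gorrie’s advice and the CERT NZ tips above can be turned into a mechanical check that a sign-up form or password audit could apply. The Go program below is an added example, not code from the article, CERT NZ or Gen Digital: it rejects anything on a (constructed, five-entry) stand-in for a leaked-password list, requires at least 12 characters drawn from three character classes, reports a naive log2(pool) × length bit estimate, and generates a random passphrase from a small constructed wordlist with a cryptographic random number generator. The thresholds and wordlist are assumptions for the illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
	"unicode"
)

// Constructed stand-in for a leaked-password blocklist; a real deployment would
// load a full published list rather than a handful of entries.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "123456789": true, "qwerty": true, "guest": true,
}

// Constructed mini wordlist for the passphrase generator. A real generator
// should draw from a large published list of thousands of words.
var wordlist = []string{"winter", "summer", "warmer", "harbour", "kauri", "glacier", "fern", "tide"}

type report struct {
	blocklisted bool
	length      int
	classes     int     // how many of lower, upper, digit, symbol are present
	bits        float64 // naive log2(pool)*length estimate
	accept      bool
}

// charClasses counts the character classes a password draws on and the
// size of the pool they imply (26 lower, 26 upper, 10 digits, 33 symbols).
func charClasses(pw string) (classes, pool int) {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true // spaces and punctuation count as symbols here
		}
	}
	for _, c := range []struct {
		on bool
		n  int
	}{{lower, 26}, {upper, 26}, {digit, 10}, {symbol, 33}} {
		if c.on {
			classes++
			pool += c.n
		}
	}
	return classes, pool
}

// checkPassword applies the article's rules: reject anything on the leaked
// list, require at least 12 characters and at least three character classes.
func checkPassword(pw string) report {
	r := report{length: len([]rune(pw))}
	r.blocklisted = commonPasswords[strings.ToLower(pw)]
	var pool int
	r.classes, pool = charClasses(pw)
	if pool > 0 {
		r.bits = float64(r.length) * math.Log2(float64(pool))
	}
	r.accept = !r.blocklisted && r.length >= 12 && r.classes >= 3
	return r
}

// generatePassphrase picks words uniformly with a cryptographic RNG; its
// entropy is exactly words*log2(len(list)) bits whatever words come out.
func generatePassphrase(words int, list []string) (string, float64) {
	picked := make([]string, words)
	for i := range picked {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(list))))
		if err != nil {
			panic(err)
		}
		picked[i] = list[idx.Int64()]
	}
	return strings.Join(picked, " "), float64(words) * math.Log2(float64(len(list)))
}

func main() {
	for _, pw := range []string{"password", "Summer2022", "Wint3r here 1s warmer than Summ3r"} {
		r := checkPassword(pw)
		fmt.Printf("%-36q blocklisted=%-5v len=%-2d classes=%d ~%.0f bits accept=%v\n",
			pw, r.blocklisted, r.length, r.classes, r.bits, r.accept)
	}
	phrase, bits := generatePassphrase(4, wordlist)
	fmt.Printf("generated passphrase %q (%.0f bits from a %d-word list)\n", phrase, bits, len(wordlist))
}
```

The bit estimate flatters human-chosen strings built from dictionary words, which is exactly why the blocklist check comes first; for a passphrase produced by the generator the count is exact, and it grows with the size of the wordlist and the number of words rather than with clever substitutions.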