More Evidence that Users Pick Terrible Passwords

Looking at two recent security studies together, one thing stands out. End users expect Web sites to keep their accounts secure, but they are overwhelmingly unwilling to help defend themselves by logging in with decent passwords.

The new data comes from an analysis by Keeper Security of 10 million passwords that were newly exposed through data breaches in 2016 and from a large-scale international survey conducted by Gemalto.

The Gemalto survey of 9,000 consumers shows that users are appropriately wary about their security. Nearly 60 percent believed social media networks posed a great risk, more than a third thought online or mobile banking left them vulnerable to cybercriminals, and nearly 60 percent believed they'd be the victim of a breach at some point.

Yet when it comes down to responsibility for protecting and securing customer data, respondents said 70 percent of the responsibility lies with the company and 30 percent lies with themselves.

The Keeper Security analysis of passwords revealed in 2016 completely confirms that the attitudes that emerged in that survey are backed up by real end-user behavior. The most popular passwords were jaw-droppingly horrible after years of media attention to passwords, data breaches and security problems. The top five were:

• 123456
• 123456789
• qwerty
• 12345678
• 111111

"Looking at the list of 2016's most common passwords, we couldn't stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with '123456,'" wrote Darren Guccione, co-founder and CEO of Keeper Security, in a blog post about the results. The top 25 most common passwords accounted for more than 50 percent of the passwords in the breaches.

Like the users in the Gemalto survey, the companies behind both surveys fault the Web sites more than the end users for the problems.

"We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it's in the user's best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn't hard to do, but the list make it clear that many still don't bother," Guccione wrote.

There's certainly something to blaming the Web site companies. First, they know better. Second, when attackers sweep up millions of passwords in a big breach, they get the great passwords along with the crappy ones. But just because a company isn't doing what is necessary to protect you, is no reason not to defend your own account at all. It's like arguing that because it's a country's responsibility to field an army to defend the borders against foreign invaders, individuals don't need to lock their doors against local burglars.

These new studies underscore that if part of your business involves securing customers' environments, relying on their end users in any way to secure their own accounts with voluntarily strong passwords is an enormous mistake.

Posted by Scott Bekker on January 18, 2017