Bekker's Blog


More Evidence that Users Pick Terrible Passwords

Looking at two recent security studies together, one thing stands out. End users expect Web sites to keep their accounts secure, but they are overwhelmingly unwilling to help defend themselves by logging in with decent passwords.

The new data comes from an analysis by Keeper Security of 10 million passwords that were newly exposed through data breaches in 2016 and from a large-scale international survey conducted by Gemalto.

The Gemalto survey of 9,000 consumers shows that users are appropriately wary about their security. Nearly 60 percent believed social media networks posed a great risk, more than a third thought online or mobile banking left them vulnerable to cybercriminals, and nearly 60 percent believed they'd be the victim of a breach at some point.

Yet when it comes down to responsibility for protecting and securing customer data, respondents said 70 percent of the responsibility lies with the company and 30 percent lies with themselves.

The Keeper Security analysis of passwords exposed in 2016 confirms that the attitudes in that survey are matched by real end-user behavior. After years of media attention to passwords, data breaches and security problems, the most popular passwords were still jaw-droppingly bad. The top five were:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111

"Looking at the list of 2016's most common passwords, we couldn't stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with '123456,'" wrote Darren Guccione, co-founder and CEO of Keeper Security, in a blog post about the results. The top 25 most common passwords accounted for more than 50 percent of the passwords in the breaches.

Like the users in the Gemalto survey, the companies behind both studies fault the Web sites more than the end users for the problems.

"We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it's in the user's best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn't hard to do, but the list makes it clear that many still don't bother," Guccione wrote.

There's certainly something to blaming the Web site companies. First, they know better. Second, when attackers sweep up millions of passwords in a big breach, they get the great passwords along with the crappy ones. But the fact that a company isn't doing what is necessary to protect you is no reason not to defend your own account at all. It's like arguing that because it's a country's responsibility to field an army to defend the borders against foreign invaders, individuals don't need to lock their doors against local burglars.
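Guccione's point that enforcing a basic policy "isn't hard to do" is worth making concrete. The following is an added example, not code from Keeper Security, Gemalto or this blog: a server-side screening function that rejects a candidate password if it appears on a denylist of known-breached passwords, is too short, repeats one character, or contains the username. The denylist is constructed here from the five passwords listed above; a real deployment would load a full breach corpus. The minimum length of 8 is an assumed policy value, and all function and constant names are this example's own.

```python
"""Server-side password screening against a breached-password denylist.

Added example; not code from Keeper Security, Gemalto or the blog post.
The denylist is constructed from the five passwords the post lists.
"""
import unicodedata

# Constructed sample: the five most common passwords in Keeper's 2016 list.
# A production denylist would hold millions of entries loaded from a breach corpus.
TOP_BREACHED_PASSWORDS = {
    "123456",
    "123456789",
    "qwerty",
    "12345678",
    "111111",
}

MIN_LENGTH = 8  # assumed policy value for this example


def normalize(password: str) -> str:
    """Canonicalise before comparing so trivial variants do not slip past the list.

    NFKC folds visually identical Unicode forms; strip() and lower() catch
    "Qwerty " style evasions of an exact-match lookup.
    """
    return unicodedata.normalize("NFKC", password).strip().lower()


def check_password(candidate: str, username: str = "",
                   denylist=TOP_BREACHED_PASSWORDS,
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    norm = normalize(candidate)

    # Length is measured on the raw input so a leading/trailing space still counts.
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Exact match against the normalised denylist catches the top-of-list offenders.
    if norm in denylist:
        problems.append("appears in the breached-password denylist")

    # "1111111111" is not on a short denylist but is no better than "111111".
    if norm and len(set(norm)) == 1:
        problems.append("repeats a single character")

    # Passwords derived from the account name fall to the first targeted guess.
    if username and len(username) >= 3 and normalize(username) in norm:
        problems.append("contains the username")

    return problems


if __name__ == "__main__":
    # Constructed candidates: the kind of input a signup form would receive.
    for user, pw in [("bob", "123456"), ("bob", "Qwerty "),
                     ("alice", "alice2024!!"), ("alice", "correct horse battery staple")]:
        verdict = check_password(pw, username=user)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check runs in constant time per candidate (a set lookup and a few string scans), which is why there is no performance excuse for skipping it at signup or password change. Reject the password and tell the user which rule failed; do not silently accept it and hope for the best.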

These new studies underscore that if part of your business involves securing customers' environments, relying on their end users in any way to secure their own accounts with voluntarily strong passwords is an enormous mistake.

Posted by Scott Bekker on January 18, 2017
