Bekker's Blog

More Evidence that Users Pick Terrible Passwords

Looking at two recent security studies together, one thing stands out. End users expect Web sites to keep their accounts secure, but they are overwhelmingly unwilling to help defend themselves by logging in with decent passwords.

The new data comes from an analysis by Keeper Security of 10 million passwords that were newly exposed through data breaches in 2016 and from a large-scale international survey conducted by Gemalto.

The Gemalto survey of 9,000 consumers shows that users are appropriately wary about their security. Nearly 60 percent believed social media networks posed a great risk, more than a third thought online or mobile banking left them vulnerable to cybercriminals, and nearly 60 percent believed they'd be the victim of a breach at some point.

Yet when it comes down to responsibility for protecting and securing customer data, respondents said 70 percent of the responsibility lies with the company and 30 percent lies with themselves.

The Keeper Security analysis of passwords revealed in 2016 confirms that the attitudes that emerged in that survey are backed up by real end-user behavior. Even after years of media attention to passwords, data breaches and security problems, the most popular passwords were jaw-droppingly horrible. The top five were:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111

"Looking at the list of 2016's most common passwords, we couldn't stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with '123456,'" wrote Darren Guccione, co-founder and CEO of Keeper Security, in a blog post about the results. The top 25 most common passwords accounted for more than 50 percent of the passwords in the breaches.

Like the users in the Gemalto survey, the companies behind both studies fault the Web sites more than the end users for the problems.

"We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it's in the user's best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn't hard to do, but the list makes it clear that many still don't bother," Guccione wrote.

There's certainly something to blaming the Web site companies. First, they know better. Second, when attackers sweep up millions of passwords in a big breach, they get the great passwords along with the crappy ones. But the fact that a company isn't doing what is necessary to protect you is no reason not to defend your own account at all. It's like arguing that because it's a country's responsibility to field an army to defend the borders against foreign invaders, individuals don't need to lock their doors against local burglars.

These new studies underscore that if part of your business involves securing customers' environments, relying on their end users in any way to secure their own accounts with voluntarily strong passwords is an enormous mistake.
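As an added illustration of the "most basic password complexity policies" Guccione refers to, the following Python is not code from this post or from Keeper Security: it rejects the five passwords listed above plus trivial keyboard-row and repeated-character patterns, and measures what share of a breach-style sample such a policy would have turned away. The blocklist, the sample passwords and their counts are constructed for the example, not Keeper's data.

```python
from collections import Counter

# Constructed blocklist seeded with the five most common 2016 passwords
# quoted above. A real deployment loads a much larger breach-derived list.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "12345678", "111111"}

# Keyboard rows used to spot straight runs such as "qwer" or "6543".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` adjacent keys from one keyboard row,
    in ascending or descending order (e.g. 'qwer', '1234', '6543')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw: str, min_len: int = 8) -> list:
    """Return the list of policy violations for pw; empty means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if _has_run(pw):
        problems.append("keyboard/sequence run")
    return problems


def rejection_share(sample: Counter) -> float:
    """Fraction of password occurrences in a {password: count} breach-style
    sample that the policy above would have refused at signup."""
    total = sum(sample.values())
    rejected = sum(n for pw, n in sample.items() if check_password(pw))
    return rejected / total if total else 0.0


# Constructed sample, not Keeper's data; counts are illustrative only.
# "password1" passes this minimal policy, showing why a bigger blocklist helps.
SAMPLE = Counter({"123456": 17, "123456789": 5, "qwerty": 4, "12345678": 3,
                  "111111": 2, "Tr0ub4dor&3": 1, "correct horse staple": 1,
                  "password1": 2})
```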

Posted by Scott Bekker on January 18, 2017
