Bekker's Blog


More Evidence that Users Pick Terrible Passwords

Looking at two recent security studies together, one thing stands out. End users expect Web sites to keep their accounts secure, but they are overwhelmingly unwilling to help defend themselves by logging in with decent passwords.

The new data comes from an analysis by Keeper Security of 10 million passwords that were newly exposed through data breaches in 2016 and from a large-scale international survey conducted by Gemalto.

The Gemalto survey of 9,000 consumers shows that users are appropriately wary about their security. Nearly 60 percent believed social media networks posed a great risk, more than a third thought online or mobile banking left them vulnerable to cybercriminals, and nearly 60 percent believed they'd be the victim of a breach at some point.

Yet when it comes down to responsibility for protecting and securing customer data, respondents said 70 percent of the responsibility lies with the company and 30 percent lies with themselves.

The Keeper Security analysis of passwords revealed in 2016 confirms that the attitudes that emerged in that survey are backed up by real end-user behavior. The most popular passwords were jaw-droppingly horrible, even after years of media attention to passwords, data breaches and security problems. The top five were:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111

"Looking at the list of 2016's most common passwords, we couldn't stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with '123456,'" wrote Darren Guccione, co-founder and CEO of Keeper Security, in a blog post about the results. The top 25 most common passwords accounted for more than 50 percent of the passwords in the breaches.

Like the users in the Gemalto survey, the companies behind both surveys fault the Web sites more than the end users for the problems.

"We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it's in the user's best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn't hard to do, but the list makes it clear that many still don't bother," Guccione wrote.
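As an added illustration (not code from the post, Keeper Security or Gemalto), here is the kind of basic server-side check Guccione is talking about: a denylist seeded with the post's top-five list, a minimum length, and rejection of the repeated-digit, sequential and keyboard-walk patterns that dominate the breach data. The `top_n_share` helper shows how a "17 percent use '123456'" figure is derived from a frequency table; the denylist additions and the sample counts are constructed.

```python
"""Basic password-policy checks of the sort the post says site owners
fail to enforce. Added example; denylist seeded from the post's top five."""

# The five most common 2016 passwords quoted in the post, plus two
# constructed entries standing in for a site's own breach-corpus additions.
DENYLIST = {"123456", "123456789", "qwerty", "12345678", "111111",
            "password", "letmein"}
MIN_LENGTH = 12  # assumed policy value; not from the post
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_sequential(pw: str) -> bool:
    """True if every adjacent pair steps by +1 or -1 in code point
    ('123456', 'abcdef', '654321')."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_walk(pw: str) -> bool:
    """True if the password is a contiguous run along one keyboard row."""
    low = pw.lower()
    return len(low) >= 3 and any(low in row or low in row[::-1]
                                 for row in KEYBOARD_ROWS)


def check_password(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means accepted."""
    problems = []
    if pw.lower() in DENYLIST:
        problems.append("on denylist of known-breached passwords")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if is_sequential(pw):
        problems.append("sequential characters")
    if is_keyboard_walk(pw):
        problems.append("keyboard-row walk")
    return problems


def top_n_share(counts: dict, n: int) -> float:
    """Fraction of all occurrences taken by the n most frequent passwords,
    which is how the post's '17 percent' and 'top 25 > 50 percent' figures
    are obtained from a breach corpus."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:n]
    return sum(top) / total if total else 0.0


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "111111", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
    sample = {"123456": 17, "qwerty": 2, "s0me-long-passphrase!": 1}  # constructed
    print("top-1 share:", top_n_share(sample, 1))
```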

There's certainly something to blaming the Web site companies. First, they know better. Second, when attackers sweep up millions of passwords in a big breach, they get the great passwords along with the crappy ones. But the fact that a company isn't doing what is necessary to protect you is no reason not to defend your own account at all. It's like arguing that because it's a country's responsibility to field an army to defend the borders against foreign invaders, individuals don't need to lock their doors against local burglars.

These new studies underscore that if part of your business involves securing customers' environments, relying on their end users in any way to secure their own accounts with voluntarily chosen strong passwords is an enormous mistake.

Posted by Scott Bekker on January 18, 2017 at 1:32 PM
