Millions of people still have pathetically weak, easily hacked passwords
That people are lazy is not news. Ditto the fact that people like to make things as easy for themselves as possible. These two facts do not work well when it comes to security and passwords, as a new study reveals.
Analysis carried out by the UK's National Cyber Security Centre (NCSC) found that huge numbers of people are still -- despite continued advice -- using weak, easy-to-guess passwords to secure their accounts. The most commonly used password on breached accounts was found to be 123456, and there were plenty of others that were similarly insecure. The NCSC, in conjunction with Have I Been Pwned's Troy Hunt, has also published a list of the 100,000 most common passwords globally.
The NCSC conducted its first "UK cyber survey", and it found that an astonishing 23.2 million accounts worldwide that had been hacked used the password 123456. Using data from Have I Been Pwned, it was possible to compile a list of the most commonly used passwords, and the top ten is home to plenty of familiar faces: 123456, 123456789, qwerty, password, 111111, 12345678, abc123, 1234567, password1, 12345.
The reason for publishing the password list is not (merely) to highlight that people can be stupid when it comes to security, but also to serve as a warning. The NCSC suggests taking a browse through the 100,000 entries and says: "If you see a password that you use in this list you should change it immediately".
In a blog post about the password list, the NCSC answers some questions:
Does releasing breached passwords help criminals?
These passwords are already in the public domain. By building awareness of how attackers use passwords obtained from breaches, we can make it harder for those attackers, and help you to reduce the risk to your customers or employees.
Why not use an existing list of breached passwords?
Through our collaboration with Troy, we can provide the most up-to-date list that's backed by a data source that the NCSC has confidence in. We can also refer to it across our NCSC guidance.
However, there will be other passwords that are more specific (such as employees in an organisation using the company name in their password) or time limited ('Spring2019', etc.) that will rarely be in a global breach list, but that attackers may still try to use. This list isn't going to be the be all and end all of blacklists, but it should provide you with a good starting point.
Developers and sysadmins are advised to make use of the list to encourage users to create stronger passwords, with the suggestion being that passwords from the list should be blocked.
So, what's the best way to create a strong password that remains easy to remember? The NCSC suggests simply using three random words -- hard to guess, but difficult to forget.
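The two pieces of advice above, blocking passwords that appear in the breached list (including the organisation-name and season-plus-year patterns the NCSC says a global list will miss) and generating a three-random-words passphrase, can both be put into code. The following is an added example written for this article; it is not NCSC, Have I Been Pwned or betanews code. It assumes the published list is a plain text file with one password per line; a small constructed excerpt of the top ten named above stands in for the 100,000-entry file, and the word list is likewise a constructed stand-in.

```python
"""Breached-password deny-list check and three-random-words suggestion.

Added example for the NCSC password-list article; not code from the NCSC.
Assumes the breached list is one password per line (constructed excerpt below).
"""
import math
import re
import secrets
from datetime import date

# Constructed excerpt of the top-10 passwords the article names. The real
# 100,000-entry file would be read with open(...).read() and passed to
# load_deny_list() in the same way.
SAMPLE_DENY_LIST = """123456
123456789
qwerty
password
111111
12345678
abc123
1234567
password1
12345
"""

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# Try the four-digit form first so 'spring2019' is not cut to 'spring20'.
_SEASON_RE = re.compile(r"^(" + "|".join(SEASONS) + r")(\d{4}|\d{2})[\W_]*$")


def load_deny_list(text):
    """Lower-case every entry so 'Password' and 'PASSWORD' are also rejected."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def strip_decorations(pw):
    """Drop trailing digits and symbols so 'Password1!' maps to 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw, deny, org_names=(), today=None):
    """Return the list of reasons the password is rejected; empty means OK.

    deny      - set produced by load_deny_list()
    org_names - organisation names that must not appear in a password
    today     - reference date for the season-plus-year check (defaults to now)
    """
    today = today or date.today()
    reasons = []
    low = pw.lower()
    # Exact match, or match once trailing '1', '!', '2019' etc. are removed.
    if low in deny or strip_decorations(pw) in deny:
        reasons.append("appears in breached-password list")
    for name in org_names:
        if name.lower() in low:
            reasons.append(f"contains organisation name '{name}'")
    m = _SEASON_RE.match(low)
    if m:
        year = int(m.group(2))
        if year < 100:          # 'Winter19' -> 2019
            year += 2000
        if abs(year - today.year) <= 2:
            reasons.append("season-plus-year pattern")
    return reasons


def three_random_words(words, count=3):
    """Pick `count` words with the OS CSPRNG, as the NCSC's three-words advice."""
    return tuple(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(n_words, count=3):
    """Entropy of `count` words drawn uniformly from a list of n_words entries."""
    return count * math.log2(n_words)


if __name__ == "__main__":
    deny = load_deny_list(SAMPLE_DENY_LIST)
    for candidate in ("123456", "Password1!", "Spring2019", "AcmeCorp2019"):
        print(candidate, "->", check_password(candidate, deny, org_names=("Acme",)) or "ok")
    # Constructed stand-in word list; a real list would have thousands of words.
    words = ["harbour", "violet", "kettle", "mountain", "pencil", "ocean", "window", "maple"]
    print(" ".join(three_random_words(words)))
```

The deny-list membership test is O(1) per password, so checking against the full 100,000-entry file at registration or password-change time costs nothing noticeable; the organisation-name and season checks are the extra layer the NCSC says a global list cannot provide.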