Weak passwords leave UK businesses at risk of cyberattack
Millions of people and hundreds of thousands of businesses in the UK are using cracked or weak passwords for their online accounts according to new research.
Cybersecurity and data analytics company CybSafe has conducted a blind analysis of the passwords used by over 21,000 staff at a sample group of 250 UK businesses, and finds that three quarters are employing staff with vulnerable password combinations -- either passwords which are too simple, or which have been compromised in previous data breaches.
Comparing passwords from these accounts with data from haveibeenpwned.com -- the data breach tracking website run by security researcher Troy Hunt -- the CybSafe investigation finds that 47 percent of UK businesses are employing staff with exposed passwords.
Oz Alashe, CEO of CybSafe, says:
"The issue of exposed passwords is often not well understood by the general public. There's a fairly common assumption that so long as you're not using a short combination, like '123', and/or an obvious combination, like the name of your child or a favorite football team, that you're therefore safe.
"But complicated doesn't always equal safe. Many don't realize that their passwords have been compromised in old data breaches, and examples of exposed passwords aren’t always obvious. The password 'ji32k7au4a83', for example, may look like a safe and random combination of numbers and letters, but as analysis shows, this password has appeared in over 140 data breaches."
The research examined the prevalence of 'weak passwords', classified as any passwords with an entropy below 60 bits, and finds that 71 percent of companies are employing staff using weak passwords.
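The two checks described above can disagree, which is the point of the 'ji32k7au4a83' example. The following added example (not CybSafe's code or method) runs both against that password. It assumes a simple character-pool entropy estimate, since the article does not say how entropy was measured, and it uses a constructed breach listing in the 'SUFFIX:COUNT' line format that the haveibeenpwned.com password range lookup returns for a five-character SHA-1 prefix, so only that prefix would ever leave the auditing machine.

```python
import hashlib
import math
import string

WEAK_BITS = 60  # the article's threshold: below 60 bits counts as weak

def charset_entropy_bits(password: str) -> float:
    """Assumed estimator: length * log2(size of the character pool in use)."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in password):
            pool += len(cls)
    known = string.ascii_letters + string.digits
    if any(c not in known for c in password):
        pool += len(string.punctuation)  # anything else is treated as a symbol
    return len(password) * math.log2(pool) if pool else 0.0

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, range_body: str) -> int:
    """Find the 35-char hash suffix in a 'SUFFIX:COUNT' listing for its prefix."""
    suffix = sha1_hex(password)[5:]
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def audit(password: str, range_body: str) -> dict:
    bits = charset_entropy_bits(password)
    return {
        "entropy_bits": round(bits, 1),
        "weak": bits < WEAK_BITS,
        "exposed": breach_count(password, range_body) > 0,
    }

def constructed_range(password: str, count: int) -> str:
    """Constructed stand-in for a range listing; decoys and count are made up."""
    decoys = [f"{sha1_hex(f'decoy-{i}')[5:]}:{i + 1}" for i in range(3)]
    return "\r\n".join(decoys + [f"{sha1_hex(password)[5:]}:{count}"])

if __name__ == "__main__":
    # 141 is a constructed count, chosen only to echo the article's "over 140".
    listing = constructed_range("ji32k7au4a83", 141)
    for pw in ("ji32k7au4a83", "football"):
        print(pw, audit(pw, listing))
```

Under this estimator 'ji32k7au4a83' scores about 62 bits and so passes the 60-bit test while still being flagged as exposed, so an audit needs both checks rather than either one alone.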
Following the study, participants were informed if their passwords were found to be weak or exposed. Only two thirds of these decided to change their passwords.
"Using strong, varied passphrases across different accounts is the most effective thing people can do to protect themselves and their company from experiencing a successful cyber attack," adds Alashe. "Leaders need to be thinking about the role that security training and awareness programs can play in encouraging their people to adopt these best practices."