Posted on Aug 27, 2018
Take a look at the passwords listed above. Do any of them look familiar? The sad reality is that they might. While overly simple and relatively easy to guess, these were 50 of the most common passwords acquired in a data breach of over 30 million accounts. The 10 most popular options (including “123456” and “123456789”) break a cardinal rule of password setting by not including a combination of letters and numbers.
One of the most common ways hackers gain access to passwords and accounts is called a brute-force attack. This method uses automated software that tries every word in the dictionary and every commonly used password until one works. Using passwords like “123456” or “qwerty” (if a website will let you) isn’t just discouraged, it could be dangerous.
Thankfully, not all websites will allow users to pick passwords like “123456”, even if they wanted to. Google requires its users to create passwords at least eight characters in length that combine letters and numbers. While not required, Google also recommends that users include symbols in their account passwords and avoid using personal info or common words.
But is that enough?
Potentially not. In 2016, Microsoft announced that it saw over 10 million username and password “pair attacks” every single day. As a result of their analysis, they suggested that password reuse should be banned, that longer passwords aren’t always better, and that multi-factor authentication may be necessary to fully secure accounts from compromise.
Even if users are including a mixture of letters, numbers, and symbols in their account passwords, they may still be falling prey to commonly used combinations. This graphic acts as a heat map to identify the characters on the keyboard people reach for the most when building their passwords. Numbers like 0, 1, and 2, as well as symbols like the period, underscore, and at symbol (“@”), are still common and could be easily guessed.
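As an added example (not code from the original post), the Python below applies the password rules the post attributes to Google, rejects the common passwords the post names, and tabulates character frequency over a small sample, which is the table form of the keyboard heat map described above. The blocklist and the sample passwords are constructed for illustration, not real breach data.

```python
import re
from collections import Counter

# Constructed blocklist: the common passwords the post names, plus a few of the
# same kind. A real deployment would load a full breach-derived list.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "12345678"}


def check_password(pw, personal_info=()):
    """Apply the rules the post attributes to Google: at least 8 characters
    mixing letters and numbers (required, plus the blocklist that sites use
    to refuse passwords like 123456); symbols and no personal info
    (recommended). Returns (errors, warnings); empty errors means accepted."""
    errors, warnings = [], []
    if len(pw) < 8:
        errors.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        errors.append("must mix letters and numbers")
    if pw.lower() in COMMON_PASSWORDS:
        errors.append("appears in the common-password blocklist")
    if not re.search(r"[^A-Za-z0-9]", pw):
        warnings.append("no symbol present")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            warnings.append("contains personal info: " + item)
    return errors, warnings


def character_heat_map(passwords):
    """Count every character across a password set: the keyboard heat map the
    post describes, as a table showing which keys a population reaches for."""
    return Counter(ch for pw in passwords for ch in pw)


# Constructed sample of leaked-style passwords (not real breach data).
SAMPLE = ["123456", "password1", "Summer2018!", "qwerty", "john_1990@"]

if __name__ == "__main__":
    for candidate in SAMPLE:
        print(candidate, check_password(candidate, personal_info=("john",)))
    # Over this sample the digit 1 is the most used character, as in the post.
    print(character_heat_map(SAMPLE).most_common(5))
```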