Tuesday, January 19, 2016

Top 25 passwords still the main security vulnerability

By Nick Flaherty www.flaherty.co.uk

Despite years of problems, passwords remain the major vulnerability for systems, and that is set to get even worse with the smart home and the Internet of Things. Webcams and other smart devices are frequently compromised through weak passwords.

The latest top 25 passwords from SplashData for 2015 (with each entry's movement compared to 2014) will have you holding your head in amazement and despair for the future of the industry, as it seems only the length of the password is changing:


1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)


"Given all the recent and historical news on data breaches of personal e-mail accounts, social media accounts and even phone account passwords, it is a wonder, therefore, that we are still using password combinations that are incredibly easy to guess," said Richard Cassidy, Technical Director for Europe at Alert Logic. "The challenge is that cyber criminals are well aware that many of their targets still fail to employ a strong password policy, and as such will “pre-load” their dictionary attacks for brute-force access with the combinations listed, which in turn means almost instant access to a substantial number of users' personal data. Passwords such as these are dangerous because they are the first combinations attempted in the arsenal of attackers' brute-force access tools."

"Unfortunately, however, even with complex passwords we are almost fighting a losing battle; this is because cyber criminals can access botnet ecosystems to crack encrypted files or password-protected data (through hashes of the password, or direct brute-force attack) or make use of underground “cracking rigs” that use GPU processors in rigs that can quite literally attempt billions of combinations per second. This means your average 8-character password (mandated by many online systems today) can be cracked in days. A great deal of research has gone into the minimum password length recommended; all users should be choosing passwords of at least 12 characters (alphanumeric with special characters) that are completely random and that would challenge even the most sophisticated decryption rigs for service out there on the cyber criminal underground," he said.

Overall there are two approaches to protecting your data, says Cassidy. The first is protecting access to data stores (e-mail, social media, online file sharing) with passwords of at least 12 characters, and the second is encrypting key data files with strong cipher algorithms.

Part of the challenge is devising and managing passwords, says Andy Green, Technical Specialist at Varonis. “People are bad at coming up with their own passwords," he said. "For convenience, we make them obvious or short or both. Hackers are good, and getting better all the time, at breaking them, either through brute-force guessing or dictionary-style attacks if the hackers have access to the password hash. Keep in mind that a password with only six characters can be one of around 200 billion combinations – not a large number in the current era of big data. By increasing your password by only two characters, you’ve increased the possible combinations to almost a quadrillion – which will result in a serious computation challenge for attackers."

He has some tips. "Sure, you should have at least 8 characters, but better yet use the ‘correct horse battery staple’ method. What’s that? Essentially, it’s a memory trick where each letter of the password represents a word in a story. So ‘I just wrote a comment about passwords for the press’ becomes ‘Ijwacapftp’. That’s an unguessable password for hackers but one that you’ll never forget!”
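To make two of the points above concrete (Cassidy's "pre-loaded" dictionary attack, and the keyspace arithmetic behind his "cracked in days" and Green's "quadrillion combinations"), here is a small added example. It is not code from the article, SplashData, Alert Logic or Varonis. It runs the top-25 list in rank order against a constructed set of unsalted SHA-1 hashes for four hypothetical users, then estimates how long an exhaustive search of 8-character and 12-character passwords would take at an assumed rate of a billion guesses per second; the user names, hashes and that rate are all assumptions made for the example.

```python
import hashlib

# SplashData's 2015 top 25, in the rank order printed above.
TOP25 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]


def sha1_hex(password):
    """Unsalted SHA-1, the kind of hash still found in older breach dumps."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample of a leaked credential table (hypothetical users).
# Three users picked a top-25 password; one picked 12 random characters.
LEAKED_HASHES = {
    "alice": sha1_hex("123456"),
    "bob":   sha1_hex("starwars"),
    "carol": sha1_hex("passw0rd"),
    "dave":  sha1_hex("T7#kq!Lm9wZp"),
}


def dictionary_attack(leaked, wordlist):
    """Try each wordlist entry once, in order, against every hash at once.

    Unsalted hashes mean one SHA-1 per candidate covers the whole dump.
    Returns {user: (password, guess_number)} for every recovered account.
    """
    by_hash = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)  # same hash => same password
    recovered = {}
    for n, candidate in enumerate(wordlist, start=1):
        users = by_hash.get(sha1_hex(candidate))
        if users:
            for user in users:
                recovered[user] = (candidate, n)
        if len(recovered) == len(leaked):
            break
    return recovered


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def days_to_exhaust(length, alphabet_size, guesses_per_second=1e9):
    """Worst-case days to try every password of this length and alphabet.

    1e9 guesses/s is an assumed order of magnitude for a GPU rig against
    unsalted SHA-1; it is not a figure from the article.
    """
    return keyspace(length, alphabet_size) / guesses_per_second / 86400


if __name__ == "__main__":
    hits = dictionary_attack(LEAKED_HASHES, TOP25)
    for user, (pw, n) in sorted(hits.items()):
        print(f"{user}: '{pw}' recovered on guess #{n}")
    missing = sorted(set(LEAKED_HASHES) - set(hits))
    print("not recovered from the list:", ", ".join(missing))
    # Exhaustive search for the two lengths the quotes discuss.
    print(f"8 chars, a-zA-Z0-9 (62):     {days_to_exhaust(8, 62):.1f} days")
    print(f"12 chars, 95 printable ASCII: "
          f"{days_to_exhaust(12, 95) / 365:.2e} years")
```

The three list passwords fall within the first 25 hashes computed, which is what "pre-loading" buys an attacker; the 12-character random password is untouched by the list and, at the assumed rate, exhaustive search over 95 printable characters runs to millions of years, whereas 8 alphanumeric characters take about two and a half days. Salting and a slow password hash (bcrypt, scrypt, Argon2) would change the per-guess cost by orders of magnitude, which the example deliberately leaves out to match the unsalted scenario the quotes describe.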

