Users with weak passwords are the primary security vulnerability within many organizations' IT infrastructure. Users generally forget passwords unless the password is easy to remember or personally meaningful to them. Choosing passwords this way makes them susceptible to dictionary attacks.
A recent report by the database security company Imperva, based on 32 million passwords exposed in the rockyou.com security breach, has highlighted patterns and the most popular passwords used. The full report is available here.
The Top Ten Common Passwords
The ten most common insecure passwords are:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
Key findings:
- About 30% of users chose passwords of six characters or fewer.
- Moreover, almost 60% of users chose their passwords from a limited set of alphanumeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.
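The three findings above are simple to measure on any list of passwords. The following Python is an added example (not part of the Imperva report or this post) that computes the same three figures over a small constructed sample; the length threshold, the "limited alphanumeric set" (lower-case letters and digits only) and the definition of "trivial" (dictionary word, consecutive digits, adjacent keyboard keys) are assumptions modelled on the wording of the findings, and the tiny `DICTIONARY` set stands in for a real word list.

```python
"""Audit a list of passwords for the three patterns the findings describe:
short length, limited character set, and trivial content.
Added example; the sample data and thresholds below are constructed."""
import string
from collections import Counter

# Constructed sample standing in for a breach dump; not real data.
SAMPLE = [
    "123456", "123456", "12345", "Password", "iloveyou", "qwerty",
    "princess", "abc123", "letmein1", "Tr0ub4dor&3", "correct horse",
    "chris", "123456789", "summer2010", "P@ssw0rd!", "zxcvbn",
]

# Constructed mini word list (names and dictionary words) for the demo.
DICTIONARY = {"password", "iloveyou", "princess", "rockyou", "summer",
              "chris", "letmein", "correct", "horse", "qwerty"}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_short(pw, limit=6):
    """Finding 1: length equal to or below six characters."""
    return len(pw) <= limit


def uses_limited_charset(pw):
    """Finding 2: drawn only from lower-case letters and digits
    (assumed reading of 'a limited set of alpha-numeric characters')."""
    allowed = set(string.ascii_lowercase + string.digits)
    return all(c in allowed for c in pw)


def is_consecutive_digits(pw):
    """e.g. 123456: every digit is one more than the previous one."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    return all(int(b) - int(a) == 1 for a, b in zip(pw, pw[1:]))


def is_keyboard_walk(pw):
    """e.g. qwerty or zxcvbn: a run of adjacent keys on one keyboard row."""
    low = pw.lower()
    return len(low) >= 4 and any(low in row for row in KEYBOARD_ROWS)


def is_trivial(pw):
    """Finding 3: a name/dictionary word (ignoring digits and symbols),
    consecutive digits, or adjacent keyboard keys."""
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    return (letters_only in DICTIONARY
            or is_consecutive_digits(pw)
            or is_keyboard_walk(pw))


def audit(passwords):
    """Return the three percentages plus the single most common password."""
    n = len(passwords)
    counts = Counter(passwords)
    return {
        "short_pct": 100 * sum(map(is_short, passwords)) / n,
        "limited_charset_pct": 100 * sum(map(uses_limited_charset, passwords)) / n,
        "trivial_pct": 100 * sum(map(is_trivial, passwords)) / n,
        "most_common": counts.most_common(1)[0][0],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports 43.75% short, 75% limited-charset and 75% trivial passwords, with "123456" the most common; a real dump of course needs a proper word list and a much larger input.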
The effect on businesses
Even though Microsoft tries to enforce password policies in the design of its Active Directory infrastructure, many IT administrators disable these features at the request of management. This creates a major vulnerability.
In our marketplace, Microsoft Small Business Server is key to many SME network deployments, and features such as Remote Web Workplace, Outlook Web Access and VPN access are enabled for many users.
The flaw in this is that in an SME environment the number of users is small, and usernames are generally easy to guess because many companies use just first names as the username. It is much easier for an attacker to brute-force first-name combinations than the more complex first-name/last-name permutations.
For example, the username “chris” with a password of “123456” or “Password” is going to be very easy to break. If Chris happens to be at director level, there is no end to the information the attacker can access.
Our Recommendations for Usernames
So our recommendation for a business domain is that usernames follow a pattern that is not directly derived from first names: either add a prefix, or base them on first name and last name, which greatly increases the number of possible usernames. If you are signing up to a website that displays a “screen” or “nick” name, ensure it is different from your username.
Our Recommendations for Passwords
Passwords based on your name, your family, or words found in a dictionary are not secure, as these are exactly what simple dictionary attacks try first. Many websites now show a strength scale when you sign up to guide users about their passwords. A password should contain a mix of four different types of characters: upper-case letters, lower-case letters, numbers, and special characters (for example !@#$%^&*,;). If there is only one letter or special character, it should not be either the first or last character in the password.
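The rules in this section can be enforced at sign-up or in a password-reset tool rather than left to the user. The Python below is an added example, not code from this post or from Microsoft or Imperva: it implements exactly the rules stated above (all four character classes present; a class represented by a single letter or special character must not sit at the first or last position) and rejects the ten passwords listed earlier on the page. Treating every character that is not a letter or digit as a "special character" is an assumption, since the text gives its list only as examples; applying the edge-position rule to upper-case, lower-case and special characters but not to digits follows the wording "only one letter or special character".

```python
"""Check a candidate password against the rules given in the text.
Added example; TOP_TEN is the page's list, the rule logic is ours."""
import string

# The ten most common passwords from the page, compared case-insensitively.
TOP_TEN = {"123456", "12345", "123456789", "password", "iloveyou",
           "princess", "rockyou", "1234567", "12345678", "abc123"}

# Insertion order matters only for the order of reported problems.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
}

# Classes to which the "not first or last" rule applies (assumed reading
# of "only one letter or special character").
EDGE_RULE_CLASSES = ("upper", "lower", "special")


def classify(ch):
    """Map a character to upper/lower/digit; anything else counts as
    a special character (assumption: the page's list is illustrative)."""
    for name, members in CLASSES.items():
        if ch in members:
            return name
    return "special"


def check_password(pw):
    """Return a list of rule violations; an empty list means the password
    satisfies every rule stated on the page."""
    problems = []
    if pw.lower() in TOP_TEN:
        problems.append("appears in the top-ten common password list")

    kinds = [classify(c) for c in pw]
    for name in list(CLASSES) + ["special"]:
        positions = [i for i, k in enumerate(kinds) if k == name]
        if not positions:
            problems.append(f"missing {name} character")
        elif (name in EDGE_RULE_CLASSES and len(positions) == 1
              and positions[0] in (0, len(pw) - 1)):
            problems.append(f"the only {name} character is at the start or end")
    return problems


if __name__ == "__main__":
    for candidate in ("Password", "Ab3defg!", "aB3$xyz9"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The function returns reasons rather than a bare yes/no so that a sign-up form can tell the user which rule failed; note that passing these rules says nothing about length, which the earlier findings show matters just as much.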
To sum up: in both business and web environments, design usernames and passwords to increase complexity and reduce the effectiveness of a brute-force attack, and never use one of the passwords listed above.
