The new year usually brings new intentions and often changes to old habits. But it seems that old habits die hard, especially when it comes to changing our passwords. According to SplashData’s list of the worst passwords of 2015, it’s the same old story. Highlighting the insecure habits of users, once again ‘123456’ and ‘password’ rank as the most commonly used passwords — just as they have since the company’s first list in 2011.
It seems incredible that people continue to put themselves and their personal data at risk, especially after a year of increasingly high profile attacks on consumer sites like TalkTalk and Ashley Madison.
Apparently some new and longer passwords made their debut on the list, which is compiled from more than 2 million leaked passwords during the year, suggesting that some, at least, are trying to be more secure. But simply adding digits — so 123456 has evolved to 1234567890 — to make them longer is pointless. Almost as pointless as changing the ever-popular ‘password’ to ‘passw0rd’ (with a zero replacing the ‘o’).
The UK Government realised last year that good password hygiene is now fundamental for businesses, launching its ‘Password Guidance’ to help systems administrators responsible for determining password policy. The guidelines provide advice to help reduce the pressure on users, such as generating appropriate passwords and coping with password overload.
But as the SplashData report illustrates, and as accountancy firm KPMG reiterated at the start of the year, passwords are broken. KPMG went as far as to say that passwords are “one of the weakest links in our security chain” and this is no exaggeration.
We know that passwords are fundamentally weak, easy to hack, and as Centrify’s own ‘password rage’ survey showed last year, the cause of extreme frustration. We are being forced to come up with increasingly complex, long and sophisticated passwords to get into our online accounts, while at the same time, trying to avoid the temptation and risk of using the same ones time and time again.
With Mobile World Congress coming up at the end of the month, we can expect to see security high up on the agenda when it comes to taking advantage of mobile technologies. Using passwords on mobile devices is neither practical, nor popular and further complicating that process with overly long and complex passwords will simply turn users off — and may ultimately impact the use of business applications on mobile devices. Rather than complicating matters, we need to enable organisations to use mobile devices productively and easily — by taking care of both the user and the device — without compromising on security.
Could 2016 be the year when we make real progress in changing the way we use and work with passwords? It’s unrealistic to predict the demise of the password, and it will be some time before they are consigned to the ‘has been’ bin of security, but as we continue to bang the drum about more secure authentication methods, like multi-factor authentication, context-based authentication and biometrics, we could actually see real progress in the next 12 months.
For more information on the evolving risk landscape, view the on-demand webcast, Trends Disrupting the Security Market featuring IDC’s Rob Westervelt and Centrify’s Cathy Lemeshewsky.