We’ve done it again. According to the list of the worst passwords of 2015 recently published by the developer of security software Splashdata, we have repositioned “123456” at number 1 of the most used passwords in a collected from more than two million list passwords.
At first glance makes you want to take the list to laugh, because I really cannot believe that at this point there are still people using “123456” or “password” as a password to protect important things like email or online access to the bank. But if we look Splashdata reports from other years and analyze a bit the trend, we see the issue is quite serious.
How the list is made
SplashData, creator of SplashID password manager, takes five years developing this annual report. And not fail: every year shows that people, despite the dangers that this entails, continues to use passwords that compromise their online safety.
To get an idea, in a document compiled from the results of these five reports, Splashdata lists some of the trends in passwords. For example, in the US alone, companies lost 37,000 billion on issues related to data breaches in 2015. While both, one third of users use the same password on different websites, and up to 10% using the same for all online services which is registered.
When creating your report, Splashdata obtains data from dumps text in forums and other sites over the past twelve months, obtained through attacks or through security holes in servers. From these data, draws up a list of the 25 most common passwords – which, therefore, are also the worst, because it is never wise to use a password “known”.
The ultimate goal of these annual reports Splashdata is to make users aware of the importance of choosing a secure password, and to use a different one for each site to avoid the “cascade effect” if one of the services we use is the subject an attack. But according to the results, there is still a way to go .
Why are we still using “123456”
The report this year includes “123456”, “password” and “12345678” as the three worst passwords of 2015. The first two have not even changed from last year, where they repeated classification with “12345” as a third classified, and in 2013 the three reoccupied exactly the same three positions this year. In 2012 and 2011, finally, “123456” and “password” simply swapped positions itself as the first and second password list.
That is, for five years these two passwords are consistently the two most used, which is no less worrying because a trend toward improvement is seen. Year after year, we continue to use them, just as easy, as dangerous. And with the amount of news about attacks, password leaks, vulnerabilities, phishing and so on, how can these people their passwords are not taken seriously?
Carlos Roberto and William Julian, two editors with extensive experience in these issues, respond with some clues: “Most users all they want are the convenience of easy to remember addition, many websites ask for a password minimum. 6 to 8 characters, and there ‘123456’ or ‘password’ fit perfectly, “says Carlos. Guillermo adds that “there is no safety awareness, people still think that they are not going to happen.”
Meanwhile, Pablo Gonzalez, Technical Business Manager of Eleven Paths, agrees the comfort factor: “For many users, when a system makes you set a password to protect your digital identity, you are putting on a commitment for this reason many users are looking for simple and easy to remember passwords”
An expert on cybercrime of state security bodies with which we have contacted also defends the theory that the majority of the population lacks sufficient awareness about their Internet security:
As people usually use the computer, mobile phone or tablet at home or in spaces considered safe by extension you believe that use in this context are also safe. If to this we add the ignorance (of the majority) of Internet users how the network operates, it makes people not take it so seriously the security of their devices and computer services as other areas of their life.
Education is the key
We said before that the objective of Splashdata with the publication of this report is to raise awareness, educate and somehow people in the use of strong passwords. And right there, in education, it is where the key is. Roberto Carlos talks even start from childhood, at school, and William Julian mentioned training courses and even advertising campaigns.
The problem is natural human resistance to change, and the user, as Carlos says, “prefer to live in the comfort of the false security of Internet to know that your password can be deciphered in less than ten seconds “( something which, moreover, certainly not known).
In fact, according to Pablo González, “the user only sees the danger when a security incident, such as a digital identity theft, results in something that directly affects“. It is a matter, therefore, be them aware that much of your personal information (name, documents, medical and financial data …) is just a click away, and anyone can get your password can access it. Good to do so, as Paul says, it is to show real examples of such cases.
Another important aspect to consider is the type of user. With access to Internet becoming easier, and the proliferation of connected devices, we found all kinds of people across the keyboard, from children to octogenarians.
Precisely users over 60 years and adolescents are at risk groups according to data from SplashData, something that coincides cybercrime expert we consulted: “Now there are many elderly people and young children using the network, and usually much more confident than others. They are also less worried about security and therefore can become potential victims of all types of computer crime”. They should therefore be the first to receive this much-needed basic training in security issues.
Are there prospects for improvement?
If we look at the five reports SplashData, the first conclusion is quite negative. But there are little things that nourish the hope of increasing safety awareness.
To begin, it is important to consider the percentage of users who use those passwords. According to the data handled Splashdata, of the more than two million users and passwords used to prepare the list of the worst passwords, only 3% of those 25 accounts filtered using passwords list. The percentage is consistent with figures from other years, but the overall trend is downward – that is, more and more people will pass strong passwords.
On the other hand, certain data list of this year suggests that people start to become aware of your online safety. For example, some longer passwords than average (10 characters) debut on the list, but are simply elongated versions of the simplest key (“1234567890” and “qwertyuiop”). In the words of CEO of SplashData, Morgan Slain, “We have seen the efforts of people to use more secure passwords longer making them, but are based on such simple patterns that are just as dangerous.”
Speaking again with Roberto Carlos and William Julian, the conclusions are clear: there are improvements in technology, but it takes more. “Authentication systems in two steps are a step forward,” says Carlos. “The problem is that there is a clash of interests, which interests the services that access is easy, (not so sure) and users do not care.”
Guillermo also mentions the importance of developing new methods of identifying safer, while processes are improved to detect intrusions and mitigate its consequences. In that respect, Carlos speaks of an important point: that of making security systems accessible to everyone, including users most basic level, “Many of the safety systems have to rethink that can be used for all types of users easily, but also with all necessary security measures. In this respect we have worked very little and it seems that the safety systems are designed for expert users, not for everyone.”
In the end, the best solution will be to combine minimal user training with the right tools to protect data on both sides: both the server where they stay, and access to them from our devices. In five years time we using “123456”; we’ll see what 2016 holds for us.