... At least according to a recent report posted by the password manager firm NordPass.
NordPass's 2024 Top 200 Most Commonly Used Passwords list reflects the sad truth that many people don't take password security seriously and believe strings like "123456" are acceptable. Then some figure, "Hey, the bad guys will never guess it if I add a few more digits," and use "123456789". Finally, there are those who seemingly gave up all hope and used "password".
For the record, NordPass listed these as the first, second, and fourth most used passwords. Surprise, surprise, "12345678" was third. NordPass noted that an attacker could guess or brute-force each of the top 27 passwords on its list in under a second.
NordPass culled this data from a 2.5TB database compiled from various publicly available sources, including those on the dark web. No personal data was acquired or purchased to conduct this study. The credentials, covering 44 countries, had been stolen by attackers via malware or exposed in data leaks.
Sorry for the unusual level of sarcasm, but it's hard to write this without rolling one's eyes at how easy some people make it for cybercriminals to steal their data and possibly gain access to their employer, jeopardizing their jobs and their clients.
Poor password hygiene choices are particularly scary, considering that NordPass noted the top 10 most common personal and corporate passwords are nearly identical.
Even worse, this situation is not improving.
"After analyzing 6 years' worth of data, we can say there hasn't been much improvement in people's password habits. So, despite many organizations' efforts to spread awareness, the problem is still as prevalent as ever," the company said.
Trustwave and NordPass each offer simple advice anyone can follow to instantly improve their cybersecurity posture.
The most obvious solution is to increase a password's length and complexity. Trustwave researchers noted that a password of only eight characters can be cracked in just one day using brute-force techniques and tools, while increasing the length to 10 characters pushes the cracking time to hundreds of years. Adding complexity, meaning symbols, numbers, and a mix of uppercase and lowercase letters, enlarges the space an attacker has to search and makes the password even harder to crack. Keep in mind that such figures assume a particular hash algorithm and attacker hardware: an unsalted fast hash such as MD5 or NTLM can be attacked at billions of guesses per second on commodity GPUs, whereas a slow password hash like bcrypt or Argon2 cuts that rate by several orders of magnitude.
We know it's not easy to remember "dlkjskljfo8w!$^@@" as a password, so make it easier on yourself and embrace passphrases. A passphrase can be a favorite song lyric, a historical quote, or something you say to your kids, like "Rakingleavesbuildscharacter." One caveat: famous lyrics and quotes appear in attackers' cracking wordlists, so pick a phrase that is personal and unlikely to be published anywhere.
If you are not certain your password or phrase is strong, there are checking tools that can be found here and here. According to those tools, it would take centuries to crack our passphrase example.
Next, change passwords whenever there is reason to believe they have been compromised, and never reuse a password across multiple accounts. Many organizations still rotate passwords on a fixed schedule, typically every 60 to 90 days depending on the sensitivity of the account; note, however, that NIST SP 800-63B advises against forcing periodic changes, because users respond with predictable variations of the old password, and instead requires a change when there is evidence of compromise. Reuse is the bigger risk: a password leaked from one site is immediately tried against every other service the victim uses, a technique known as credential stuffing.
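To make the length-versus-complexity discussion above concrete, here is an added example (not code from Trustwave, NordPass, or the strength-checking tools mentioned) that computes the search space, entropy in bits, and worst-case exhaustive-search time for several character sets and lengths. The guess rates are assumed figures for illustration, one for a fast unsalted hash on a GPU rig and one for a deliberately slow password hash; real rates depend on the attacker's hardware and the hash protecting the password.

```python
import math

# Assumed guess rates for illustration only; they are not measured figures.
GUESS_RATES = {
    "fast unsalted hash (MD5/NTLM), GPU rig": 1e10,   # assumed
    "slow password hash (bcrypt, high cost)": 1e4,    # assumed
}

CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper+lower+digits": 62,
    "all printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length and character set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits, assuming every character is chosen uniformly at random."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def strength_table(lengths=(8, 10, 12)) -> list:
    """One row per (character set, length, guess rate) combination."""
    rows = []
    for charset_name, size in CHARSETS.items():
        for length in lengths:
            for rate_name, rate in GUESS_RATES.items():
                rows.append({
                    "charset": charset_name,
                    "length": length,
                    "rate": rate_name,
                    "bits": round(entropy_bits(size, length), 1),
                    "time": humanize(seconds_to_exhaust(size, length, rate)),
                })
    return rows


if __name__ == "__main__":
    for row in strength_table():
        print(f"{row['charset']:20} len={row['length']:2} {row['bits']:5.1f} bits  "
              f"{row['rate']:40} {row['time']}")
    # The article's passphrase, treated naively as 27 characters from a
    # 52-letter alphabet (upper and lower case), at the fast assumed rate:
    print("Rakingleavesbuildscharacter:",
          humanize(seconds_to_exhaust(52, 27, GUESS_RATES["fast unsalted hash (MD5/NTLM), GPU rig"])))
```

Two things the table shows that the prose does not: the same eight printable-ASCII characters that fall in about a week against a fast hash take tens of thousands of years against a slow one, and the naive per-character estimate for a passphrase is wildly optimistic if the attacker guesses at the word level, which is why the phrase should be one no wordlist contains.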
Implement salting and slow hashing. IT administrators should never store passwords in plaintext or as a bare, fast hash such as MD5 or SHA-256. Instead, hash each password with a unique, random salt using a purpose-built password hashing function (Argon2, bcrypt, scrypt, or PBKDF2). The salt, a random value combined with each password before the hash is calculated, ensures that two users with the same password end up with different hashes and defeats precomputed (rainbow table) attacks, while the deliberately slow function limits how many guesses per second an attacker can make against a stolen database.
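The following is an added example (not Trustwave's or NordPass's code) of the salted, slow hashing described above, using PBKDF2-HMAC-SHA256 from the Python standard library next to the weak unsalted-SHA-256 approach it replaces. The record format, the iteration count, and the two sample users are choices made for this example; the iteration count follows OWASP's current recommendation for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Cost parameter: OWASP's Password Storage Cheat Sheet recommends 600,000
# iterations for PBKDF2-HMAC-SHA256. Higher is safer but slower to verify.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak way: one fast hash, no salt. Identical passwords collide, and
    the digest can be looked up in precomputed (rainbow) tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt is drawn on every call, so hashing the same password
    twice yields two different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so timing does not leak how much matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False  # unknown or downgraded algorithm tag
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample: two users who chose the same (bad) password.
    users = {"alice": "password", "bob": "password"}
    print("unsalted SHA-256 (identical):")
    for user, pw in users.items():
        print(f"  {user}: {unsalted_sha256(pw)}")
    print("salted PBKDF2 (different salts, different hashes):")
    records = {user: hash_password(pw) for user, pw in users.items()}
    for user, record in records.items():
        print(f"  {user}: {record}")
    print("alice logs in with 'password':", verify_password("password", records["alice"]))
    print("bob logs in with 'Password': ", verify_password("Password", records["bob"]))
```

Storing the algorithm and iteration count alongside the hash is what lets you raise the cost later and rehash each user transparently at their next successful login.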
As noted earlier, people tend to use the same passwords on their personal and work accounts. The good news is that an employer can enforce strong password policies. These policies should include length and complexity requirements and should reject passwords that contain information about the company itself, such as its name or products, that would make them easy to guess, "Nike12345" being the classic example.
Companies should regularly perform password audits to identify weak links within their systems, for example by running a cracking tool against their own password hashes with a wordlist of common and previously leaked passwords. Attackers often target non-tech-savvy users as vulnerable points of entry, and identifying and addressing these weak links enhances the organization's overall cyber defense posture.
In addition to audits, organizations and individuals can check whether their email address or credentials have appeared in a known breach by using sites such as https://haveibeenpwned.com/. Its Pwned Passwords service also lets you check a password against hundreds of millions of leaked ones without ever sending the password itself, which makes it suitable for blocking known-breached passwords at account creation.
Finally, and most importantly, everyone should use multi-factor authentication (MFA). MFA adds a layer of defense by requiring a second form of verification alongside the password, such as a hardware token, an authenticator-app code, or a code sent to the user's phone, so a stolen password alone is not enough to log in. Not all factors are equal: SMS codes can be intercepted through SIM swapping, and one-time codes of any kind can be phished in real time, so where possible prefer phishing-resistant methods such as FIDO2 security keys or passkeys.
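As an added example of the policy enforcement and audit checks described in the two paragraphs above (not Trustwave's or NordPass's own tooling), the following checker rejects short passwords, passwords on a denylist, and passwords containing company-specific terms. The denylist is constructed from the NordPass entries named earlier plus a few obvious neighbours, the company terms are a hypothetical "Nike" employer, and the minimum length and the leet-speak substitution table are choices made for this example; a real deployment would load a large leaked-password list instead.

```python
import re

# Constructed denylist: entries from the NordPass list above plus common neighbours.
DENYLIST = ("123456", "123456789", "12345678", "password", "qwerty",
            "111111", "letmein", "welcome", "admin")

# Hypothetical employer-specific terms that must not appear in a password.
COMPANY_TERMS = ("nike", "swoosh", "justdoit")

MIN_LENGTH = 12

# Common "leet" substitutions, so that P@ssw0rd normalises to password and
# N1k3 normalises to nike before the denylist and company-term checks run.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions."""
    return password.lower().translate(LEET)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_policy(password: str) -> list:
    """Return the list of policy violations; empty means acceptable."""
    problems = []
    # Check both the raw lower-cased form (so "123456" still matches) and the
    # de-leeted form (so "P@ssw0rd" matches "password").
    variants = (password.lower(), normalize(password))
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 2:
        problems.append("uses only one character class")
    if any(entry in v for entry in DENYLIST for v in variants):
        problems.append("is a well-known password")
    for term in COMPANY_TERMS:
        if any(term in v for v in variants):
            problems.append(f"contains company term '{term}'")
    return problems


def audit(candidates: list) -> dict:
    """Audit helper: map each candidate to its violations, for a report."""
    return {pw: check_policy(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample of passwords an audit might surface.
    sample = ["Nike12345", "123456789", "P@ssw0rd2024!", "N1k3Runner$2024",
              "Rakingleavesbuildscharacter"]
    for pw, problems in audit(sample).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{pw:30} {status}")
```

The de-leeting step matters in practice: a naive substring match on "nike" would pass "N1k3Runner$2024", and a naive denylist lookup would pass "P@ssw0rd2024!", both of which cracking tools try early via rule-based mangling.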
While the state of password security remains concerning, as we have noted, there are practical steps to take to protect ourselves and our organizations. By adopting stronger, more complex passwords, utilizing passphrases, changing passwords regularly, implementing robust corporate policies, and enabling MFA, we can significantly enhance our defenses against cyber threats. Taking these measures not only safeguards personal information but also protects the integrity of corporate systems, ensuring a more secure digital environment for everyone.