An annual study of the most commonly used passwords has found that “password”, “123456” and “12345678” still top the list, despite years of security experts urging people to replace them with something stronger.
“Just in time for Halloween comes something that might scare anyone who spends a lot of time online: SplashData’s annual list of the most common passwords used on the Internet and posted by hackers,” the researchers said.
“Users of any of these passwords are the most likely to be victims in future breaches.”
The latest list comes following 12 months of high profile hacks that have revealed user passwords.
Yahoo, LinkedIn, eHarmony, and Last.fm have all suffered major breaches.
However, some people have updated their passwords, and the research found new entries on this year’s list, including “welcome”, “jesus”, “ninja”, “mustang” and “password1”.
The firm behind the study, SplashData, warned users to change their password.
“At this time of year, people enjoy focusing on scary costumes, movies and decorations, but those who have been through it can tell you how terrifying it is to have your identity stolen because of a hacked password,” said Morgan Slain, SplashData CEO.
“We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”
SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online by hackers.
The company advises consumers or businesses using any of the passwords on the list to change them immediately.
“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” Morgan Slain said.
“Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”
HOW TO CHOOSE A SAFE PASSWORD
SplashData suggests making passwords more secure with these tips:
• Use passwords of eight characters or more with mixed types of characters, for example “eat cake at 8!” or “car_park_city?”.
• Avoid using the same username/password combination for multiple websites.
• Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services.
MOST COMMON PASSWORDS
The Worst Passwords of 2012, including their current ranking and any changes from the 2011 list:
1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
Source: SplashData
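The practical use of a list like this is as a blocklist in a password policy. The check below is an added example, not SplashData’s code: it takes the 25 entries printed above together with the two tips in the previous section (eight characters or more, mixed character types) and rejects candidates that match a listed password after lower-casing, after stripping a short trailing run of digits or symbols (“Mustang2012”), and after undoing the usual letter-for-symbol substitutions (“P@ssw0rd”). The substitution table and the four-character trailing-run limit are this example’s own assumptions.

```python
import re

# The 25 entries of SplashData's 2012 list as printed above.
WORST_2012 = [
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
]
BLOCKLIST = frozenset(WORST_2012)

# Assumed substitution table for the usual "l33t" dodges (p@ssw0rd, mu$tang).
# Illustrative only; a production table would be longer and data-driven.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t"})
# Up to four trailing digits or symbols (mustang2012, welcome!, ninja99).
TRAILING = re.compile(r"[\d\W_]{1,4}$")


def candidate_forms(pw: str) -> list[str]:
    """Variants of pw to compare against the blocklist, most literal first.

    Lower-case it, also try it with a short trailing digit/symbol run removed,
    then try each of those with the substitution table undone.
    """
    lowered = pw.lower()
    ordered = [lowered, TRAILING.sub("", lowered)]
    ordered += [f.translate(LEET) for f in ordered]
    forms: list[str] = []
    for f in ordered:                      # de-duplicate, keep order, drop ""
        if f and f not in forms:
            forms.append(f)
    return forms


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason) under the blocklist plus the two tips above."""
    for form in candidate_forms(pw):
        if form in BLOCKLIST:
            return False, f"too close to common password '{form}'"
    if len(pw) < 8:
        return False, "fewer than 8 characters"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2:
        return False, "only one type of character"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password1", "Mustang2012", "P@ssw0rd!", "abcdefgh",
               "eat cake at 8!", "car_park_city?"):
        print(f"{pw!r:18} -> {check_password(pw)}")
```

Both of SplashData’s own examples pass; the normalisation step is what catches the variants that a naive exact-match blocklist misses.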
A product that scrambles and then splits users’ passwords in two before storing them on different computer servers has been unveiled by RSA.
The security firm says the facility offers better protection against hackers, who would only gain access to half a “randomized” password in the case of a successful attack.
RSA said the idea had been discussed by academics for some time.
However, one expert said it would only prevent a minority of attacks.
RSA’s distributed credential protection (DCP) facility was announced at the company’s annual European Conference in London.
“DCP scrambles, randomizes and splits sensitive credentials, passwords and PINs and the answers to life or challenge questions into two locations,” said the firm’s marketing manager Liz Robinson.
“This is especially important in today’s landscape as we’ve seen over 50 million passwords stolen in large data breaches in 2012 alone.”
LinkedIn’s leak of 6.5 million passwords, Yahoo’s loss of more than 450,000 usernames and passwords, and dating site eHarmony’s exposure of 1.5 million passwords are among this year’s highest profile cases.
In the case of LinkedIn and eHarmony, the leaked files held password hashes rather than plaintext (unsalted SHA-1 and MD5 respectively), so the hackers had to crack them before they could be used; unsalted fast hashes of common passwords such as those listed above fall to dictionary attacks in minutes.
RSA aims to offer an extra level of protection by allowing its customers to re-randomize and re-split log-in data if they suspect a breach.
So, unless hackers manage to break into both associated servers before this step is taken, they would be unable to marry up and unscramble stolen information.
All of this would be behind the scenes, and a user logging into a site would still only have to type a single username and password into the appropriate interface.
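The split-and-refresh idea described above, as an added illustration that is not RSA’s DCP code (the article does not describe the product’s internals): a salted password verifier is XOR-split into two shares held by two separate stores; a login is checked by passing a randomly masked value through both stores in turn, so neither store ever receives the password, the verifier or the other share; and both shares can be re-randomized together so that a copy stolen earlier from one store no longer combines with anything. The `ShareServer` and `FrontEnd` classes, the PBKDF2 verifier and the low iteration count are this example’s own assumptions.

```python
import hashlib
import hmac
import os

SHARE_LEN = 32  # bytes; the verifier below is 32 bytes of PBKDF2-SHA256 output


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def verifier(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash of the password. Assumed stand-in for whatever
    stretching a real deployment uses; the splitting does not depend on it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               20_000, dklen=SHARE_LEN)


class ShareServer:
    """One of the two stores. Holds one random-looking share per user and
    never receives the other share or the verifier itself."""

    def __init__(self) -> None:
        self.shares: dict[str, bytes] = {}

    def store(self, user: str, share: bytes) -> None:
        self.shares[user] = share

    def refresh(self, user: str, delta: bytes) -> None:
        # Both stores XOR in the same delta; the shares still combine to v.
        self.shares[user] = xor(self.shares[user], delta)

    def blind(self, user: str, blob: bytes) -> bytes:
        # Fold this store's share into a masked value; blob is random to it.
        return xor(blob, self.shares[user])


class FrontEnd:
    """Login service. It alone sees the typed password (see the caveat below)."""

    def __init__(self, a: ShareServer, b: ShareServer) -> None:
        self.a, self.b = a, b
        self.salts: dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.salts[user] = salt
        v = verifier(password, salt)
        r = os.urandom(SHARE_LEN)        # share A is pure randomness
        self.a.store(user, r)
        self.b.store(user, xor(v, r))    # share B is v masked by share A

    def login(self, user: str, password: str) -> bool:
        if user not in self.salts:
            return False
        cand = verifier(password, self.salts[user])
        mask = os.urandom(SHARE_LEN)
        # cand ^ mask ^ share_a ^ share_b == mask exactly when cand == v;
        # each store sees only a value masked by randomness it does not hold.
        t = self.a.blind(user, xor(cand, mask))
        t = self.b.blind(user, t)
        return hmac.compare_digest(t, mask)

    def rerandomize(self, user: str) -> None:
        """Operator suspects one store was copied: refresh both shares."""
        delta = os.urandom(SHARE_LEN)
        self.a.refresh(user, delta)
        self.b.refresh(user, delta)


def demo(password: str = "car_park_city?") -> dict[str, bool]:
    """Enroll one constructed user, then replay the stolen-half scenario."""
    a, b = ShareServer(), ShareServer()
    fe = FrontEnd(a, b)
    fe.enroll("alice", password)
    out = {"correct_login": fe.login("alice", password),
           "wrong_login": fe.login("alice", "password1")}
    stolen_a = a.shares["alice"]         # attacker copies store A today
    fe.rerandomize("alice")              # breach suspected, shares refreshed
    stolen_b = b.shares["alice"]         # attacker copies store B later
    v = verifier(password, fe.salts["alice"])
    out["stale_halves_combine"] = xor(stolen_a, stolen_b) == v
    out["login_after_refresh"] = fe.login("alice", password)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A copy of one store is worthless on its own, and once the shares are refreshed it no longer combines with a later copy of the other store, which is the property the article attributes to DCP. Note what the split does not cover: the front end still derives the verifier from the typed password, so a compromised front end, or a user who hands the password to a phishing page, defeats it regardless of how the stored credential is divided.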
Prof. Alan Woodward – a cybersecurity researcher who advises the UK government – said the idea had merit, but would only prevent a limited number of attacks.
“The original problem was that businesses were storing passwords in plain text,” he said.
“Firms dealt with that by using encryption, but some attacks are getting very sophisticated and have found ways to crack some of the older encryption techniques.
“RSA basically prevents this, but something like 80% of successful attacks result from phishing emails. So while RSA will stop smash and grab attacks on firms’ servers, the most successful kind of attack will likely remain people giving their passwords away.”
RSA said DCP would be made available before the end of the year.
It is set to cost about $150,000 per licence. RSA said that could be less than the cost of “an expensive lawsuit”, but it will put the product beyond the budget of many organizations.
RSA has itself been the victim of an attack. In 2011 the firm replaced millions of SecurID tokens after its own IT infrastructure was breached. The devices display a code that changes several times a minute and must be entered in addition to a password, offering an extra level of protection.
RSA said the attack led to the loss of information about its authentication process, which was linked to a subsequent attack on one of its customers, defence firm Lockheed Martin.