Given that passwords are the front line of defence for organisations and individuals alike, it is remarkable how elementary many people’s passwords still are. Recent research by the UK’s National Cyber Security Centre (NCSC) measured how often the worst passwords turn up in breached accounts. Topping the list is “123456”, found on an incredible 23.2 million victim accounts worldwide: the most perfunctory of passwords.
Trailing in second place, with a mere 7.7m victim accounts, was “123456789”; “password” sits in fourth place with 3.6m, just behind “qwerty” with 3.8m. Not one of the passwords in the top ten would give your average hacker a sleepless night, with gems like “111111” and “abc123” being used by millions of people.
Why are you only as good as your weakest password?
While it is true that most organisations have more stringent authentication procedures in place, many still rely on passwords alone. For those that do, the defences are only as good as the employee with the weakest password. Last year, more than 81% of data breaches were the result of weak or stolen passwords, and 28% of data breaches occurred at SMBs.
So, for all the businesses out there: in the same way that almost a third of a million victim accounts have “superman” as their password, don’t be surprised if co-workers in your organisation are also using something on this list.
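The practical step that follows from the list above is to screen passwords before they are accepted. The following is an added example, not code from the original article: it rejects anything on a short blocklist of the passwords quoted above, and checks the rest against a breach corpus using the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 leave the client). The range data here is a constructed stand-in built in code from the article’s own figures; a real client fetches `https://api.pwnedpasswords.com/range/<prefix>` and parses the same `SUFFIX:COUNT` lines.

```python
import hashlib

# Excerpt of the most-used passwords quoted in the article (NCSC 2019 figures).
# In production use the full published list, not this excerpt.
WORST_PASSWORDS = {"123456", "123456789", "qwerty", "password",
                   "111111", "abc123", "superman"}


def _build_sample_ranges(seed_passwords: dict) -> dict:
    """Constructed stand-in for the Pwned Passwords range API.

    Keyed by the first five hex characters of the SHA-1; each entry lists every
    known suffix with its breach count, in the API's "SUFFIX:COUNT" format.
    """
    ranges = {}
    for pw, count in seed_passwords.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


# Counts are the article's (approximate) figures, used only as sample data.
SAMPLE_RANGES = _build_sample_ranges({
    "123456": 23_200_000,
    "password": 3_600_000,
    "superman": 333_000,
})


def pwned_count(password: str,
                fetch_range=lambda prefix: SAMPLE_RANGES.get(prefix, [])) -> int:
    """k-anonymity lookup: hash locally, send only the 5-char prefix,
    then match the remaining 35 characters against the returned suffixes."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a candidate password should be rejected
    (an empty list means it passed every check)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Case-insensitive match so "Password" and "SUPERMAN" are caught too.
    if password.lower() in WORST_PASSWORDS:
        reasons.append("on the common-password blocklist")
    seen = pwned_count(password)
    if seen:
        reasons.append(f"seen {seen:,} times in breach corpora")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "Superman", "a long unique phrase nobody else uses"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The blocklist check is cheap and catches the exact strings in the article; the breach-corpus check catches the far longer tail of passwords that are weak only because they have leaked before. Swap `fetch_range` for a real HTTP call to use it in production.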
Almost 40% of hacks involve weak or stolen passwords…
So, given that passwords really are the weak link, it is little wonder that 37% of cyber attacks on corporate networks involve weak or stolen passwords. Hackers know that if a business relies solely on passwords to secure remote or cloud access, it should not take them long to gain entry. Many employees hand out business cards carrying their email address, which for most people is also their username. From there it is just a matter of patience on the hacker’s part: run a dictionary attack against the login, or send a simple phishing email, and gain unfettered access to company systems, as Twitter recently discovered.
Two factor doesn’t cut it – why you need MFA…
The lesson is that you certainly cannot rely on passwords alone. Nor can you rely on traditional two-factor authentication by itself, because token-based one-time codes (SMS, authenticator apps, hardware OTP tokens) are susceptible to simple phishing: a code is valid wherever it is typed, so a victim who enters it on a fake login page has no way of knowing that the attacker is forwarding it to the real site within its validity window.
Multi-factor Authentication (MFA) is now the way forward for any IT or security professional worth their salt. MFA, in a nutshell, requires users to go through multiple steps to ‘prove’ they are who they say they are. While there are several ways this can be done, it combines at least two of: something the user knows (like a password), something they have (like a token or a phone), and something they are (like a fingerprint). Only if the response to every required factor is correct can that user log in. The number of factors matters less than their quality, though: pick at least one factor that is bound to the legitimate site, such as a FIDO2/WebAuthn security key or platform authenticator, which will only answer for the site it was registered with and so cannot be relayed through a phishing page.
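To make the difference between a phishable and a phishing-resistant second factor concrete, here is an added example that is not part of the original article. It implements a standard TOTP code (RFC 6238) and models a real-time phishing proxy relaying the victim’s code to the genuine site, which accepts it; it then models the checks a WebAuthn relying party performs on an assertion (origin in `clientDataJSON`, RP ID hash in the authenticator data) and shows the same relay failing. An HMAC with a shared key stands in for the credential’s signing key pair so the block runs without a crypto library; that substitution, the hostnames `bank.example` and `phish.example`, and the sample secrets are assumptions of this example.

```python
import hashlib
import hmac
import json
import struct

# --- One-time codes (TOTP, RFC 6238) ---------------------------------------

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (usual server tolerance)."""
    return any(hmac.compare_digest(totp(secret, at + i * step, step), code)
               for i in range(-window, window + 1))


def relay_otp_phish(secret: bytes, at: int) -> bool:
    """Model of a real-time phishing proxy. The victim types the code into
    phish.example; the proxy forwards it to the genuine site a few seconds later.
    The code carries no notion of *where* it was typed, so the real server accepts it."""
    code_typed_on_phishing_site = totp(secret, at)              # victim reads it off their app
    return verify_totp(secret, code_typed_on_phishing_site, at + 5)  # relayed 5 s later


# --- Origin-bound assertion (WebAuthn-style) --------------------------------
# Assumption: a shared HMAC key stands in for the credential's private/public
# key pair. The fields checked are the ones the WebAuthn spec has the RP verify.

def authenticator_sign(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """The browser, not the web page, fills in rp_id and origin from the site the
    user is actually on, and the authenticator signs over both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str,
              challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: type, challenge, origin, RP ID hash, then signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:                   # signed on a phishing page
        return False
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_webauthn_phish(cred_key: bytes, challenge: bytes) -> bool:
    """Same proxy trick against an origin-bound credential. The proxy relays the
    genuine challenge, but the victim's browser is on phish.example, so whatever
    gets signed names that origin and RP ID, and the real RP rejects it. (In
    practice the browser would not even offer bank.example's credential there,
    since credentials are scoped by RP ID; these RP-side checks are the backstop.)"""
    assertion = authenticator_sign(cred_key, "phish.example", "https://phish.example", challenge)
    return rp_verify(cred_key, "bank.example", "https://bank.example", challenge, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"            # sample secret (RFC 6238 test key)
    cred_key, challenge = b"k" * 32, b"\x01" * 32  # sample credential key and challenge
    print("OTP relayed through phishing site accepted:", relay_otp_phish(secret, 1_700_000_000))
    print("WebAuthn assertion relayed through phishing site accepted:",
          relay_webauthn_phish(cred_key, challenge))
```

The OTP path succeeds for the attacker because nothing in the code ties it to the site it was entered on; the WebAuthn path fails because the origin and RP ID are baked into what is signed and are supplied by the browser rather than the page. That is the property to look for when choosing an MFA method.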
As hackers get more persistent, you have to get more vigilant. It’s as simple as “12345”.