Happy Halloween and Happy National Cyber Security Month! Following on our scary cyber stories during October. Here’s a real life horror story that will make you afraid- very afraid- password security.
Rapid 7 a large PEN testing company sampled 130,000 passwords and here are the findings.
In this dataset, there are three extremely common passwords. The first is one that most people would guess, and that is “password.” To be fair, there are many variations of “password.” We see Password1, Password123, Password2, Password1!, and many others. If we are looking at specific passwords that follow this popular pattern, then Password1 is the most common. But due to the many variations, we can add them all up and see that these variations on “password” and some minor decorations are the most common password pattern, with 4,001 entries out of 129,812, or just about 3%.
The next password pattern may not be as obvious, but when you think about the thought process of the user, it makes sense. As mention above, the most common company password policy requires that people change their password every 90 days, which is about every three months. The other thing that changes every three months? The season. Many people have “invented” a system where they have a password that is easy to remember and never repeats by simply choosing the current season and appending the year. When looking at examples like Winter2018, Summer2017! and Spring16! We count a total of 1,788 passwords, or 1.4% of the total set.
The third password pattern isn’t a specific word, but it is the most common approach in the list: the organization’s name. When guessing passwords, one of the first patterns penetration testers will try are variations of the company’s name. We found a total of 6,332 instances of passwords that included the target company’s name, which works out to just under 5% of the total set. The base of these passwords includes the company name, but then the variations on it are similar to what we saw with “password.” Examples include Company123!, Company1, C0mp@ny1, and Company2018. So, while “password” is the most common password pattern base across our data set, decorating the organization’s name as a password is the most common strategy employed.
These percentages may not seem large, but keep in mind that a hacker might only need a single set of working credentials to gain access a network. If you have 100 users, then there’s a good chance that five will contain the company’s name, three will be based on the word “password,” and one or two will be the current season and year. Multiply these percentages out to the number of users a company has, and it increases the likelihood of a correct password guess in the absence of site-wide, username-agnostic rate-limiting.
If you aren’t sure how best to deploy a password strategy in your Business then please speak to KubeNet, we can help devise a password strategy and ensure your business stays protected.
For more information please get in touch email email@example.com or 0800 668 1266