Despite All of the Breaches, Why Aren't Passwords Getting Any Stronger?

Security companies like ours offer an assortment of technologies and services that organizations can use to protect their data and mount a defense against attackers. It's an essential part of the fight. But security doesn't only have to be about nifty software and shiny boxes.

Did you know that something as simple as forcing users to pick strong passwords can mean the difference between a successful breach and a hacker turning around and looking for a more inviting target?

It's true. According to the 2014 Trustwave Global Security Report, weak passwords helped fuel 31 percent of the nearly 700 data breaches we investigated last year. Weak or default credentials enable hackers to not only easily penetrate a network, but also propagate once inside. When you think about it, that number is astounding for something as simple as adding a few more characters, mixing in some alphanumeric ones and choosing a phrase instead of a word.

Yet the beat goes on. Last year, our SpiderLabs researchers discovered a criminally controlled "Pony" botnet server that contained roughly two million stolen account credentials belonging to the users of some of the web's most popular websites, including Facebook, Twitter, LinkedIn and Google. Going back even earlier, we came across other Pony botnet instances. When we put together our 2014 Global Security Report, we decided to tally up the entire cache of stolen credentials and determine which ones were the most popular.

Taking the prize was "123456," followed by "123456789" and "1234." Letters finally turned up in the fourth-most used password, which coincidentally (or not) was "password."

What we discovered is that - like we explained in our 2013 Global Security Report - users (and even IT administrators) aren't getting much better at selecting complex passwords.

When your employees use poor password practices, they are leaving themselves, and your business, wide open to even the most amateur hackers, who can turn to freely available password cracking software that requires little to no experience. Passwords once thought to be complex enough to make cracking improbable are now able to be reversed in just hours or minutes.

Here are four things organizations should keep in mind when it comes to passwords:

  • Encourage, or better yet require, the use of longer passwords - those that contain up to 10 characters could take a hacker years to crack.

  • But even longer passwords that include common patterns or words can still be cracked. That's why it's important to make passwords long and non-memorable.

  • Use a passphrase instead of a password - these contain multiple words that create a phrase ("thisisthebestsecretpassword") and are typically long enough to make cracking difficult, even without the use of special characters, although throwing in an extra exclamation mark or dollar sign wouldn't hurt.

  • Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user's mobile phone.






Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.