People are often considered to be the weakest link in any security system. You can build the world’s strongest lock, only for someone to absent-mindedly leave the door wide open; you can build the world’s most advanced intruder alert system, only for someone to forget to turn it on; and you can give people simple tools, such as passwords, to help them protect their data, and they still manage to mess things up.
In its 2012 Global Security Report, Trustwave revealed that 5% of all system passwords include the word ‘password’, while the most common password on business systems is ‘Password1’.
Computer systems often require users to add some complexity to their passwords, for example by making numbers and capital letters mandatory. It seems that some users are taking this a bit literally: instead of devising a more fiendish password, they opt for the most obvious solution that meets the bare minimum requirements.
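An added example (not from the article or from Trustwave’s report): a password check showing why composition rules alone accept ‘Password1’, next to a denylist check on the normalized password. The word list, substitution table and function names are assumptions made for illustration.

```python
# Constructed denylist of common base words. A real deployment would load a
# large breached-password corpus instead (assumption, not from the article).
COMMON_BASES = ("admin", "letmein", "password", "qwerty", "welcome")

# Undo common character substitutions so "P@ssw0rd" compares as "password".
LEET = str.maketrans("013457@$!", "oleastasi")


def meets_composition(pw: str, min_len: int = 8) -> bool:
    """Typical complexity rule: length plus upper, lower and digit."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def common_base(pw: str):
    """Return the denylisted word hidden in pw, or None if there is none."""
    normalized = pw.lower().translate(LEET)
    for base in COMMON_BASES:
        if base in normalized:
            return base
    return None


def evaluate(pw: str) -> dict:
    """Run both checks; accept only if composition passes and no base is found."""
    base = common_base(pw)
    ok = meets_composition(pw)
    return {"composition_ok": ok, "base": base, "accepted": ok and base is None}


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("Password1", "P@ssw0rd2012", "Welcome123", "tram-Quilt-9-harbor"):
        print(candidate, evaluate(candidate))
```

The first three samples satisfy the composition rule and are rejected only by the denylist check, which is the gap the complexity requirement leaves open.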
Trustwave used a $1500 computer and publicly available tools to try to crack over 2.5 million passwords, and within ten hours had succeeded in identifying over 200,000 of them. CNN Money also highlighted information from Verizon, which revealed this week that in 29% of the security breaches that it has investigated over the last twelve months, weak or easy-to-guess passwords were a factor.
Security researcher Dan Kaminsky commented on these findings: “The fundamental win of the password over every other authentication technology is its utter simplicity on every device. This is, of course, also their fundamental failing.”