‘Password1’ and ‘password’ among the most popular passwords

People are often considered to be the weakest link in any security system. You can build the world’s strongest lock, only for someone to absent-mindedly leave the door wide open; you can build the world’s most advanced intruder alert system, only for someone to forget to turn it on; and you can give people simple tools, such as passwords, to help them protect their data, and they still manage to mess things up.

In its 2012 Global Security Report, Trustwave revealed that 5% of all system passwords include the word ‘password’, while the most common password on business systems is ‘Password1’.

Computer systems often require users to add some complexity to their passwords, such as a mandatory number and capital letter. Some users seem to take this rather literally: instead of conceiving a more fiendish concoction, they opt for the most obvious string that meets the bare minimum requirements.

Trustwave used a $1500 computer and publicly available tools to try to crack over 2.5 million passwords, and within ten hours had succeeded in identifying over 200,000 of them. CNN Money also highlighted information from Verizon, which revealed this week that in 29% of the security breaches that it has investigated over the last twelve months, weak or easy-to-guess passwords were a factor.

Security researcher Dan Kaminsky commented on these findings: “The fundamental win of the password over every other authentication technology is its utter simplicity on every device. This is, of course, also their fundamental failing.”
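The complexity rule described above accepts ‘Password1’ because it only counts character classes. As an added illustration (not code from the article or from Trustwave), the Python below puts a naive uppercase-plus-digit rule beside a second check that normalises the candidate and rejects a common base word with trivial decoration. The base-word list and substitution map are constructed assumptions; a deployment would use a breach-derived wordlist.

```python
import re

# Constructed sample wordlist (assumption): the bases the article reports as
# common, plus a few other well-known defaults.
COMMON_BASE_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}

# Common letter/digit substitutions to undo before comparing (assumption).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s"})


def meets_naive_policy(pw: str) -> bool:
    """The rule the article describes: at least 8 chars, one capital, one digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalise(pw: str) -> str:
    """Reduce a password to its 'core' word: lower-case, drop leading/trailing
    digits and symbols (the '1' in Password1), then undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # strip trailing 1, 123, !, ...
    core = re.sub(r"^[\d\W_]+", "", core)   # strip leading digits/symbols
    return core.translate(LEET_MAP)


def is_trivially_weak(pw: str) -> bool:
    """True when the core of the password is a common base word."""
    return normalise(pw) in COMMON_BASE_WORDS


def check(pw: str) -> str:
    """Apply both checks; only the second catches Password1-style choices."""
    if not meets_naive_policy(pw):
        return "rejected: fails complexity rule"
    if is_trivially_weak(pw):
        return "rejected: common word with trivial decoration"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("password", "Password1", "P@ssw0rd!", "Tr7lkGb2mQ"):
        print(f"{candidate!r}: {check(candidate)}")
```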

37 Comments


Whoever invents the passive password system that actually works is going to be a billionaire...and rightly so. I use a form filler and still find it annoying to enter three different questions to do any banking. I don't allow tracking so I have to login to everything and without a form filler I would go insane.

OMG! If only I had a pound for every single person I spoke to on a daily basis whose login details consist of "admin" and "password" or "password1", I'd be a very rich man indeed. I normally give them a rollocking about their lack of security and how vulnerable their network is to outside intrusions. I know this sounds a little harsh, but anybody with weak security, weak passwords and the default username and password left on the network deserves to be hacked.

I was asked before if I could set up an unsecured VPN connection...? I point-blank refused outright, which caused animosity. They couldn't understand why I said "NO".

It is the fault of the password systems. Every password system must insist on being at least 16 characters, containing numbers and random symbols.

I prefer initialisms myself. Slow news day though, I suppose. This is a good default article for a slow news day.

TRC said,
Picard has no room to facepalm, those Enterprise self-destruct codes were pretty lame too.

True, but at least it's also voice recognition.

itsbg said,

True, but at least it's also voice recognition.

Yep, 2 layers.

It's funny to see a security expert blame passwords for a security breach. One layer of security will never be totally secure.

If you really want your data to be secure better have at the minimum 2 layers of security.

lmfao. As long as there are security accesses requiring a password, the password will always be "password" to some nincompoops.

You mean it's no longer Love, Sex, Secret and God?

I need to update my techniques

To be fair, we have complexity settings where I work, but they are so oddball that when I come to change my password each month it doesn't let me change it to a crazy password combination, but it will let me use password1 every other month. Good security.

P.S. I work at your local bank, my login is: canIhazMonies

This is because, in the corporate world, IT security is far too strict.

In many places I've worked, users had to create new passwords every month and they couldn't be ones that have been used before. That's difficult. After a while employees can't remember what their current password is so they default to a simple system like "Password1" "Password2", or something like "XXJanuary" "XXFebruary".

At the other extreme there are IT Managers that require complex combinations such as a capitalised letter, a number and a symbol all in the one password, that has to be at least eight characters long. Employees can't remember such complex passwords, and that goes doubly when they are issued a random password from IT. So what do the employees do? They write it on a post-it note and stick it on their monitor. And then those high-tech complicated passwords become no match for the post-it note decryption system.

There is a middle ground and a lot of IT Managers are too stupid to see it. Let your employees create their own password. And make it complicated enough that it does require a mix of capitalised letters, numbers and perhaps a symbol. But make it only require 6 characters. And don't make it have to be replaced every month. Your employees will then use their creativity to make a word they remember that contains those security features.

Surely that has to be better than the overly complicated and thus failing attempts going on at the moment.

Steeley said,
This is because, in the corporate world, IT security is far too strict.

In many places I've worked, users had to create new passwords every month and they couldn't be ones that have been used before. That's difficult. After a while employees can't remember what their current password is so they default to a simple system like "Password1" "Password2", or something like "XXJanuary" "XXFebruary".

At the other extreme there are IT Managers that require complex combinations such as a capitalised letter, a number and a symbol all in the one password, that has to be at least eight characters long. Employees can't remember such complex passwords, and that goes doubly when they are issued a random password from IT. So what do the employees do? They write it on a post-it note and stick it on their monitor. And then those high-tech complicated passwords become no match for the post-it note decryption system.

There is a middle ground and a lot of IT Managers are too stupid to see it. Let your employees create their own password. And make it complicated enough that it does require a mix of capitalised letters, numbers and perhaps a symbol. But make it only require 6 characters. And don't make it have to be replaced every month. Your employees will then use their creativity to make a word they remember that contains those security features.

Surely that has to be better than the overly complicated and thus failing attempts going on at the moment.

I agree with you 100%. Passwords are getting WORSE because of the steps these IT departments and such are taking, rather than better. It's absolutely ridiculous. And on that note as well, some things just do NOT require a password. We have a program at our office that allows us to write estimates... Surely, as this program contains absolutely no valuable information, it doesn't need a password... Least of all one that changes every month and can't reuse the last 10 passwords... Sometimes IT is its own enemy.

I'm not against demanding complexity in passwords. But, it would be nice to set a standard across the board when dealing with website user passwords.

I deal with a large number of vendors. Each has its own set of rules...some have no special characters or no numbers, or 1 or more capital letters or no capital letters, etc. I now need to resort to logging all of these down.

Rohdekill said,
I'm not against demanding complexity in passwords. But, it would be nice to set a standard across the board when dealing with website user passwords.

I deal with a large number of vendors. Each has its own set of rules...some have no special characters or no numbers, or 1 or more capital letters or no capital letters, etc. I now need to resort to logging all of these down.

I agree. Then you have those truly ridiculous sites that GIVE you a password. God I hate that.

Nashy said,
All user accounts on my server must be a minimum strength of 80. My personal passwords are no different.

A strength of 80 on what scale?

Partly that's because every f*ck on the internets wants me to register on their stupid thingamajig site before I even know if that's indeed what I'm looking for. I'm gonna get my file (or article) and then get my coat and never come back! Screw yourself!
The vast amount of raw crud shoved down people's throats makes them deliberately ignorant of any security precautions - unique passwords, high entropy and the like.

You've got to give credit to Facebook for simplifying the registration process, which is supported on a lot of websites. There's simply no way that I can remember a different password for every website, and even when I use the same password there are still numerous sites that place arbitrary restrictions on characters, like Blizzard's Battle.net.

Windows 8 is meant to include a password database that can automatically store passwords so that they can be unique for each website. Obviously it is a potential security risk but certainly no more than people using "password" or "Password1". And Google Chrome stores passwords as well, which is a HUGE time saver for me. Love that feature, though not great from a security perspective.

Are there REALLY that many people with no imagination, creativity or intelligence, in the world?

Never mind, I KNOW that answer!!

There've been a few articles on here over the last couple of months about this, and of all the common ones ever shown, NONE have even remotely crossed my mind to use.

As it has been for a very long time. People will learn when they lose something valuable. When that happens, I have no sympathy.

Daedroth said,
As it has been for a very long time. People will learn when they lose something valuable. When that happens, I have no sympathy.

2 or more years ago, I'd have taken a very soft stance on this, saying "Users just don't know" and so on.
But that's BS. There are enough mainstream news stories, enough instances of mainstream services being compromised, that users should be aware now. People who wouldn't dream of setting their Credit Card PIN to 0000 yet seem to feel comfortable with "password" do 100% deserve all they get these days. Sometimes the only way to learn a lesson is the hard way.

nik louch said,

2 or more years ago, I'd have taken a very soft stance on this, saying "Users just don't know" and so on.
But that's BS. There are enough mainstream news stories, enough instances of mainstream services being compromised, that users should be aware now. People who wouldn't dream of setting their Credit Card PIN to 0000 yet seem to feel comfortable with "password" do 100% deserve all they get these days. Sometimes the only way to learn a lesson is the hard way.

Agreed. The only times I use password1 or password is when I'm signing up to some site I just wanna check out haha (ones that require you to login to see stuff).

Daedroth said,
As it has been for a very long time. People will learn when they lose something valuable. When that happens, I have no sympathy.

Absolutely. It's truly bizarre that people would even do this. I wonder if the prevalence of this in business isn't because of the mentality that "it's not [my] computer so it doesn't affect me"... I've certainly seen enough of this over the years. It's almost malicious.