World Password Day 2022: What’s Old is New Again
Posted by: GuidePoint Security
Another year, another World Password Day. Almost 10 years old now, World Password Day was designed to drive awareness about the importance of having strong passwords to protect sensitive information. Despite passwords having been used for decades, they remain a hot topic amongst security professionals and users alike due to their importance for security and impact on business agility.
While most people at least say they understand the importance of passwords, the statistics on the passwords actually in use are still shocking. According to a Cybernews article by Bernard Meyer, the most commonly used passwords around the world show a remarkable lack of originality.
Coming in at number one is the evergreen “123456”, while the second-most popular string ups the ante significantly with “123456789”. Lest you worry that perhaps the top ten are all number strings, fret not, dear reader. Entries three and four are “qwerty” and “password” respectively. While it’s nice to see users pushing the envelope in terms of creativity, the pendulum must always swing back to its other apex, which brings us to the fifth most common password, “12345”.
The rest of the list carries on much as you would think, finishing off with a resounding crescendo of “1234567890” in tenth place. It’s almost art.
Last year, we asked our Threat & Attack Simulation (TAS) team which common passwords (not already on top-ten lists) they run across in their engagements, and they gave us the following list of passwords they say “work in almost all cases that they come across”:
- <Season><Year>! (e.g. Spring2021!)
- <Season><Year> (e.g. Spring2021)
- Password1
- Password123
- P@ssw0rd
- <CompanyName>1 (e.g. Acme1)
- <CompanyName>123 (e.g. Acme123)
- Welcome1
When the above passwords don’t work, the team usually starts trying local sports teams, such as:
- Patriots2021
- Lightning2021
- Yankees2021
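The families listed above are exactly what a password-acceptance check should reject at enrollment or reset time. The following is an added example, not code from GuidePoint or from the article, that classifies a candidate password against the page's patterns (top-10 entries named above, season+year, company name+digits, common word with leet substitutions, local team+year); the team names and the leet mapping are constructed assumptions, and positions 6 to 9 of the top-10 list are not given on the page, so they are omitted.

```python
import re
from typing import Optional

# Constructed from the lists on this page: the top-10 entries the article names
# (positions 6 to 9 are not given there) and the stems the TAS team reports.
TOP_LIST = {"123456", "123456789", "qwerty", "password", "12345", "1234567890"}
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
COMMON_WORDS = {"password", "welcome"}
TEAMS = {"patriots", "lightning", "yankees"}  # assumption: extend with local teams

# Undo the usual character substitutions so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "4": "a", "$": "s", "1": "i"})
YEAR = re.compile(r"(19|20)\d{2}")


def classify(candidate: str, company: Optional[str] = None) -> Optional[str]:
    """Return the weak-password family a candidate belongs to, or None.

    Intended for enrollment or reset flows: a candidate that maps to a family
    is rejected before it ever reaches the credential store.
    """
    pw = candidate.lower()
    if pw in TOP_LIST:
        return "top-10 list"
    # Strip the trailing year/digits/punctuation ("2021!", "123", "1") so the
    # stem can be compared against the wordlists after leet normalization.
    stem = re.sub(r"[\d\W_]+$", "", pw).translate(LEET)
    has_year = YEAR.search(pw) is not None
    if stem in SEASONS:
        return "season+year" if has_year else "season word"
    if company and stem == company.lower():
        return "company name + digits"
    if stem in COMMON_WORDS:
        return "common word variant"
    if stem in TEAMS:
        return "sports team + year" if has_year else "sports team"
    return None


def is_acceptable(candidate: str, company: Optional[str] = None) -> bool:
    """True when the candidate matches none of the families above."""
    return classify(candidate, company) is None
```

A production deployment would pair this with a large breached-password list, as NIST SP 800-63B recommends, since the patterns here only cover what this article enumerates.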
We spoke with our own CISO and head of our GRC practice, Gary Brickhouse, as well as Ed Dunnahoe, Practice Director for GuidePoint’s TAS team, for their thoughts and recommendations:
Q: What are some tips you would recommend to users and organizations as far as password best practices?
Brickhouse: I think the standard advice–if you look at the industry and what we’re required to do today, based on compliance drivers and regulatory requirements–is to have strong, complex passwords. However, the challenge to consider is that users have more passwords than ever to remember and are typically required to change them regularly while following other rules like not using X number of your last passwords. It leaves users suffering from password fatigue. So inevitably, you have users who end up leveraging overly simple passwords–often changed just enough to barely meet the complexity requirements–that are often easily guessed. So what can organizations do? At a minimum, offer users a password manager to help generate and store passwords across multiple devices. More broadly, investing in a single sign-on solution can significantly reduce the number of passwords end users have to remember in your environment.
Dunnahoe: Many people have historically seen “strong” passwords as meaning they need to have an incomprehensible jumble of special characters that turn it into something that you have no hope of remembering. The tools used for cracking passwords with modern hardware can blow through every possible eight-character combination in minutes or hours. However, when you bump that up to nine characters, we’re talking about likely hours or days. Ten-character passwords may take days or weeks, and so on. Each additional character that is added creates an exponential increase in the time it takes to brute force. Now, that being said, there are plenty of 25- and 30-character passwords out there that are very easy to guess, so an attacker seldom has to rely on a brute-force attack to retrieve passwords.
Of course, a single, 30-character jumble is almost impossible to recall, let alone trying to remember a unique can of alphabet soup for every service. There’s a balance between complexity, length, and not making it something easy to guess. The way I personally manage my passwords is to use a password manager that just generates all of my passwords for me, and they’re nothing but gibberish. I don’t actually know probably 90%+ of my passwords. There are so many different logins to maintain these days that it’s unreasonable to expect anyone to use a unique and strong password for each of them while still being something memorable. Many password managers will actually tell you that you’re using the same login for several different accounts or if some of your passwords have appeared in recent breaches. That’s what I would consider the ideal state, using a password manager to generate those passwords for you and store them securely. If you don’t have a password manager and you don’t have the means to acquire one, then I would say using passphrases is the safest way to go.
Q: Sometimes when I’m online creating a new account somewhere, it offers up a suggested password. Is that something that users should probably accept? And can you access that password across different devices like mobile, an iPad, etc.?
Dunnahoe: A lot of times the browser suggests and will offer to save those passwords, but using the browser to store your passwords may not be the greatest idea if you have access to a password manager. Password managers are purpose-built to keep that information safe. Historically speaking, browser-stored passwords have been far less protected than those in a reputable password vault. That being said, saving your passwords in a browser is probably still better than writing them down in a book or on a sticky note somewhere, especially if it results in you using stronger passwords. Some web applications themselves will suggest a strong password, and in many cases those are probably fine. Still, they’re typically too complex to remember, so we’re back to the problem of how to store them securely.
Q: End-users can’t possibly remember all of the passwords if they use robust passwords, so what technology exists to help users and security professionals manage this challenge?
Brickhouse: As mentioned before, password managers are the easiest solutions to deploy and manage. Users must have the ability to generate complex passwords that are unique for each of their applications. From an attack perspective, password reuse is a key attack vector. When one account is compromised, attackers can leverage and use those same credentials to access other systems or applications. Password managers and using different passwords for each application and authentication need is key.
That being said, we are seeing a rise in passwordless solutions coming to the market, most often using strategies similar to those that end users are already used to–whether that’s biometric, token based solutions or MDM solutions that tie into your mobile devices. As this becomes more readily available, this will make life a lot easier for end users.
Dunnahoe: Password managers are currently the most widely accessible solution to this problem, in my opinion. There is also fairly strong adoption and acceptance of passwordless options like biometrics, as evidenced by fingerprint readers on many mobile devices and modern laptops. There are other biometric solutions in more limited use, like facial recognition and retina scanners, but those still seem to be trying to shake a stigma with many users because of the perceived privacy implications. Mobile devices, wearable devices like watches, and devices such as Yubikeys are examples of accessible pieces of technology that have reached a level of user-friendliness and ubiquity that they can also now be heavily relied on to supplement and strengthen authentication.
Q: Gary, how do you see password requirements evolving in the standards and regulatory space?
Brickhouse: I think we really need to take a look at each aspect of traditional password controls, such as periodic password changes and password complexity requirements, and determine if these controls are actually driving the desired outcome and lowering the overall risk to the organization. NIST has done a great job of challenging traditional password rules because they see the same reality. For example, forcing periodic password changes often results in users practicing bad behaviors around password management, because let’s be honest: it’s a pain to have to change your password every few months and have it be something complex, but also something that you can remember. I love that serious attention is being given to improving the standard traditional password guidelines to lower risk while being more user-friendly. As mentioned, some great solutions are coming that will help, but we’ve got to get better in the interim.
Q: Ed, how do you see security evolving around passwords?
Dunnahoe: Even with the growth of zero-trust and IAM solutions, at the heart of many of them, a user still uses a password as at least one component of authentication. There is support for stronger mechanisms such as certificate-based authentication that can perhaps replace passwords at some point, but many different websites are still working on built-in support for basic multi-factor authentication. So I think wide adoption of a certificate-based solution will take some time, and it will most likely only be accessible by corporate users for longer still.