World Password Day: Thoughts from Our Cybersecurity Consultants
Posted by: GuidePoint Security
Today is World Password Day. Established in May 2013, it is designed to raise awareness of the importance of strong passwords for protecting sensitive information. Although passwords have been used for decades, they remain a hot topic among security professionals and users alike because of their importance to security and their impact on business agility.
While most people at least say they understand the importance of passwords, it’s still shocking to see statistics around common passwords used. In 2019, the United Kingdom’s NCSC analyzed public databases of breached accounts to see which words, phrases and strings people used.
Top of the list? 123456, which appeared in more than 23 million passwords!
The second-most popular string? 123456789!
Rounding out the top 5 were “qwerty”, “password” and 1111111.
According to https://www.betterbuys.com/estimating-password-cracking-times/, here’s how long it takes to crack one of these passwords: 0.19 milliseconds.
It’s almost too easy!
We asked our Threat & Attack Simulation (TAS) team which passwords they most often run across in their engagements. This first group works in almost all cases they come across:
- <Season><Year>! (e.g. Spring2021!)
- <Season><Year> (e.g. Spring2021)
- Password1
- Password123
- P@ssw0rd
- <CompanyName>1 (e.g. Acme1)
- <CompanyName>123 (e.g. Acme123)
- Welcome1
When the above passwords don’t work, the team usually starts trying the names of local sports teams, such as:
- Patriots2021
- Lightning2021
- Yankees2021
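A defender-side illustration of the patterns listed above, added here as an example (not code from the original post or from GuidePoint): a small Python policy check that rejects candidate passwords that match them. The seasons, base words and team names come from the post; the company-name set, the minimum length of 12 and the leet-speak mapping are assumptions.

```python
import re

# Constructed blocklist built from the patterns the post lists above.
# An organisation would extend it with its own name, products, local teams, etc.
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
BASE_WORDS = {"password", "welcome", "qwerty"}
LOCAL_TEAMS = {"patriots", "lightning", "yankees"}   # assumption: your region's teams
COMPANY_NAMES = {"acme"}                              # assumption: your organisation's names
MIN_LENGTH = 12                                       # assumed policy value, not from the post

# Undo the common substitutions (P@ssw0rd -> password) so the blocklist still matches.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "$": "s", "5": "s", "7": "t"})
TRAILING = re.compile(r"[\d!@#$%^&*.?]*$")            # trailing year/digits/punctuation
WORD_YEAR = re.compile(r"^[A-Za-z]{3,12}(19|20)\d{2}[!@#$%^&*.?]{0,2}$")


def core_word(pw: str) -> str:
    """Strip the predictable suffix and leet-speak: 'Spring2021!' -> 'spring'."""
    return TRAILING.sub("", pw).lower().translate(LEET)


def check_password(pw: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = core_word(pw)
    if not core:
        reasons.append("only digits or punctuation")
    elif core in SEASONS or core in BASE_WORDS:
        reasons.append(f"blocklisted word '{core}' plus a predictable suffix")
    elif core in COMPANY_NAMES:
        reasons.append("company name plus a predictable suffix")
    elif core in LOCAL_TEAMS:
        reasons.append("local sports team plus a predictable suffix")
    if WORD_YEAR.match(pw):
        reasons.append("single word followed by a year")
    return reasons


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["Spring2021!", "P@ssw0rd", "Acme123", "Patriots2021",
                      "123456", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```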
We spoke with our own CISO and head of our GRC practice, Gary Brickhouse, as well as Ed Dunnahoe, Practice Director for GuidePoint’s TAS team, for their thoughts and recommendations:
Q: What are some tips you would recommend to users and organizations as far as password best practices?
Brickhouse: I think the standard advice, if you look at the industry and what we’re required to do today, based on compliance drivers and regulatory requirements, is to have strong, complex passwords. The challenge to consider though is users have more passwords than ever to remember and are typically required to change them on a regular basis while following other rules like not using X number of your last passwords. It leaves users really suffering from password fatigue. So inevitably, you have users who end up leveraging very simple passwords, often just barely enough to meet the complexity requirements – ones that are often easily guessed. So what can organizations do? At a minimum, offer users a password manager to help generate and store passwords across multiple devices. More broadly, investing in a single sign-on solution can significantly reduce the number of passwords end users have to remember in your environment.
Dunnahoe: If you don’t have a password manager and you don’t have the means to acquire one, then I would say using passphrases is the safest way to go. A lot of people have historically seen “strong” passwords as meaning they need to have an unintelligible number of special characters in them or otherwise turn it into something that you have no hope of remembering. The tools that are used for cracking passwords with modern hardware can blow through every possible eight-character combination in minutes or hours. However, when you bump that up to nine characters, then we’re talking about likely hours or days. Ten-character passwords may take days or weeks, and so on. Each additional character that is added creates an exponential increase in the amount of time it takes to brute-force. Now, that being said, there are plenty of 25- and 30-character passwords out there that are very easy to guess, so an attacker seldom has to rely on a brute-force attack to retrieve passwords.
There’s a balance between the complexity and length concept and not making it something that’s easy to guess. The way I personally manage my passwords is to use a password manager that just generates all of my passwords for me, and they’re nothing but gibberish. I don’t actually know probably 90%+ of my passwords. There are so many different logins to maintain these days that it’s unreasonable to expect anyone to use a unique and strong password for each of them while still being something memorable. Many password managers will actually tell you that you’re using the same login for several different accounts or if some of your passwords have appeared in recent breaches. For these reasons, the ideal state is using a password manager to just generate those passwords for you and store them securely.
Q: So oftentimes when I’m online creating a new account somewhere, and it offers up a suggested password… is that something that users should probably do? And can you access that password across different devices like mobile, an iPad, etc.?
Dunnahoe: A lot of times the browser suggests and will offer to save those passwords, but using the browser to store your passwords may not be the greatest idea if you have access to a password manager. Password managers are purpose-built to keep that information safe. In the past, relatively speaking, browser-stored passwords have been far less protected than those in a reputable password vault. That being said, saving your passwords in a browser is probably still better than writing them down in a book or on a sticky note somewhere, especially if it results in you using stronger passwords. Some web applications themselves will suggest a strong password and in many cases those are probably fine, but they’re typically too complex to remember, so we’re back to the problem of how to store it securely.
Q: End users can’t possibly remember all of the passwords if they are using truly strong passwords, so what technology is out there to help them and security professionals manage this challenge?
Brickhouse: As mentioned before, password managers are the easiest solutions to deploy and manage. It is critical for users to have the ability to generate complex passwords that are unique for each of their applications. From an attack perspective, password reuse is a key attack vector. When one account is compromised, attackers can then leverage and use those same credentials to access other systems or other applications. Password managers and using different passwords for each application / authentication need are key.
The good news is we do see a rise in passwordless solutions coming to the market, most often using similar strategies end users are already used to – whether that’s biometric, token-based solutions or MDM solutions that tie into your mobile devices. As this becomes more readily available, this will make life a lot easier for end users.
Dunnahoe: Password managers are currently the most widely accessible solution to this problem, in my opinion. There is also fairly strong adoption and acceptance of passwordless options like biometrics, as evidenced by fingerprint readers on many mobile devices and modern laptops. There are other biometric solutions in more limited use like facial recognition and retina scanners, but those seem to still be trying to shake a stigma with many users because of the perceived privacy implications. Mobile devices, wearable devices like watches, and devices such as Yubikeys are examples of accessible pieces of technology that have reached a level of user-friendliness and ubiquity that they can also now be heavily relied on to supplement and strengthen authentication.
Q: How do you see password requirements evolving in the standards and regulatory space?
Brickhouse: I think we really need to take a look at each aspect of traditional password controls, such as periodic password changes and password complexity requirements, and determine if these controls are really driving the desired outcome and actually lowering the overall risk to the organization. NIST has done a great job of challenging traditional password rules because they see the same reality. For example, forcing periodic password changes often results in users practicing bad behaviors around password management… because let’s be honest, it’s a pain to have to change your password every few months and have it be something complex, but also something that you can remember. I love that there is serious attention being given to improving the standard traditional password guidelines to lower risk while being more user friendly. As mentioned, there are some great solutions coming that will help but we’ve got to get better in the interim.
Q: How do you see security evolving around passwords?
Dunnahoe: Even with the growth of zero-trust and IAM solutions, at the heart of many of them, a user still uses a password as at least one component of authentication. There is support for stronger mechanisms such as certificate-based authentication that can perhaps replace passwords at some point, but many different websites are still working on building in support for basic multi-factor authentication. So I think wide adoption of a certificate-based solution will take some time and it will most likely only be accessible by corporate users for longer still.
Great advice from two cybersecurity experts looking at this issue from the perspective of a CISO as well as an attacker.
GuidePoint Security