SplashData eBook for Worst Passwords on 2015

Worst Passwords: What We Have Learned From Five Years of Studying the Internet’s Most Commonly Used Passwords

Upload: teamsid

Post on 15-Apr-2017


Table of Contents

Introduction

Password Security Trends

Lessons Learned in the Last Five Years

At-Risk Groups

Password Protection Tools

Tips and Best Practices

Conclusion


Introduction

Three seconds. That is how often an individual's password is hijacked or stolen. By the time you finish reading this booklet, more than 500 passwords will have been breached! And the number keeps growing.

For several years now, there has been a raging war between companies, individuals and hackers – and millions of people are caught in the crossfire. Whenever an organization – even a government entity – is hacked, all users have to change their passwords, security questions and responses, and a host of other data-security elements.

SplashData has been compiling and analyzing password breaches since 2011, looking into trends and sources, but most importantly, the types of weak passwords that pop up repeatedly among the world's worst passwords. The annual “Worst Passwords List” has received accolades from industry experts and media personalities, and been cited on top media outlets as varied as The Today Show, The Wall Street Journal, CBS Radio and The New York Times.

This booklet reveals what SplashData analysts have learned in the last five years in terms of password security, password typology, at-risk groups, password-protection tools, and tips and best practices.


Password Security Trends

Organizations, from web hosting companies to corporate end users, have implemented various techniques to prevent or stop data breaches. As technology gets more sophisticated and the cloud becomes a key part of the data-storage model, more organizations are taking advantage of solutions like SplashData's TeamsID password manager.

• U.S. companies continue to suffer from data breaches, losing $37 billion in 2015 – Sony incurred a staggering $171 million expense related to its data breach.

• It costs, on average, $300 per employee to reset a password in an organization, according to CloudWave.

• Numerical passwords continue to be near the top of the list of vulnerable passwords (more in the next section).

• One third of people use the same password when visiting multiple websites, while 10% use the same password for all sites they are registered on.

• Stolen PIN numbers on credit cards cost $500 million in 2015.

• PayPal remains the most password-phished website, with over 13,000 spoofed websites.

• Password theft across multiple platforms is on the rise, with tablets and smart phones leading the ranks of the worst-protected devices.

• A hacker can crack the average password in just three minutes or less, through brute force or a dictionary attack.


Lessons Learned in the Last Five Years

Over the last five years, SplashData has studied the millions of exposed passwords on the Internet as well as the mitigating techniques companies and individuals have used. Many people and organizations don't think much about passwords, but passwords remain vitally important in Internet security. SplashData has advised organizations and users to fix the problem at the source – before the hacking occurs. From password sophistication to frequent password change, SplashData's SplashID and TeamsID tools assist users in securing passwords and making them less vulnerable to hacker activity.

Here are lessons we have learned from five years of studying the Internet's most commonly used passwords.

2011

• Top worst passwords were (in descending order): password, 123456, 12345678, qwerty and abc123

• Users were complacent in choosing easily guessable passwords and lazy about changing them, doing so very infrequently, and they used the same passwords over and over again on different sites

• A large percentage of users had the same passwords for multiple sites, including financial ones like banks and credit card companies

• Several hacking incidents affected large U.S. companies, including banks and retail stores

• Companies started investing more into cloud-based data encryption


2012

• Top worst passwords were (in descending order): password, 123456, 12345678, abc123 and qwerty

• New entries to the list included welcome, Jesus, ninja, mustang and password

• High-profile password-hacking incidents at major sites, including Yahoo, LinkedIn and eHarmony

• People still used weak, easily guessable passwords

• Cloud providers started strengthening network security and password-encryption tools


2013

• Top worst passwords were (in descending order): 12345, password, 12345678, qwerty and abc123

• Adobe's security breach provided analytical fodder for password-security analysts

• People still used weak, easily guessable passwords

• More numerical combinations were used

• U.S. Government started deploying a more robust password-management and data-protection policy after several hacking incidents threatened federal online platforms


2014

• Top worst passwords were (in descending order): 123456, password, 12345, 12345678 and qwerty

• The report demonstrated the importance of keeping names, simple numeric patterns, sports and swear words out of passwords

• More than 3.3 million leaked passwords were analyzed during the year

• 123456 and password continued to hold the top two spots that they have held each year since the first list in 2011

2015

• Top worst passwords were (in descending order): 123456, password, 12345678, qwerty and 12345.

• Sports remain a popular password theme. While baseball may be America's pastime, football has overtaken it as a popular password.

• The 2015 report was compiled from more than 2 million leaked passwords

• As in past years' lists, simple numerical passwords remain common, with six of the top 10 passwords on the 2015 list comprised of numbers only.

• U.S. businesses continued to invest significant amounts in cloud security, data encryption and password management


At-Risk Groups

In this Internet era, people commonly have dozens of passwords, often hundreds. From banking sites to online email, from social media to fantasy sports, from an alumni site to a family reunion forum, people have to manage credentials for myriad accounts across the Web as they go about their online activity. Some groups seem to be at a greater risk when it comes to password vulnerability, according to research conducted by WP Engine.

The most vulnerable groups are:

• People ages 60 and over

• Women ages 30 to 45

• Teenagers

• Busy professionals, such as CEOs and politicians

• Users logging into their accounts through more than 2 devices

SplashData research also reveals that sports fans were a particularly exposed category, or at least people who use sports-related passwords. Sports was the most common theme found in password research – including sports names, team names, athlete names, mascots, and more.


Here are the Worst Sports Passwords, as compiled by SplashData:


Overall, chances of having passwords stolen and data compromised are higher than ever. Industry groups have responded to the threat with a host of measures ranging from fingerprint scanning to password encryption in secured vaults. However, these measures are creating further vulnerabilities, as they introduce new techniques and applications that users must understand and utilize – a process that is not always easy for individuals already saturated with several passwords and security questions/answers they must memorize.

In this context, password-management tools remain a simple, technologically nimble tool to mitigate the threat of password theft and data breach in the near future.

Password Protection Tools

Several companies provide password-protection tools, ranging from the simple to the sophisticated. In five years of studying the Internet's most commonly used passwords, SplashData has found that the best password-management applications offer the following:

• Native, secure applications for smartphone, tablet and desktop platforms

• Strong encryption

• Synchronization, ideally with a choice of cloud or local WiFi services

• Automated backup

• Categorization/Sharing

• Auto-fill feature

• Password importation

• Password generator

• Secure notes

• Multifactor authentication


Tips and Best Practices

Nothing is 100% guaranteed in life or on the Internet – but over the years SplashData has compiled best practices and security measures for passwords that can help prevent or reduce risk from exposure.

Here are our tips for creating more secure passwords that are easy to recall:

• Avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites that you use for online email, social networking, or financial service sites. Use different passwords for each new website or service for which you sign up.

• Use passwords of 12 characters or more with mixed types of characters. One way to create longer, more secure passwords that are easy to remember is to use short words with spaces or other characters separating them. For example, “eat cake at 8!” or “car_park_city?”

• Never use a favorite sport, birthday (especially just birth year), or person's name as a password.

• Limit the number of devices through which you access websites. Not all platforms have strong responsive security, and you might be vulnerable to password theft when logging into your account through your smart phone, even though the platform's desktop and laptop configurations are secure.
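The tips above, written as a screening check that a sign-up form could run; this is an added example, not SplashData's code. The word lists hold only the passwords and sports this booklet names, and the two-character-type minimum and the birth-year pattern are assumptions.

```python
import re

# Passwords this booklet names in its yearly top-five lists and 2012 new entries.
NAMED_ON_PAGE = {"password", "123456", "12345678", "qwerty", "abc123", "12345",
                 "welcome", "jesus", "ninja", "mustang"}
# Sports the booklet mentions; a fuller theme list (teams, athletes, personal
# names) would be loaded here in practice (assumption).
SPORT_WORDS = {"football", "baseball"}


def character_classes(pw):
    """Count how many of lowercase / uppercase / digit / other appear in pw."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(chk(c) for c in pw) for chk in checks)


def screen_password(pw, min_length=12, min_classes=2):
    """Return the reasons pw fails the tips; an empty list means it passes."""
    reasons = []
    lowered = pw.lower()
    if lowered in NAMED_ON_PAGE:
        reasons.append("on worst-passwords list")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.isdigit():
        reasons.append("numbers only")
    elif character_classes(pw) < min_classes:
        # "Mixed types of characters" is read as at least two classes (assumption).
        reasons.append("single character type")
    if any(word in lowered for word in SPORT_WORDS):
        reasons.append("contains a sport")
    if re.fullmatch(r"(19|20)\d\d", pw):
        reasons.append("looks like a birth year")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the booklet's two good examples and some bad ones.
    for sample in ("eat cake at 8!", "car_park_city?", "123456", "football", "1987"):
        print(repr(sample), screen_password(sample) or "ok")
```
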


Conclusion

In an era in which most of our personal information – and corporate data – lives in the cloud, password-protected, we need defenses beyond standard antivirus software. Our five years of studying the most commonly used passwords have taught us that using a password manager is a significant step in reducing the risks of a data breach.

Many solutions are available on the market, from the straightforward to the sophisticated, from the cloud-based to the platform-based. As we enter a more technologically fragile Web age, companies, individuals and government agencies will need to use a combination of tools to protect data.


About SplashData

SplashData has been a leading provider of security applications and services for over 15 years. SplashID, the company's secure password and record management solution, has over 1 million individual users worldwide, and TeamsID, the company's business password manager, enables organizations of all sizes to secure sensitive records. Since 2011, SplashData has been releasing its annual list of “Worst Passwords” in an effort to encourage the adoption of stronger passwords.

SplashData was founded in 2000 and is based in Los Gatos, CA.
