Stealing passwords...? It's easy as 123
Despite all the reports of Internet security breaches, identity
theft and hacked bank accounts, people are still using easy-to-guess
passwords for nearly all their online activity.
That's the conclusion from two recent studies that looked at passwords in general and banking passwords in particular.
the end of last year, a hacker was able to gain access to 32 million
passwords held by software company RockYou. The list was briefly posted
on the web and security researchers were able to take a detailed look
at the most popular choices.
According to Imperva, a company
which makes blocking software, the most popular password, used by
almost 1% of the entire sample, was "123456". The second most popular?
"12345". Others in the top 20 included "654321", "abc123", "iloveyou"
more disturbing was the fact that about 20 per cent of the sample
picked from the same, relatively small pool of 5,000 passwords. This
means that hackers could use automated programs to break into millions
of accounts in a very short period of time, leaving security officers
no time to react.
Although the security breach at RockYou was
far from trivial (they make software for Facebook and MySpace, among
others), it would have been much worse if a financial institution was
Here, you would expect individuals to take far more
care over their choice of password. Not so, say the results of another
study, this time by security firm Trusteer. They found that 73% of
individuals used their online banking passwords across multiple sites,
making it easy for criminals to hack into less secure sites and then go
after the banks.
This backs up an earlier survey from analyst
firm Gartner, which found that two-thirds of consumers use the same one
or two passwords across all web sites they visit.
who directed the Gartner study, suggests that the sheer number of web
sites requiring passwords is taking its toll. "[Consumers] are making a
choice of convenience over security," she said. "They are using a
they don't want to try and remember 10 different
passwords for everything they do."
Although banks have added
other layers of security, like tagging computer equipment and
monitoring user characteristics, they are not the only ones storing
sensitive information these days. Even a hacked Facebook account can
cause huge problems for the victim.
Security experts recognize
the problems with choosing unique passwords for dozens of web sites,
ATMs, cell phones and other gadgets, but they still stress the
importance of variety.
Amit Klein, chief technology officer of
Trusteer, recommends maintaining at least three "families" of
passwords: one for critical financial sites, a second for sites that
store personal information, and a third for generic log-ins.
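
As an added illustration (not part of the original article or anything published by Trusteer), the Python sketch below audits a personal password list against Klein's three families: it flags any password shared between families and any password from the popular choices quoted above. The family labels, the sample sites and all passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# The top choices the article quotes from the RockYou list.
COMMON = {"123456", "12345", "654321", "abc123", "iloveyou"}
# Labels for the three families; the names are this example's own.
FAMILIES = ("financial", "personal", "generic")

# Constructed sample vault: (site, family, password). All values are made up.
SAMPLE = [
    ("bank.example", "financial", "Tr1ple-maple-canoe"),
    ("broker.example", "financial", "Tr1ple-maple-canoe"),
    ("social.example", "personal", "iloveyou"),
    ("forum.example", "generic", "Tr1ple-maple-canoe"),
    ("news.example", "generic", "paper-kettle-42"),
]


def audit(entries):
    """Return (kind, sites, families) findings for a list of vault entries."""
    key = secrets.token_bytes(32)  # per-run key: the index holds no plaintext
    uses = defaultdict(list)
    findings = []
    for site, family, password in entries:
        if family not in FAMILIES:
            raise ValueError(f"unknown family {family!r} for {site}")
        if password in COMMON:
            findings.append(("common-password", (site,), (family,)))
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        uses[tag].append((site, family))
    for seen in uses.values():
        families = tuple(sorted({family for _, family in seen}))
        if len(families) > 1:  # one password spans two or more families
            sites = tuple(sorted(site for site, _ in seen))
            findings.append(("cross-family-reuse", sites, families))
    return findings


if __name__ == "__main__":
    for kind, sites, families in audit(SAMPLE):
        print(f"{kind}: {', '.join(sites)} [{', '.join(families)}]")
```

Reuse inside a single family is not reported here; only a password that crosses from one family into another, such as a banking password also used on a forum, counts as a finding.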