Stealing passwords...? It's easy as 123

Despite all the reports of Internet security breaches, identity theft and hacked bank accounts, people are still using easy-to-guess passwords for nearly all their online activity.

That's the conclusion from two recent studies that looked at passwords in general and banking passwords in particular.

At the end of last year, a hacker was able to gain access to 32 million passwords held by software company RockYou. The list was briefly posted on the web and security researchers were able to take a detailed look at the most popular choices.

According to Imperva, a company which makes blocking software, the most popular password – used by almost 1% of the entire sample – was "123456". The second most popular? "12345". Others in the top 20 included "654321", "abc123", "iloveyou" and "password".

Perhaps more disturbing was the fact that about 20% of the sample picked from the same, relatively small pool of 5,000 passwords. This means that hackers could use automated programs to break into millions of accounts in a very short period of time, leaving security officers no time to react.
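The defensive counterpart to that finding is to screen new passwords against a denylist of the most commonly chosen ones, so that the accounts an automated guessing run would reach first never get created. The following is an added example, not code from the article or from Imperva; the denylist is constructed from the entries the article names plus a few assumed extras, and the 20-entry sample is invented, with its 20% overlap chosen to mirror the figure quoted above. It also computes what share of a sample a short denylist covers, which is the same quantity the study reports.

```python
"""Added example: denylist screening of chosen passwords and a coverage
measurement showing how much of a user population a short list reaches."""
from typing import Iterable, Tuple

# Constructed denylist: the RockYou top-20 entries the article names, plus
# three assumed extras. A real deployment would load a far larger list.
COMMON_PASSWORDS = frozenset([
    "123456", "12345", "654321", "abc123", "iloveyou", "password",
    "123456789", "qwerty", "letmein",  # assumed extras, not from the article
])


def normalize(password: str) -> str:
    """Canonicalise before lookup so 'Password' or ' 123456 ' still match."""
    return password.strip().casefold()


def is_common(password: str) -> bool:
    """True if the normalised password is on the denylist."""
    return normalize(password) in COMMON_PASSWORDS


def check_password(password: str, min_length: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The denylist check runs first, so a rejected common password is reported
    as such even when it also fails the length rule.
    """
    if is_common(password):
        return False, "appears on the common-password denylist"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


def denylist_coverage(sample: Iterable[str],
                      denylist: frozenset = COMMON_PASSWORDS) -> float:
    """Fraction of a sample of chosen passwords that fall in the denylist.

    This is the share of accounts an attacker would open just by trying the
    list once per account, which is why a 20% overlap with 5,000 entries
    is alarming.
    """
    sample = list(sample)
    if not sample:
        return 0.0
    hits = sum(1 for p in sample if normalize(p) in denylist)
    return hits / len(sample)


# Constructed sample of 20 user choices (not real breach data): 4 of the 20
# are on the denylist, giving the same 20% share the article reports.
SAMPLE = (
    ["123456"] * 2 + ["password", "iloveyou"]
    + ["Tr0ub4dor&3", "correct horse battery staple", "m4yfl0wer-2009",
       "x9#Lq2!vB7", "orange-kettle-42", "zebra_Paddle9", "Quartz.Valley.7",
       "s3cret!s3cret", "blue-moon-harbor", "Nn7!pQ2@", "hemlock&river12",
       "lamp_post_9x", "ferrous-33-Bell", "Kappa-Delta-5!", "night-owl_77",
       "sulphur.Lamp.81"]
)

if __name__ == "__main__":
    for candidate in ("123456", "Password", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
    print(f"denylist coverage of sample: {denylist_coverage(SAMPLE):.0%}")
```

The normalisation step matters in practice: a list that only matches exact strings lets "Password" or "123456 " through while an attacker's tooling tries those variants as a matter of course.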

Although the security breach at RockYou was far from trivial – they make software for Facebook and MySpace among others – it would have been much worse if a financial institution was involved.

Here, you would expect individuals to take far more care over their choice of password. Not so, say the results of another study, this time by security firm Trusteer. They found that 73% of individuals used their online banking passwords across multiple sites, making it easy for criminals to hack into less secure sites and then go after the banks.

This backs up an earlier survey from analyst firm Gartner, which found that two-thirds of consumers use the same one or two passwords across all web sites they visit.

Avivah Litan, who directed the Gartner study, suggests that the sheer number of web sites requiring passwords is taking its toll. "[Consumers] are making a choice of convenience over security," she said. "They are using a cost-benefit equation … they don't want to try and remember 10 different passwords for everything they do."

Although banks have added other layers of security, like tagging computer equipment and monitoring user characteristics, they are not the only ones storing sensitive information these days. Even a hacked Facebook account can cause huge problems for the victim.

Security experts recognize the problems with choosing unique passwords for dozens of web sites, ATMs, cell phones and other gadgets but they still stress the importance of variety.

Amit Klein, chief technology officer of Trusteer, recommends maintaining at least three "families" of passwords: one for critical financial sites, a second for sites that store personal information, and a third for generic log-ins.
