10:00 AM
Sam Bocetta

It's (Still) the Password, Stupid!

The best way to protect your identity in cyberspace is the simplest: Use a variety of strong passwords, and never, ever, use "123456" no matter how easy it is to type.

Stop me if you've heard this one before. Last year, billions of credentials were exposed due to thousands of data breaches. Many of the companies that were hacked didn't tell anyone until months after the fact, and the most common password exposed during these breaches was … 123456.

I know, right? Same old story.

At this point, I'd love to tell you that there was something new and exciting about these breaches. In some ways, there is: The poor security used by many large companies is under greater scrutiny than ever before. But in other ways, these exposures reinforce the importance of the advice that's been around for years: Choose a strong password and, where you can, don't use a password at all.

The most succinct summary of the scale of data breaches in 2018 comes courtesy of SpyCloud, a firm specializing in security analysis and anti-account takeover solutions. It reports that in 2018 it was able to recover 3.5 billion credentials from 2,882 breached sources and managed to decrypt 87% of the passwords contained in this data.

A deeper analysis reveals more troubling factors. One is that it's not clear that many of the "data breaches" reported in the press last year were data breaches at all. In some cases, companies merely released data that they had permission to release: for example, Facebook's controversial "research project," reported by TechCrunch, which involved distributing to consumers a data-mining app (subsequently blocked) that, under Apple's licensing agreement, was intended only for internal corporate use. The second worrying issue is the ongoing prevalence of email scams, which still account for the vast majority of compromises and which a worrying number of people still fall for.

And then we come to companies' responses to these breaches. MyFitnessPal, owned by Under Armour, unintentionally shared the credentials of at least 150 million users in a much-publicized hack, but one that only came to light weeks after it had happened. Quora, in a similar attack, had 100 million user names, passwords, and other data stolen.

Now, you might think that MyFitnessPal and Quora are hardly the most important accounts in your life, and that's true. Neither carries detailed financial information or personal photographs. The problem is that too many people use the same password for these apps as they do for all of their online accounts, and so a breach of even a "low-level" account can have huge consequences both in yielding access to other accounts and driving customers away from the affected company for good.

Password Hashing
It's also worth looking at how passwords and other information were extracted from the data stolen from Quora and MyFitnessPal.

The stolen passwords were not stored in plaintext, and they shouldn't be. Instead of a plaintext password, the breached information contained hashes of passwords: codes generated from each password by a hashing algorithm. Many companies (including these two, it turns out) think that this alone makes the passwords secure.

It doesn't. Or, rather, it would if they were using quality algorithms. Unfortunately, the hashing schemes used by the two companies, MD5 and SHA-1 respectively, are now pretty easy for cybercriminals to overcome. There are even free tools that will do this for them.

So, the companies involved in these hacks were certainly to blame, but only partially. A closer look at the data in the breaches reveals that poor security practices on the part of users made the hackers' job a lot easier as well.

Password Reuse
To see why that is, it's worth looking at the most common passwords that were exposed during these breaches.

Here they are: 123456, 123456789, password, qwerty, 12345, qwerty123, 1q2w3e, 123123, 111111, 12345678, 1234567, 1234567890, abc123, anhyeuem, iloveyou, password1, 123456789, 123321, qwertyuiop, 654321, 123456, 121212, asdasd, 666666, zxcvbnm, 987654321, 112233, 123456a, 123123123, 123qwe, 11111111, aaaaaa, qwe123, dragon, 1234, 1q2w3e4r5t, reset, zinch, 25251325, monkey, a123456, 1qaz2wsx, 1q2w3e4r, 123654, 159753, 222222, asdfghjkl, 147258369, 999999, 5201314, 123abc, qweqwe, 456789, 555555, 7777777, qazwsx, princess, qwerty1, 1111111, football, j38ifUbn, asdfgh, 66bob, 888888, 163.com, 147258, asd123, azerty, sunshine, 789456, 3rJs1la7qE, 159357, michael, 789456123, 88888888, 1234qwer, daniel, Password, abcd1234, myspace1, computer, 987654321, shadow, qqqqqq, 1234561, killer, superman, pokemon, 987654, master, q1w2e3r4t5y6, baseball, 777777, 123456789a, charlie, 11223344, 333333, soccer, x4ivygA51F

It gets even worse when you realize that the kind of person who uses 123456 as a password is probably using this password for all of their online accounts.

And so the issue is not that someone gets access to a Quora account. It's that password reuse is still common practice despite the penetration of password management software into the mainstream, nearly all of which uses AES 256-bit encryption. The best advice, besides letting your computer do the managing for you, is to use a variety of strong passwords and never, ever, use 123456, no matter how easy it is to type.
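The two points above, why unsalted MD5 falls so quickly and how the same weakness makes password reuse visible across accounts, as an added illustration that is not code from the article or from either company; the user names, the sample store and the "strong" password in it are constructed, and PBKDF2 stands in for whatever a quality scheme would be.

```python
import hashlib
import hmac
import os

# Constructed sample: a handful of the most common exposed passwords listed above.
COMMON_PASSWORDS = ["123456", "123456789", "password", "qwerty", "12345", "iloveyou"]

def weak_hash(password: str) -> str:
    """Unsalted MD5: the fast, salt-free scheme the article attributes to one of the sites."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def lookup_table(wordlist) -> dict:
    """With no salt, each common password needs hashing exactly once; after that every
    leaked hash is a dictionary lookup, which is why free tools recover them instantly."""
    return {weak_hash(p): p for p in wordlist}

def audit_weak_store(stored: dict, wordlist) -> dict:
    """Defender-side check: which accounts in an MD5 store use a known-common password?
    Returns {username: recovered_password}."""
    table = lookup_table(wordlist)
    return {user: table[h] for user, h in stored.items() if h in table}

def reused_hashes(stored: dict) -> set:
    """Unsalted hashes also expose reuse: identical passwords give identical hashes,
    so one recovered password unlocks every account sharing that hash."""
    seen, dupes = set(), set()
    for h in stored.values():
        (dupes if h in seen else seen).add(h)
    return dupes

def strong_hash(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 from the stdlib. A random per-user
    salt defeats precomputed tables and hides reuse; the iteration count throttles guessing."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

# Constructed MD5 store for three hypothetical users; two of them share the top password.
WEAK_STORE = {"alice": weak_hash("123456"), "bob": weak_hash("123456"),
              "carol": weak_hash("r4nd0m-Xy!9")}
```

Running audit_weak_store on WEAK_STORE recovers alice's and bob's passwords at once and reused_hashes flags the shared hash, while two strong_hash calls on "123456" produce different strings that each still verify.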

Sam Bocetta is a freelance journalist specializing in US diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Previously, Sam was a defense contractor. He worked in close partnership with architects and ...

User Rank: Ninja
8/12/2019 | 2:15:31 PM
Re: State Farm ran into the same problem
My password rules: unique and easy to remember, right? Well, all of us have hobbies, unique interests that we never forget.

Let us say you like Model T Fords; you have a ton of instant syntax years at your hand right now. The T was introduced in the year 1908.

We can combine facts here with data to make very, very good passwords. How about: M0del_T*L908

You can follow up with years to 1927, the end of production. These rules make for an endless and very good string of data to combine, easy and not hard to forget. Oh, then there is the Model A Ford too.

My 2 cents.
User Rank: Apprentice
8/11/2019 | 7:04:50 AM
I visited; I enjoyed your posts.
This is a really amazing platform and nest news updates; thanks for the nice sharing.
User Rank: Ninja
8/10/2019 | 4:51:32 PM
State Farm ran into the same problem

In a Dark Reading post, State Farm had a problem with users using passwords that they had used before, and the actors pulled information from breached sites to test the already known logins.

I mentioned that if we added 1 character, 1 uppercase and 1 lowercase letter, 1 number, and incorporated MFA/2FA into the mix, we could increase the potential by:
  • (72 x 10)^14 and add a 6-digit code to the equation

I am with you, it is not rocket science, it is something we need to utilize on a regular basis.
