It's (Still) the Password, Stupid!

The best way to protect your identity in cyberspace is the simplest: Use a variety of strong passwords, and never, ever, use "123456" no matter how easy it is to type.

Sam Bocetta, Security Analyst

August 9, 2019


Stop me if you've heard this one before. Last year, billions of credentials were exposed due to thousands of data breaches. Many of the companies that were hacked didn't tell anyone until months after the fact, and the most common password exposed during these breaches was … 123456.

I know, right? Same old story.

At this point, I'd love to tell you that there was something new and exciting about these breaches. In some ways, there is: The poor security used by many large companies is under greater scrutiny than ever before. But in other ways, these exposures reinforce the importance of the advice that's been around for years: Choose a strong password and, where you can, don't use a password at all.

The most succinct summary of the scale of data breaches in 2018 comes courtesy of SpyCloud, a firm specializing in security analysis and anti-account-takeover solutions. It reports that in 2018 it recovered 3.5 billion credentials from 2,882 breached sources and managed to crack, that is, recover the plaintext of, 87% of the password hashes contained in this data.

A deeper analysis reveals more troubling factors. One is that it's not clear that many of the "data breaches" reported in the press last year were data breaches at all. In some cases, companies merely collected or released data that they had permission to use. Facebook's controversial "research" app, reported by TechCrunch, is an example: it was a data-mining app distributed to consumers through a mechanism that Apple's licensing agreement reserves for internal corporate use, and Apple subsequently blocked it. The second worrying issue is the continued prevalence of email scams (phishing), which still account for the vast majority of account compromises, and for which a worrying number of people still fall.

And then we come to companies' responses to these breaches. MyFitnessPal, owned by Under Armour, exposed the credentials of at least 150 million users in a much-publicized breach, one that only came to light weeks after it had happened. Quora, in a similar attack, had the usernames, passwords, and other data of 100 million users stolen.

Now, you might think that MyFitnessPal and Quora are hardly the most important accounts in your life, and that's true. Neither carries detailed financial information or personal photographs. The problem is that too many people use the same password for these apps as they do for all of their online accounts, and so a breach of even a "low-level" account can have huge consequences both in yielding access to other accounts and driving customers away from the affected company for good.

Password Hashing
It's also worth looking at how passwords and other information were extracted from the data stolen from Quora and MyFitnessPal.

The stolen passwords were not stored in plaintext, as well they shouldn't be. Instead, the breached data contained password hashes: fixed-length digests produced by running each password through a one-way hash function. Hashing is not encryption; there is no key, and nothing is meant to be reversible. Many companies (including these two, it turns out) assume that this alone makes the stored passwords safe.

It doesn't. Or, rather, it would help a great deal if they were using a suitable algorithm. Unfortunately, the hash functions the two companies used, MD5 and SHA-1 respectively, are general-purpose functions designed to be fast. Without a per-user random salt and a deliberately slow, memory-hard password-hashing function (bcrypt, scrypt, Argon2, or at least PBKDF2), an attacker doesn't need to "break" the hash at all: he simply hashes billions of guesses per second on commodity GPUs, starting with the most common passwords, and compares the results with the stolen digests. Free tools such as hashcat and John the Ripper do exactly that.
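To make the difference concrete, here is an added example (my own code, not anything published by either company or by the article's author) that runs the dictionary attack described above against unsalted MD5 and SHA-1 digests, then stores the same password with a salted, memory-hard KDF (scrypt from Python's standard library) so the attack no longer scales across users. The wordlist is a constructed subset of the page's top-100 list, and the "breach dump" is fabricated for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample: the first ten entries from the page's list of most-exposed passwords.
TOP_PASSWORDS = ["123456", "123456789", "password", "qwerty", "12345",
                 "qwerty123", "1q2w3e", "123123", "111111", "12345678"]


def fast_hash(password: str, algo: str = "md5") -> str:
    """What a site storing raw MD5 or SHA-1 keeps: one unsalted, single-round digest."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def crack_fast_hash(target_hex: str, wordlist, algo: str = "md5") -> Optional[str]:
    """Dictionary attack against an unsalted digest: hash each guess and compare.
    With no salt, every user who chose the same password has the same digest,
    so one hit breaks all of those accounts at once."""
    for guess in wordlist:
        if fast_hash(guess, algo) == target_hex:
            return guess
    return None


def slow_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Password storage done properly: a per-user random salt plus a deliberately
    expensive, memory-hard KDF (scrypt here; bcrypt or Argon2 are equally good).
    Returns (salt, digest); both are stored, neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_slow_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = slow_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def cost_ratio(password: str = "123456", rounds: int = 200) -> float:
    """Rough measure of how many times more expensive one scrypt guess is than one MD5 guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(rounds):
        fast_hash(password)
    md5_time = max((time.perf_counter() - t0) / rounds, 1e-9)
    t0 = time.perf_counter()
    for _ in range(5):
        slow_hash(password, salt)
    scrypt_time = (time.perf_counter() - t0) / 5
    return scrypt_time / md5_time


if __name__ == "__main__":
    # Constructed "breach dump" of unsalted MD5 digests, the situation the article describes.
    dump = {"alice": fast_hash("123456"), "bob": fast_hash("qwerty"), "carol": fast_hash("123456")}
    for user, digest in dump.items():
        print(user, digest, "->", crack_fast_hash(digest, TOP_PASSWORDS))
    salt, digest = slow_hash("123456")
    print("scrypt verify, correct password:", verify_slow_hash("123456", salt, digest))
    print("scrypt verify, wrong password:  ", verify_slow_hash("password", salt, digest))
    print("one scrypt guess costs roughly %.0fx one MD5 guess" % cost_ratio())
```

Note that alice and carol share an identical MD5 digest, so a single dictionary hit exposes both; with scrypt, two users with the same password get different digests because each has its own salt, and every guess against every user costs the full KDF work. The salt does not prevent guessing a password as weak as 123456; only the slow function makes large-scale guessing expensive, which is why the two must be used together.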

So, the companies involved in these hacks were certainly to blame, but only partially. A closer look at the data in the breaches also reveals that poor security practices on the part of users made the hackers' job a lot easier.

Password Reuse
To see why that is, it's worth looking at the most common passwords that were exposed during these breaches.

Here they are: 123456, 123456789, password, qwerty, 12345, qwerty123, 1q2w3e, 123123, 111111, 12345678, 1234567, 1234567890, abc123, anhyeuem, iloveyou, password1, 123456789, 123321, qwertyuiop, 654321, 123456, 121212, asdasd, 666666, zxcvbnm, 987654321, 112233, 123456a, 123123123, 123qwe, 11111111, aaaaaa, qwe123, dragon, 1234, 1q2w3e4r5t, reset, zinch, 25251325, monkey, a123456, 1qaz2wsx, 1q2w3e4r, 123654, 159753, 222222, asdfghjkl, 147258369, 999999, 5201314, 123abc, qweqwe, 456789, 555555, 7777777, qazwsx, princess, qwerty1, 1111111, football, j38ifUbn, asdfgh, 66bob, 888888, 163.com, 147258, asd123, azerty, sunshine, 789456, 3rJs1la7qE, 159357, michael, 789456123, 88888888, 1234qwer, daniel, Password, abcd1234, myspace1, computer, 987654321, shadow, qqqqqq, 1234561, killer, superman, pokemon, 987654, master, q1w2e3r4t5y6, baseball, 777777, 123456789a, charlie, 11223344, 333333, soccer, x4ivygA51F
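A list like this is useful for more than shaming users: a site can refuse these passwords at registration. The following is an added example of my own (not code from the article or from any of the companies named) of a blocklist check that catches the obvious dodges too, such as trailing digits ("password1"), capitalization ("Password"), and leet substitutions ("P@ssw0rd"). The blocklist is a constructed subset of the page's list; a real deployment would load the full list, or a larger breach corpus, from a file.

```python
import re

# Constructed: a subset of the most common breached passwords listed above.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "12345", "qwerty123",
    "1q2w3e", "123123", "111111", "12345678", "iloveyou", "password1",
    "abc123", "dragon", "monkey", "princess", "football", "sunshine",
    "michael", "superman", "baseball", "soccer", "master", "shadow",
}

# Heuristic leet-speak decoding: @->a, $->s, 0->o, 1->i, 3->e, 4->a, !->i.
LEET = str.maketrans("@$0134!", "asoieai")
MIN_LENGTH = 8


def normalize_variants(password: str) -> set:
    """Forms of the password a user might think are 'different' but an attacker tries first."""
    p = password.lower()
    variants = {p}
    variants.add(re.sub(r"[\d\W_]+$", "", p))       # strip trailing digits/punctuation
    variants.add(re.sub(r"^[\d\W_]+", "", p))       # strip leading digits/punctuation
    variants.update({v.translate(LEET) for v in list(variants)})  # undo leet on each form
    variants.discard("")
    return variants


def check_password(password: str, username: str = "") -> list:
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (minimum %d characters)" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if normalize_variants(password) & COMMON_PASSWORDS:
        problems.append("matches a commonly breached password")
    return problems


if __name__ == "__main__":
    for pw, user in [("123456", ""), ("P@ssw0rd1", ""), ("michael2019", "Michael"),
                     ("Tr0ub4dor&3", ""), ("correct horse battery staple", "")]:
        print("%-30r -> %s" % (pw, check_password(pw, user) or "ok"))
```

The check deliberately reports every failing rule rather than stopping at the first, so the user sees why "P@ssw0rd1" is rejected even though it satisfies a naive complexity rule. Composition rules (one uppercase, one symbol) are intentionally absent: they push users toward exactly the predictable variants this normalizer strips.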

It gets even worse when you realize that the kind of person who uses 123456 as a password is probably using this password for all of their online accounts.

And so the issue is not that someone gets access to a Quora account. It's that password reuse is still common practice despite the penetration of password management software into the mainstream, nearly all of which uses AES-256 to encrypt the stored vault. The best advice, besides letting your computer do the managing for you, is to use a different strong password for every account and never, ever, use 123456, no matter how easy it is to type.


About the Author

Sam Bocetta

Security Analyst

Sam Bocetta is a freelance journalist specializing in US diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Previously, Sam was a defense contractor. He worked in close partnership with architects and developers to identify mitigating controls for vulnerabilities identified across applications.

