Posted by David Hald / 19 December 2016
Given that passwords are on the front line of defence for corporates and individuals alike, it’s mind-boggling how elementary some people’s passwords are. Recent research by LeakedSource delved into the frequency of use of LinkedIn’s 10 most pathetic passwords. Topping the list is “123456”, with an incredible 753,305 LinkedIn users relying on this most perfunctory of passwords.
Trailing in second place with a mere 172,523 users was “linkedin,” with “password” a close third at 144,458. To be honest, none of the passwords in the top ten would give your average hacker a sleepless night, with gems like “qwerty,” “111111,” and “sunshine” being used by tens of thousands of LinkedIn members. And it’s not just LinkedIn. It’s the same scenario for anything online that needs a password, and corporate networks are no exception.
Why are you only as good as your weakest password?
While it’s true that most corporates have slightly more stringent authentication procedures in place, many still rely on passwords. And for those that do, their security defences are only as good as the employee with the weakest password. So for all those unprotected corporates out there: in the same way that over three quarters of a million LinkedIn users have “123456” as their password, hundreds of workers at one organization might well share it.
Over 60% of hacks involve weak or stolen passwords…
So given that passwords really are the weak link, it’s little wonder that around two thirds of cyber attacks on corporate networks involve weak or stolen passwords. Hackers know that if a corporation relies solely on passwords for securing remote or cloud access, it shouldn’t take them long to gain entry. Many employees hand out business cards containing their email address, and an email address is most people’s user name. From there it’s just a matter of patience on the hacker’s part: run a dictionary attack against the login page, or send a simple phishing email, and gain unfettered access to company systems.
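The two passages above make the same point from both sides: an organisation is only as strong as its weakest password, and attackers start with the obvious ones plus the user name they already have. The following is an added example, not code from the original article or from the author’s company, of the check a registration or password-change form can run so that the passwords named above (and trivial variants of them) never get set. The denylist is limited to the six passwords the article names; the 12-character minimum, the leet-substitution table and the sample accounts are assumptions constructed for the example.

```python
import re

# Constructed denylist for the example: the six passwords the article names
# from the LinkedIn leak. A production check would load a full breached-
# password corpus instead of this handful.
BANNED = {"123456", "linkedin", "password", "qwerty", "111111", "sunshine"}

# Common "leet" substitutions that dictionary attacks already try, so
# "P4ssw0rd" must be treated as "password". Assumed table for the example.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed policy minimum


def normalize(password: str) -> str:
    """Reduce a password to the core an attacker's wordlist would hit."""
    lowered = password.lower()
    # Strip leading/trailing digits and punctuation: "Password2016!" -> "password"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if not core:
        # All-digit/symbol passwords such as "111111" have no letter core;
        # compare them exactly as typed.
        return lowered
    return core.translate(LEET)


def username_tokens(username: str) -> list:
    """Pieces of a login name (usually the e-mail local part) that must not
    appear in the password, e.g. "j.smith@example.com" -> ["smith"]."""
    local = username.split("@", 1)[0].lower()
    return [t for t in re.split(r"[._\-]+", local) if len(t) >= 3]


def weak_password_reasons(password: str, username: str = "") -> list:
    """Return the policy violations for a proposed password (empty = accepted)."""
    reasons = []
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if norm in BANNED:
        reasons.append(f"matches banned password '{norm}'")
    else:
        # "password" buried inside "mypassword" is no better than "password".
        hit = next((b for b in sorted(BANNED) if len(b) >= 6 and b in norm), None)
        if hit:
            reasons.append(f"contains banned password '{hit}'")
    for token in username_tokens(username):
        if token in norm:
            reasons.append(f"contains username token '{token}'")
            break
    return reasons


def audit(accounts: dict) -> dict:
    """Run the check over {username: proposed_password} and report the
    accounts that would become the organisation's weakest link."""
    findings = {}
    for user, pw in accounts.items():
        reasons = weak_password_reasons(pw, user)
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = {
        "a.jones@example.com": "123456",
        "j.smith@example.com": "L1nked1n2016",
        "m.lee@example.com": "correct-horse-battery-staple",
    }
    for user, reasons in audit(sample).items():
        print(user, "->", "; ".join(reasons))
```

Note that this check only works where the plaintext is available, i.e. at the moment the user chooses the password; auditing passwords already stored as hashes means comparing those hashes against a breached-password corpus instead.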
Two factor doesn’t cut it – why you need MFA…
And even if corporates do have two-factor authentication in place, traditional token-based authentication (a one-time code typed into the login form) is susceptible to simple phishing: a fake login page collects the password and the current code and replays both to the real service within the code’s validity window.
The lesson is that you certainly can’t rely on passwords alone, and you can’t really rely on traditional two-factor authentication either. Multi-factor authentication (MFA) is now the way forward for any IT or security professional worth their salt. Modern MFA uses a number of signals to verify users, from IP address and geographical location to time of day and session IDs, rather than a single code that can be phished along with the password. As hackers get more persistent, you have to get more vigilant. It’s as simple as “123456.”
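To make the closing point concrete, here is an added example, not code from the original article or from the author’s company, of how an authentication service can combine the signals just listed (source IP, country, time of day, a device-bound session identifier) into a decision that a phished password and code alone cannot satisfy. The policy thresholds, the corporate network range (RFC 5737 TEST-NET-3), the one-hour impossible-travel window and the sample login attempts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed corporate egress range for the example (TEST-NET-3, RFC 5737).
CORP_NETWORKS = [ip_network("203.0.113.0/24")]
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=1)  # assumed policy value


@dataclass
class LoginContext:
    """What the authentication service can observe about one login attempt."""
    user: str
    source_ip: str
    country: str                       # GeoIP result in a real system; constructed here
    when: datetime
    device_id: Optional[str] = None    # identifier from a device-bound cookie/session


@dataclass
class UserProfile:
    """Baseline learned from the user's normal logins."""
    home_countries: Set[str]
    known_devices: Set[str]
    work_hours: Tuple[int, int] = (7, 20)   # hours considered normal for this user


def risk_signals(ctx: LoginContext, profile: UserProfile) -> List[str]:
    """Each signal is one way this attempt differs from the user's baseline."""
    signals = []
    if not any(ip_address(ctx.source_ip) in net for net in CORP_NETWORKS):
        signals.append("off-network source")
    if ctx.country not in profile.home_countries:
        signals.append("unfamiliar country")
    start, end = profile.work_hours
    if not start <= ctx.when.hour < end:
        signals.append("outside working hours")
    if ctx.device_id is None or ctx.device_id not in profile.known_devices:
        signals.append("unknown device")
    return signals


def impossible_travel(ctx: LoginContext, recent: List[LoginContext]) -> bool:
    """True if the same user logged in from a different country within the window."""
    return any(
        prev.user == ctx.user
        and prev.country != ctx.country
        and abs(ctx.when - prev.when) <= IMPOSSIBLE_TRAVEL_WINDOW
        for prev in recent
    )


def decide(ctx: LoginContext, profile: UserProfile,
           recent: List[LoginContext]) -> Tuple[str, List[str]]:
    """Policy outcome: "allow" (password plus a recognised device on a recognised
    network), "step_up" (demand a second factor), or "deny" (too many anomalies
    to trust even a correct one-time code)."""
    signals = risk_signals(ctx, profile)
    if impossible_travel(ctx, recent):
        return "deny", signals + ["impossible travel"]
    if "unfamiliar country" in signals and "unknown device" in signals:
        return "deny", signals
    if signals:
        return "step_up", signals
    return "allow", signals


def demo() -> dict:
    """Evaluate three constructed attempts (not real logins) against one profile."""
    profile = UserProfile(home_countries={"GB"}, known_devices={"laptop-7f3a"})
    t0 = datetime(2016, 12, 19, 10, 0, tzinfo=timezone.utc)
    office = LoginContext("j.smith", "203.0.113.10", "GB", t0, "laptop-7f3a")
    late_home = LoginContext("j.smith", "198.51.100.7", "GB", t0.replace(hour=22), "laptop-7f3a")
    # Attacker with the phished password and code, 30 minutes after the office login.
    abroad = LoginContext("j.smith", "198.51.100.7", "US", t0 + timedelta(minutes=30))
    return {name: decide(ctx, profile, [office])
            for name, ctx in (("office", office), ("late_home", late_home), ("abroad", abroad))}


if __name__ == "__main__":
    for name, (outcome, signals) in demo().items():
        print(f"{name}: {outcome} {signals}")
```

The point of the third attempt is that the attacker in the phishing scenario described above has everything the victim typed, yet the login still fails: the session is on an unknown device, in the wrong country, and overlaps a genuine login from the office.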