Passwords, P4ssw0rd5, 12345

Further to last week’s revelation that a team of enthusiast cryptographers (CynoSure Prime) had published details of how to decrypt the Ashley Madison password database and had themselves decrypted 11.7 Million of them at the time, we now know what the top 100 passwords are!

Here is the top 10:

123456                                  120,511 users

12345                                    48,452

downloadpassword                             39,448

DEFAULT                            34,275

123456789                           26,620

qwerty                                  20,778

12345678                             14,172

abc123                                 10,869

pussy                                   10,686

1234567                                9468

Excluding the 10,686 cat enthusiasts, we are either looking at a vast quantity of systematically registered users (blondes who are ‘right up for it’ for instance, registered by contractors paid by AM themselves), or a legion of intellectually challenged individuals.

(The full, fun-filled list can be found here).

Perhaps the truth lies somewhere between the two?

This week we have been looking at cloud and enterprise data breaches in order to put some security guidelines for public cloud deployment together for our customers, and the more we look, the more we find weak passwords and the ability to test them programmatically without detection as a major contributor to breaches in the last twelve months.

AM themselves were using one of the hilarious passwords in the list above, and then there was the Apple celebrity thing (TOTW passim), Starbucks, even the Password site LastPass. The list is endless.

So if you or your people won’t take our word for it, perhaps you might take the word of none other than GCHQ, which has produced an absolutely fantastic guide to authentication, which can be found here.

We strongly urge you to download this very thorough document, which shows that The Government is waking up to the value of data breaches to the nation and are providing resources to educate the people, great stuff.

Just in case there isn’t a pussy’s chance in hell that you will download the document (perish the thought), here is an annotated summary of the GCHQ tips:

1: Change all default passwords (and not to DEFAULT, please)

2: Help users cope with password overload (single sign on, use of tokens, certificates etc.)

3: Understand the limitations of user generated passwords (especially Cat fans)

4: Understand the limitations of machine generated passwords (unmemorable)

5: Prioritise administrator and remote user accounts (protect your crown jewels more than your garden gnomes)

6: Use lockout and protective monitoring (watch out for brute force, enforce rigorous barring, alert on activity)

7: Don’t store passwords as plain text (we would say don’t store passwords in a form that they can be decrypted easily, use two factor authentication)

If you would like to talk to us about authentication, authorization or protecting your Crown Jewels, please contact us at: [email protected] or call 020 7517 3900.

We will be holding a Cyber Security event in early 2016, which will be covering these, and many more issues, watch this space for registration details.