'Password' and '12345' Among Most Common Passwords of 2011
Modernizing Authentication — What It Takes to Transform Secure Access
The 25 most popular passwords in 2011 include such gems as "password" and "123456," according to an analysis of various lists and databases dumped online by hackers this year.
Internet users were selecting common names, numeric sequences and keyboard layouts as their passwords online, according to the 2011 Worst Passwords of the Year list released Nov. 21 by password management company SplashData. Common passwords included "qwerty," "letmein," "monkey" and "qazwsx."
Combining letters and numbers is a good tactic for selecting strong passwords, but not when it's "abc123," "passw0rd" or "trustno1." Attackers can easily brute-force their way into accounts by repeatedly trying common passwords, said Morgan Slain, CEO of SplashData. While some sites lock out users after too many incorrect attempts, some, such as Amazon, don t, giving attackers all the time they need.
The Morto worm, which made the rounds in August, attacked Windows servers via the Remote Desktop Protocol by trying a list of 30 common passwords for the Windows Administrator account. Some of the passwords on Morto's list, such as "letmein," "123123" and "111111" were also on SplashData's list.
There is a strong overlap with previous analysis of the data stolen and dumped from Gawker Media in 2010. Even with the number of organizations compromised this year and users receiving notifications letters recommending they change their passwords to something much stronger, it doesn't seem the message is getting through. This is why some security experts are recommending a drastic step: eliminating passwords.
From the perspective of users, there are too many IDs and passwords, and the number of places they need to log in will continue to grow, according to Patrick Harding, CTO of Ping Identity. "Everyone wants to reduce the number of times you have to type in a password," Harding told eWEEK.
Harding advocates using a third-party authentication service, such as using Google credentials to log into non-Google sites or using Facebook Connect from the social networking giant. Enterprises can even extend their existing Active Directory deployments to cover other applications. The idea is to implement "secure federation policies," whether it's based on Security Assertion Markup Language (SAML), OpenID or some other standard, to handle authentication across multiple sites, according to Harding.
There are two parts to the "password problem," where users are using weak passwords and reusing them across multiple Websites and services. The goal is to reduce the number of places that require authentication, and then enforce strong rules on the areas where login is required, Harding said. It's much more manageable and cost-effective to apply advanced capabilities such as phone-based or token-based authentication technologies to a handful of entry points than for every application, service and device, according to Harding. "What you end up enabling is single sign-on," Harding said.