The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally. Other all-too-predictable choices, such as ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, also prove to have staying power year after year.
My first instinct is to dismiss this as scaremongering fodder, especially given that poor password hygiene was also part of a community engagement session I presented at the recent RSAC conference, Let's Rant: 4 Things That Need to Change in Cybersecurity.
But since today is World Password Day, I had to put this to the test: Can I still find a reasonably mainstream website that allows me to create an account using ‘123456’ as the password? Unfortunately, the answer is yes.
There are popular sites, such as Evite, that still allow this exact six-digit string as a password. You may dismiss it as just an e-invite service, until you realize that you’re sharing personal data on your invitations and potentially managing the responses of all your invitees through an account that is not secure. The shocking part of this very crude test is that Evite suffered a data breach in 2019 that affected the personal information of over 100 million people. The company should probably know better than to allow its users such weak passwords.
The situation isn’t drastically better on even more popular services. When I attempted to create a new account on Facebook, the platform did mandate an additional level of password complexity. But still, a string as simple as ‘1234567!’ turned out to be a permitted password. X offered a similar experience.
Now, Facebook, for example, does offer some advice, such as: “avoid using common words such as ‘password’” and “If your password isn’t strong enough, mix uppercase and lowercase letters. Make it more complex by using a longer phrase or series of words that you can remember but others won’t know.” Yet it permits ‘1234567!’: no letters at all, just a sequential run of digits with an exclamation mark tacked on the end. A string like that is trivially guessable, especially by automated scripts that try the most common patterns against large numbers of accounts, and advice about mixing character classes does nothing to stop it if the policy never checks for sequences or known-breached strings.
Meanwhile, Collins Dictionary, home to far less sensitive content, forced me to create an eight-character password containing at least three of the following: lower case (a-z), upper case (A-Z), numbers (0-9) and special characters (e.g. !@#$%^&*).
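To make the difference between these policies concrete, here is an added Python example (written for this page, not code from the article or from any of the sites it names). It compares a composition rule of the kind Collins Dictionary applies with a NIST SP 800-63B-style check that relies on a blocklist of breached passwords and rejection of sequential or repeated strings. The blocklist is a small constructed sample, and the exact rules Facebook or X apply are not known from the article, so the composition rule here stands in for that style of policy rather than reproducing any site's implementation.

```python
"""Two password-acceptance policies, tried on the strings the article mentions.

composition_policy() mirrors the "eight characters, three of four character
classes" rule described for Collins Dictionary. nist_style_policy() follows
the NIST SP 800-63B approach instead: a length floor, a blocklist of
known-breached passwords, and rejection of sequential or repeated strings.
Assumptions: BLOCKLIST is a small constructed sample, not a real breach
corpus, and neither function reproduces the actual rules of any named site.
"""
import re
import string

# Constructed sample blocklist: the NordPass entries quoted in the article plus
# a few other perennial offenders. Production code loads a breach corpus
# (e.g. the Have I Been Pwned Pwned Passwords dataset) instead.
BLOCKLIST = {
    "123456", "123456789", "12345678", "12345", "admin",
    "password", "qwerty", "111111", "iloveyou", "welcome",
}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def composition_policy(pw: str, min_len: int = 8, min_classes: int = 3) -> tuple[bool, str]:
    """Classic complexity rule: length floor plus a count of character classes."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    used = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in pw))
    if used < min_classes:
        return False, f"uses {used} character class(es), policy needs {min_classes}"
    return True, "accepted"


def _is_sequential(s: str) -> bool:
    """True when every adjacent pair of characters steps by exactly +1 or -1
    in code point, e.g. '1234567', 'abcdef', '7654321'."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def _core(pw: str) -> str:
    """Lower-case the password and drop the digits/punctuation users append
    to satisfy composition rules, so 'Password1!' is compared as 'password'.
    Falls back to the whole string when only digits/punctuation remain."""
    stripped = re.sub(r"[\d\W_]+$", "", pw).lower()
    return stripped or pw.lower()


def nist_style_policy(pw: str, min_len: int = 8) -> tuple[bool, str]:
    """Length, blocklist and pattern checks; no character-class requirements."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    core = _core(pw)
    if pw.lower() in BLOCKLIST or core in BLOCKLIST:
        return False, "found in breached-password blocklist"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    if _is_sequential(pw.rstrip(string.punctuation)) or _is_sequential(core):
        return False, "sequential characters"
    return True, "accepted"


# Constructed test inputs: the article's examples plus two contrasting cases.
SAMPLES = ("123456", "1234567!", "Password1!", "aaaaaaaa",
           "correct horse battery staple")


def compare(pw: str) -> dict:
    """Run both policies on one candidate and return their verdicts."""
    return {"composition": composition_policy(pw), "nist_style": nist_style_policy(pw)}


if __name__ == "__main__":
    for pw in SAMPLES:
        result = compare(pw)
        print(f"{pw!r:32} composition: {result['composition'][1]:<45} "
              f"nist-style: {result['nist_style'][1]}")
```

Running it shows the gap the article is pointing at from both sides: the composition rule does reject ‘1234567!’ (digits and punctuation are only two classes), but it happily accepts ‘Password1!’, which is on every breached-password list, while refusing a long lower-case passphrase. The blocklist-and-pattern check rejects all of the weak strings and accepts the passphrase.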
NordPass’s data suggests that many more sites set weak password policies and allow trivial passwords like ‘123456’. However, I think there may also be a legacy effect in how the most common passwords are calculated. For example, if a company has existed for 10 years and never deleted dormant user accounts, a breach would include outdated dormant account data, some of it created before any password policy was enforced. The motivation behind publishing headline-grabbing data is also clear: the vendors that create the news story stand to benefit, as they sell password management software on subscription.
Breaking the cycle
Now, how do we resolve this never-ending loop of negativity about passwords, along with the ridiculous situation that platforms still permit non-secure passwords?
I do not support the idea of legislators needing to mollycoddle citizens, but in this instance I think it’s time for lawmakers to step up to the mark and put a stop to the pattern of companies not implementing stringent authentication policies and allowing consumers to take the easy option. There is widespread privacy legislation stating that companies need to secure our personal data if they store it, using appropriate reasonable cybersecurity measures. A core part of these measures is the use of strong, complex passwords and multi-factor authentication (MFA), as required by any self-respecting cybersecurity framework. Yet, in many instances there are no cybersecurity requirements on authentication for customer-facing services.
On the other hand, some industries have been forced to update to modern authentication methods. In the finance industry, for example, regulations such as the Payment Services Directive 2 (PSD2) mandate strong customer authentication, in effect MFA, for electronic payments and for online access to payment accounts.
Legislation should extend to all industries: simply enforce MFA for all accounts created online regardless of the service being accessed, ditch the outdated use of passwords, and move to more appropriate security for today’s internet.
The potential hurdle to mandating this approach is the barrier to entry for people creating accounts. Companies reliant on advertising or on the collection (and sale) of personal data for revenue will lobby hard against the move, and companies with big budgets will insist that nothing stands in the way of profit, least of all securing customer accounts by requiring a complex password and/or MFA.
For most of my 30-plus-year career in the cybersecurity industry, the issue of weak passwords has been a staple message pushed out every day, at many events, and on a specially nominated day. There is a simple and effective way to resolve it: mandate complex passwords or, better yet, MFA. Can we please stop the conversation about ‘weak passwords’, once and for all?
To generate strong passwords and learn more about online account security, head over to ESET’s password generator page.