‘Lazy’ IT admins told off over password security
Website operators and IT administrators have been urged to step in on passwords, amid evidence that a significant chunk of users still safeguard accounts with the likes of ‘1234’.
Calling out IT admins as either “lazy” or “reckless” if they fail to require six characters or more, Keeper Security said it was “perplexed” why such techies flout password best-practice.
The security firm was speaking after it found that 17% of people’s passwords were ‘1234’ or similar, according to an analysis it ran of 10 million passwords exposed in recent data breaches.
The firm reflected: “The list of most-frequently used passwords has changed little over the past few years…[so] user education has limits.
“While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT admins and website operators must do the job for them.”
Some of the passwords on the list used unpredictable patterns like ‘1q2w3e4r’, but a greater proportion (four of the top 10 passwords) emerged as having six characters or fewer.
“This is stunning,” Keeper Security said. “Brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.”
But speaking after a recent leak of passwords by a social media giant, Equifax said that advancements in hacking, with no matching advancement in human nature, meant users would always be on the back foot.
“As hackers crack more and more passwords, their algorithms improve and the speed in which they breach accounts increases; instead of taking weeks or months to crack 1% of passwords, it can now only take a few days to breach 90% of passwords.”
“[And] one of the major issues is that there are only so many unique passwords that humans can cope with. It is near impossible to remember multiple passwords using combinations of letters and symbols such as 5Ge8**233!!$.”
The consumer credit company’s fraud prevention unit has also said that people have begun re-using other people’s character combinations because very few entirely new passwords can be created.
“It’s difficult to determine what will actually stop this cycle,” it said. “One possible answer may be for companies to introduce a second layer of authentication processing, such as device recognition, to help build the necessary barriers to keep data safe.”
But Keeper Security believes that IT admins just need to take some simple steps to provide businesses, and their users, with the minimum level of protection.
The firm said: “We can criticise all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so.
“But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.”
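The policy Keeper Security is calling for (a minimum length and a block on the breach-list favourites) is the kind of check a site can run server-side at sign-up. The following is an added example written for this article, not code from Keeper Security or any product it sells; the denylist entries are a constructed sample, and the keyboard-walk detection (which also catches the interleaved ‘1q2w3e4r’ pattern) is an assumption about what a site would want to reject beyond the six-character minimum.

```python
"""Server-side password-policy check: minimum length plus a denylist of the
sequential and keyboard-walk patterns that dominate breach-derived lists."""

MIN_LENGTH = 6  # the minimum the article says operators should require

# Constructed sample of a breach-derived denylist; a real deployment would
# load the full list of most-frequently exposed passwords instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "1234", "111111", "1q2w3e4r"}

# Physical key order on a standard US keyboard, used to spot "walks" along a row.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_sequential(pw: str) -> bool:
    """True when every character steps by exactly +1 or -1 ('123456', 'fedcba')."""
    if len(pw) < 4:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return deltas in ({1}, {-1})


def has_keyboard_run(s: str, min_run: int = 4) -> bool:
    """True when s contains min_run adjacent keys from one row, either direction."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in low or run[::-1] in low:
                return True
    return False


def is_keyboard_walk(pw: str) -> bool:
    """Catch plain walks ('qwerty') and interleaved ones ('1q2w3e4r'), where the
    characters at even and at odd positions each trace a keyboard row."""
    if has_keyboard_run(pw):
        return True
    return has_keyboard_run(pw[::2]) and has_keyboard_run(pw[1::2])


def check_password(pw: str) -> list[str]:
    """Return the policy violations; an empty list means the password passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if is_sequential(pw):
        reasons.append("sequential")
    if is_keyboard_walk(pw):
        reasons.append("keyboard_walk")
    return reasons
```

A site would run `check_password` before hashing and storing the credential, and return the reasons to the user so the rejection is actionable rather than a bare error.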
The criticism comes after the building society Nationwide, which uses fingerprint and voice technology, predicted that most people will no longer be using passwords and PINs by 2025.