SINGAPORE – It is 2021 and the No. 1 password used globally is still “123456”, one of the most commonly used passwords of the past 10 years. But there are indications that, at least in Singapore, things could be improving.
An analysis by cyber-security news site CyberNews of 15.2 billion passwords from publicly leaked data breaches spanning many years, updated earlier this month, found that “123456” was the most common password in the leaked data.
The No. 2 password was three characters longer – “123456789” – while No. 3 was “qwerty”, which is the first row of letters on many keyboards. Fourth was “password”, while No. 5 was “12345”.
This might all sound very familiar – and not only because some of us are guilty of it. Password management firm SplashData found that in 2011, the most common password was “password”, followed by “123456”, “12345678”, “qwerty” and “abc123” in that order. The list was similarly based on passwords leaked online.
CyberNews’ analysis included passwords from old data leaks, including what is believed to be from the 2012 theft of 117 million LinkedIn usernames and passwords, reported only in 2016.
It also used a collection of passwords from 87GB of leaked data compiled by a hacker who told cyber-security journalist Brian Krebs in 2019 that the package was at least two to three years old then.
Other cyber-security experts also suggested that some of the top passwords CyberNews ranked are commonly used even today.
“Weak passwords like ‘12345’ or ‘password’ are often used as the default passwords that come with software and hardware on the market,” said Mr Ryan Flores, senior manager for forward-looking threat research at cyber-security firm Trend Micro.
Problems arise when users do not change these easy-to-crack passwords. Using the Password Checker educational tool on the Cyber Security Agency of Singapore’s website, “12345”, “123456” and “password” could be cracked by hackers in under a second.
Mr Flores also contended that when manufacturers use weak passwords by default, it suggests to users that passwords do not need to be complex and secure.
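The checks described above, a leaked-password blacklist plus a crude exhaustive-search estimate, can be illustrated in a few lines. The following is an added example written for this article, not the Cyber Security Agency’s Password Checker or any of the firms’ code: the blacklist is the set of passwords the article names, and the guessing rate is an assumed figure chosen to make the arithmetic concrete.

```python
import string

# Top leaked passwords named in the article (CyberNews 2021 and SplashData 2011 lists).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345",
    "12345678", "abc123",
}

# Assumed offline guessing rate used for the time estimate. This is an illustrative
# figure for this example only, not a value from the article or from the CSA tool.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, based on which
    character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in password):
        size += 128  # rough allowance for non-ASCII characters
    return max(size, 1)


def estimate_crack_seconds(password: str) -> float:
    """Worst-case exhaustive-search time at the assumed rate, or 0.0 when the
    password is on the leaked list: attackers try leaked passwords first, so
    a dictionary hit is effectively instant (the 'under a second' result above)."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    keyspace = charset_size(password) ** len(password)
    return keyspace / ASSUMED_GUESSES_PER_SECOND


def check_password(password: str, min_length: int = 12) -> dict:
    """Return a verdict and every reason the password would be rejected.
    The 12-character minimum is this example's own policy choice."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in leaked-password lists")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.isdigit():
        reasons.append("uses digits only")
    return {
        "password": password,
        "accepted": not reasons,
        "reasons": reasons,
        "estimated_crack_seconds": estimate_crack_seconds(password),
    }


if __name__ == "__main__":
    for candidate in ("123456", "password", "Tr0ub4dor&3", "Correct-Horse-9-Battery"):
        verdict = check_password(candidate)
        print(candidate, "accepted" if verdict["accepted"] else verdict["reasons"],
              f"{verdict['estimated_crack_seconds']:.3g} s")
```

The blacklist check runs before any arithmetic on purpose: a long or mixed-case variant of a leaked password gains nothing, which is why the lookup lowercases the input and why “password” and “Password” both score zero seconds.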
The CyberNews findings also suggest that people are creatures of habit. Many people do not learn from news of password leaks, said Mr Kevin Reed, chief information security officer at cyber-protection firm Acronis.
Besides being easy to remember, the top passwords in the list are also easy to type, which matters to a lot of people, said Mr Reed, who added that people also assume their accounts will never be hacked.
Mr Reed said it is more dangerous to use weak passwords now than 10 years ago because computing performance has grown dramatically over the years.
Hackers use software to run lists of stolen usernames and passwords against various online accounts to try to access them – a move called a brute-force attack.
A hundred weak passwords can easily be tested on an online account in a split second.
And with many people working from home due to Covid-19, Trend Micro also found that in the first half of last year, nearly 9 in 10 breaches globally of user accounts for remote access services were through brute-force attacks.
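From the defender’s side, the attack described above leaves a recognisable trace: a burst of failed logins from one source, often against many different usernames, sometimes followed by a success. The following is an added example written for this article, not code from Trend Micro, Acronis or any product: the log format, the sample lines and the five-failures-per-minute threshold are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (not real data).
# 203.0.113.5 tries five accounts in three seconds and then succeeds on the
# fifth; 198.51.100.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2021-03-15T10:00:01Z auth result=fail user=alice src=203.0.113.5
2021-03-15T10:00:02Z auth result=fail user=bob src=203.0.113.5
2021-03-15T10:00:02Z auth result=fail user=carol src=203.0.113.5
2021-03-15T10:00:03Z auth result=fail user=dave src=203.0.113.5
2021-03-15T10:00:03Z auth result=fail user=erin src=203.0.113.5
2021-03-15T10:00:04Z auth result=ok user=erin src=203.0.113.5
2021-03-15T10:00:10Z auth result=fail user=alice src=198.51.100.7
2021-03-15T10:05:00Z auth result=ok user=alice src=198.51.100.7
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Flag a source once it accumulates `threshold` failures inside `window`,
    and flag any later success from a flagged source, which is the event
    that actually needs a response (password reset, session revocation)."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in the window
    users_tried = defaultdict(set)        # src -> distinct usernames attempted
    flagged = set()
    alerts = []

    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        src, now = event["src"], event["ts"]

        if event["result"] == "fail":
            queue = recent_failures[src]
            queue.append(now)
            users_tried[src].add(event["user"])
            # Drop failures that have aged out of the sliding window.
            while queue and now - queue[0] > window:
                queue.popleft()
            if len(queue) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "type": "brute_force",
                    "src": src,
                    "failures": len(queue),
                    "distinct_users": len(users_tried[src]),  # many users = spraying
                    "at": now,
                })
        elif src in flagged:
            alerts.append({
                "type": "success_after_bruteforce",
                "src": src,
                "user": event["user"],
                "at": now,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Counting distinct usernames per source is what separates a spray of leaked credentials across many accounts from one user repeatedly mistyping their own password; the single failure from 198.51.100.7 never reaches the threshold and produces no alert.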
But there is a bright spot.
Mr Flores said Singapore generally fared better than the rest of the world in terms of password security.
This is indicated by the number of compromised routers and Internet-connected devices that have been hacked using leaked passwords or by cracking common or default passwords. Such hacked devices can be used by crooks to launch more attacks on others online.
Last year, Singapore had 64 instances of “malicious outbound traffic” per device – lower than the global average of 66.6.
Mr Flores said possible reasons for this include education efforts by the Government, or measures by telcos to provide devices with a more secure set-up.
Beefing up account security includes password alternatives like using a person’s face or fingerprint to unlock accounts, or using a security token for two-factor authentication. Mr Reed said for a small country like Singapore, it could be a few more years for this to become mainstream but larger countries could take decades.
Using a token means that even if a weak password is used, the token is still needed to unlock an account.
“It’s a physical device… and very easy (to figure out) that you don’t have it anymore, unlike passwords, which could be stolen and you may never know about it,” he said.