UK’s National Cyber Security Centre Releases Top 100k Most-Used Passwords

We at Ghost Security Group™ deal with Islamic State hackers attempting to breach web sites on a daily basis, either to push their propaganda through simple website defacing (replacing the site’s displayed content) or more serious attempts to acquire data through easily accessible databases. While we generally don’t consider the majority of their work to be that dangerous at the moment – it’s more for show and intimidation – every attack they execute successfully gives them more clout within their community. Additionally, if they are lucky enough to score a strike against what appears to be a high-value target, the news and media coverage of the attack is a huge win for them and causes great concern among those less familiar with their techniques and skill set.

The UK’s National Cyber Security Centre (NCSC) has released a list of the top 100k most-used passwords curated from leaked database breaches. Seeing the list curated all in one place and sorted by commonality shines a light on just how negligent we as a society really are when it comes to protecting ourselves online. Seeing 123456 at the top of the list as the most commonly used password on the planet is extremely disappointing. We may as well stop using passwords altogether and just let anyone have access to our web sites, cameras, databases, bank accounts, mobile devices, cars, … you name it.

In an age where personal information is stolen and posted online by the millions on a weekly basis, how is it we as a society still have such poor password security? We don’t want to be inconvenienced with multiple complex passwords and yet we cower in fear when ISIS hacks our web sites or posts kill lists of our law enforcement or military personnel. We use the same simple password to protect all of our personal information in multiple locations and yet we expect our credit card companies to protect us when our data is compromised and unauthorized purchases are made on our cards.

While it is really up to us as individuals to decide how secure we want our passwords to be, companies that require passwords on their devices and in their applications have not only the capability but the obligation to force users to create complex passwords and force them to change them on a regularly scheduled basis. Why would your bank allow you to use a 6-digit password any more? Why wouldn’t a credit card company keep a password dictionary and a list like this Top 100k most used passwords and check your new password against it to ensure you are physically unable to use these as your sole protection?

Terrorist hackers aren’t just out there trying to deface web sites any more. That’s cute and fun but there are some with much higher ambitions: SCADA systems, electrical grids, financial markets. Some have stated publicly to their followers that jihad doesn’t have to be a war of physical violence and that causing the financial ruin of nation states is a huge part of their battle against the “disbelievers”.

If these attackers focus their energy (and some currently are) on more serious breaches and attacks – and are successful – global financial markets can collapse and entire cities can be wiped out for extended periods of time. This type of warfare doesn’t require money or weapons. Seeing how elementary password security is across this planet, all it will take to score a direct hit is time, patience and persistence.

For now, it is imperative that we start taking our password security more seriously. This weekend, take an hour or two and start getting smart with your passwords instead of binge watching the latest television series. Start making new and challenging passwords for everything you use: social media, banking, forums, utilities, memberships, shopping sites, etc.

Follow the commonly suggested rules:

• use both upper-case and lower-case letters
• include one or more numerical digits
• include special characters, such as @, #, $
• no words found in a password blacklist
• no words found in the user’s personal information (name, birth city, etc.)
• no use of company name or an abbreviation
• no passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
• no reuse of passwords on multiple sites
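Here is what the blocklist check suggested earlier and the rules above look like when a site enforces them at account creation. This is an added example, not code from the NCSC or from Ghost Security Group: the blocklist is a constructed ten-entry stand-in for the real top-100k file (the `load_blocklist` helper reads the real one-password-per-line file), the date/phone/plate patterns are constructed heuristics, and the 12-character minimum is an assumption not in the list above. The "no reuse across sites" rule cannot be checked from a single password and is left to the password manager.

```python
import re

# Constructed stand-in for the NCSC top-100k list; replace with
# load_blocklist("<path to the downloaded NCSC file>") in real use.
SAMPLE_BLOCKLIST = frozenset({
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "iloveyou",
})

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|~`")

# Constructed heuristics for the "common number formats" the rules forbid:
# YYMMDD / YYYYMMDD / DD-MM-YYYY style dates, phone numbers, licence plates.
DATE_LIKE = re.compile(r"^(?:\d{6}|\d{8}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4})$")
PHONE_LIKE = re.compile(r"^\+?\d{0,3}[ .-]?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}$")
PLATE_LIKE = re.compile(r"^[A-Z]{1,3}[ -]?\d{1,4}[ -]?[A-Z]{0,3}$", re.IGNORECASE)

MESSAGES = {
    "too_short": "shorter than the minimum length",
    "blocklisted": "appears in the breached-password blocklist",
    "no_upper": "needs an upper-case letter",
    "no_lower": "needs a lower-case letter",
    "no_digit": "needs a digit",
    "no_special": "needs a special character such as @, #, $",
    "personal_info": "contains the user's personal information",
    "company_name": "contains the company name or abbreviation",
    "common_number_format": "looks like a date, phone number or licence plate",
}


def load_blocklist(path):
    """Load a one-password-per-line file (such as the NCSC list) into a set."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return frozenset(line.rstrip("\r\n") for line in fh if line.strip())


def check_password(password, blocklist, personal_info=(), company_names=(),
                   min_length=12):
    """Return the list of rule codes the password violates (empty = accepted).

    min_length=12 is an assumption added here; the page's rule list has no
    explicit length rule, but it does object to 6-digit bank passwords.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    # Breach lists mix cases, so test the password as typed and lower-cased.
    if password in blocklist or password.lower() in blocklist:
        problems.append("blocklisted")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.islower() for c in password):
        problems.append("no_lower")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no_special")
    low = password.lower()
    # Substring match against name, birth city, etc.; ignore very short tokens.
    if any(t.lower() in low for t in personal_info if len(t) >= 3):
        problems.append("personal_info")
    if any(t.lower() in low for t in company_names if len(t) >= 2):
        problems.append("company_name")
    if DATE_LIKE.match(password) or PHONE_LIKE.match(password) \
            or PLATE_LIKE.match(password):
        problems.append("common_number_format")
    return problems


def explain(problems):
    """Turn rule codes into the messages a signup form would show."""
    return [MESSAGES[p] for p in problems]


if __name__ == "__main__":
    for candidate in ("123456", "06/14/1987", "Boston1987!Ab", "Tr0ub4dor&3xQm!Lz"):
        found = check_password(candidate, SAMPLE_BLOCKLIST,
                               personal_info=("Jane", "Boston"),
                               company_names=("Acme", "ACM"))
        print(candidate, "->", "OK" if not found else "; ".join(explain(found)))
```

The check returns every violated rule rather than stopping at the first, so a signup form can show the user the whole list at once; the blocklist lookup is a set membership test, so the full 100k-entry file costs nothing noticeable per check.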

Additionally, use a password manager application to generate extremely challenging passwords and to save them in an encrypted format on your devices. This will keep you from having to memorize difficult passwords and allow you to use an unlimited number of passwords in your daily life. KeePass is a great one and works on all platforms.

Stay safe out there!
