Users who work with sensitive company information are told time and time again by IT: Choose a secure password to protect that data. But what’s the password most often employed by business users?
That’s from a recent study conducted by IT security firm Trustwave. As part of its Global Security Report for 2012, a comprehensive study of IT security issues, Trustwave analyzed more than 2.5 million passwords culled from clients’ Windows Active Directory servers.
The reason for that password’s popularity, according to Trustwave: It’s the easiest way to satisfy the default Microsoft Active Directory complexity requirements — it’s long enough, and uses a capital letter and a number.
Other variations on that theme are also popular. These were the 10 passwords Trustwave found most often on business machines:
Most of those would also satisfy Active Directory’s complexity rules, which require a password to contain:
- At least six characters, and
- Three out of the five character types (lowercase letters, capital letters, numbers, non-alphanumeric characters, and Unicode characters).
It’s easy to fault the user for failing to choose a secure password, but as Trustwave points out, IT pros also need to be aware that those default complexity requirements can be met by a password that’s not really complex at all. Too many IT departments rely on those requirements to make sure a user chooses a secure password, according to the report.
These are some additional steps IT can take to improve password security:
1. Set a good example
IT departments often set a bad precedent by giving new users weak passwords when they start working, such as “welcome” or “changeme.” Often, those passwords are never changed — as shown by all the variations on “welcome” found in Trustwave’s list — and if they are, they still send a bad message about what kinds of passwords are acceptable.
According to Trustwave’s report, IT pros could also do a much better job of setting the passwords on their own department’s systems. At the client sites surveyed, many applications still used default credentials, including 28% of Apache Tomcat installations, 10% of JBoss installations, 9% of phpMyAdmin installations, and 2% of Cisco devices with an accessible administrative interface.
2. Create and enforce more strict password policies
As Trustwave points out, increasing passwords’ minimum length is one of the best ways to make them more difficult to crack. For example, increasing a password’s length from six to eight characters gives it 9,000 times as many possible combinations.
For passwords that must be changed regularly, IT can also consider a rule regulating how different the new password must be. Users aren’t creative when thinking of new passwords, Trustwave says. At many client companies, when users were forced to make a change, they simply modified their old password by adding the current month or year to the end.
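As an added example (not from the article or from Trustwave’s report), the Python script below implements the default complexity rule as the article states it, shows how a weak password still passes it, adds the two stricter checks this section recommends (a longer minimum and rejection of an old password with a month or year tacked on), and works out the “9,000 times” figure. It assumes the 95 printable ASCII characters as the alphabet, and every sample password is a constructed value.

```python
import re
import string

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Suffixes users tack onto an old password when forced to change it:
# an optional month name followed by an optional 1-2 digit month or 2/4-digit year.
DATE_SUFFIX = re.compile(r"^(" + MONTHS + r")?(\d{1,2}|(19|20)\d{2})?$", re.IGNORECASE)


def character_classes(pw):
    """Return the set of the five AD character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch.isascii():
            classes.add("symbol")   # non-alphanumeric ASCII
        else:
            classes.add("unicode")  # anything outside ASCII
    return classes


def meets_ad_default(pw):
    """Default complexity as the article describes it: six or more
    characters drawn from at least three of the five classes."""
    return len(pw) >= 6 and len(character_classes(pw)) >= 3


def is_dated_variant(old_pw, new_pw):
    """True when new_pw is old_pw with only a month and/or year appended."""
    if not new_pw.lower().startswith(old_pw.lower()):
        return False
    suffix = new_pw[len(old_pw):]
    return bool(suffix) and DATE_SUFFIX.match(suffix) is not None


def meets_stricter_policy(pw, old_pw=None, min_length=8):
    """Stricter policy: longer minimum, same class rule, and the new
    password may not be a dated variant of the previous one."""
    if len(pw) < min_length or len(character_classes(pw)) < 3:
        return False
    return old_pw is None or not is_dated_variant(old_pw, pw)


def keyspace_ratio(short_len, long_len, alphabet=95):
    """Growth in search space when the minimum length rises (assumes 95 printable ASCII)."""
    return alphabet ** (long_len - short_len)
```

Running `meets_ad_default("Welcome1")` (a constructed sample) returns True even though it is exactly the kind of password the article warns about, while `meets_stricter_policy("Welcome12012", old_pw="Welcome1")` rejects the month-or-year update.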
3. Help users remember their passwords
A common problem many companies run into: When users do create complex passwords, they eliminate those security gains by keeping the hard-to-remember codes written down. Passwords were found written down by users during 15% of on-site security audits Trustwave performed for clients in 2011.
One common method for crafting a memorable, yet secure password: Think of a simple phrase, but replace some letters with other characters — for example, use “@” for “a,” “3” for “E,” and “!” for “I.”
Read our other tips for creating secure, memorable passwords and share them with users.
4. Train users to manage passwords securely
It’s not enough to just choose a secure password — there are a number of ways passwords can be obtained by hackers no matter how complex they are.
That bad habit of writing passwords down can result in password theft, and users can also fall victim to social engineering attacks or have their machines loaded with keystroke logging software. IT departments should train users to avoid those issues, as well as take steps to eliminate technical vulnerabilities that threaten password security.
Do you have any other advice for improving password security? Share your ideas in the comments section below.