Skip to content
Naked Security Naked Security

Once again, it’s 123456: the password that says ‘I give up’

A new survey says 46% of users find security confusing, which helps explain how that old clunker keeps popping to the top of breach lists.

The essence of most people’s regard for cybersecurity: we’re DOOMED.

That’s one of the key takeaways from the UK’s National Cyber Security Centre (NCSC), which released the results of its first ever UK cyber survey on Sunday, along with a list of the most craptacular passwords found most often in breached databases.

The findings were released ahead of the NCSC’s CYBERUK 2019 conference in Glasgow this week.

Some of those doomy gloomy findings: 70% of the 1,350 Brits surveyed between November 2018 and January 2019 believe they’re going to be cyber-pounced on sometime in the next two years, and it will put on some hurt, aka a “big personal impact.”

Many people – 37% – think that getting mugged online for money or personal details is inevitable these days. Losing money is the biggest concern, with 42% feeling it’s likely to happen by 2021. That’s not keeping them from buying stuff online, though: 89% are using the internet to make online purchases, and 39% say they do so on a weekly basis.

Although 80% said that cybersecurity is a “high priority,” that doesn’t mean that the doomed plan to do anything about it. In fact, some of the groups most likely to say it’s a priority are the least likely to take protective action. For example, older people – those aged 55-64 – are the likeliest to say it’s a high priority, and 16-24 year-olds are least likely to prioritize it. However, the youngsters are more likely to say they’re capable when it comes to cybersecurity, and they’re more likely to flip the switch on some protection.

Protective action like, say, these things, which these numbers of people are likely to do “always”:

  • Use password/passcode/PIN to unlock smartphones or tablets: 70%
  • Use a strong and separate password for main email account: 55%
  • Install the latest software and app updates once you notice that they are available: 46%
  • Check emails, texts or social media messages, including those from known contacts, to see whether they are genuine: 35%
  • Turn on and use two-factor authentication (2FA) for your main email account: 25%
  • Report any phishing emails by hitting the ‘Spam’ or ‘Report phishing’ button: 21%
  • Save passwords using a password manager on smartphone or tablet: 14%

Those and other security behaviors cited in the survey are typically more prevalent among 16-54 year olds, with drop off among those aged 55+. Besides being young, being well-heeled also helps, with affluent people reporting better security hygiene. The survey noted that regardless of age, there are also variations due to levels of internet usage and device ownership.

We can surmise that, as we’ve heard before, much of the turnoff comes from confusion. Almost half – 46% – of the people surveyed said that instructions about staying safe online are confusing.

Is “Confusion” a dEc3ntPassw0rd?

For years, “This is too hard!” has been the reason cited for why people use easy-to-remember passwords such as anniversaries, or their pets’ names, or, of course, one of the picks from the rogues’ gallery of the most frequently spotted passwords that turn up in breached databases.

The NCSC, in collaboration with Have I Been Pwned’s Troy Hunt, released a file containing his data set’s top 100,000 most commonly reoccurring breached passwords. You can download the full file here. If you spot any of your own passwords on that list, it’s imperative that you change it – whatever account(s) it’s supposed to be protecting are sitting ducks.

In that list, “123456” once again showed up at the tippity top, being found in use 23.2m times. While there’s nothing that whispers “I give up” quite as fervently as that one, No. 2 comes close: it was “123456789,” being found 7.7m times.

Also making their many, predictable appearances were these gnarly, old, easily guessables:

  • qwerty (3.8m)
  • password (3.6m)
  • 1111111 (3.1m)

Then too, there are names used as passwords: “ashley” took the cake as the most popular, appearing 432,276 times in breached databases. Liverpool won when it came to the most frequently found Premier League football team names, while blink182 won it for musician names. “Superman” showed up as the most common fictional character name.

These are all weak passwords, but you don’t have to use ones like this. Best practice is to combine upper/lowercase letters with digits and punctuation/special characters – make them as long and complex as possible.

And, of course, one password isn’t enough. You need to have a different password for each online account you have.

Nobody expects you to remember a grocery list worth of complicated passwords, and that’s why we believe in using password managers to create them and/or to store them all and fill them in.

Are those hard to use? Well, they’re more involved than “ashley,” but not beyond the grasp of most people – particularly if they fear getting victimized by cybercrime, which is a very wise thing to worry about.

9 Comments

Funny. I have the same combination on my luggage,

What does it say that 32 years of technological evolution after that movie came out and that joke is still relevant because it’s still true?

At what point do we put the responsibility on site owners to make their system not allow these passwords anymore?

Excellent point. Most systems these days do have minimum password requirements that prevent you from using something as simple as 123456, why not have an internet standard that every site or system is required to use? That way users will have a consistent expectation of what is required for a password.

On a side note I was recently appalled when the reason a website wasn’t accepting my new password was that it was too long… …can a password ever be too long?

If you’re a website accepting passwords, I think you can set a limit to stop overload and possible DDoSes, given that you have to hash the data that’s sent over.

Allowing a 10,000,000-character password doesn’t seem terribly useful, so I think imposing a limit is reasonable, as long as it’s generous, for example 1024 characters.

You could probably make a case for cutting off passwords at 256 or even 128 characters if you really wanted…

…but 16 characters? 12? 10, even, which I’ve heard of recently? In an era of password managers? What’s that all about?

There’s something unappealing about pasting in the output of, say dd if=/dev/urandom bs=24 count=1 | base64 - and being told it’s “too long” (or, just as bad, that it’s “not secure” because it happened to come out without a punctuation character in it), and then putting in Password99! and being told you’re a Clever Chap because you had at least one each of lower, upper, digit and punctuation.

> it’s 123456: the password that says ‘I give up’

But… these are the same people using Chrome, working on Windows, pretending to be protected by Apple and chatting endlessly on Facebook. They already know that their information is being shared with unnamed countless 3rd-parties, their data collected, their voices recorded and saved, their Faces ID’d…

A strong password is like putting a lock on the front door when the side of the building has collapsed. The strongest password in the world doesn’t mean a thing if a company like Facebook leaves it exposed in clear text. Is there a single major site that hasn’t been “hacked”. The entire system is a cesspool – starting from the very top.

I wonder how many folks get personally hacked one at a time vs data breaches at any number of multi million user hacks that have occurred. Frankly, I think knowing my password(s) gets you bupkiss. If you stole my username and password stored in the clear on some asshat website no matter how complex it is, they screwed it up. Best thing is to burn my computer and dig up that coffee can in the yard. Bank of Folgers don’t ya know.

This URL
https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordTop100k.txt

Is no longer available, does anyone know if it’s still available at a different link?

Wayback Machine has it :-) [Well, it did at 2020-02-24T19:00Z. The first snapshot taken in 2020 captured the “sorry, not found” page but when I went back to the 2019 snapshots it was there.]

web.archive.org if you haven’t used it before.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?