Are Weak Passwords the Biggest Threat to Data Security and Privacy?

People have gotten a little smarter about making passwords longer. But they continue to rely on passwords that can be easily broken, leading to data theft. That's according to the latest annual password study from SplashData.

Christopher Tozzi, Contributing Editor

January 27, 2016

2 Min Read
Are Weak Passwords the Biggest Threat to Data Security and Privacy?

People have gotten a little smarter about making passwords longer. But they continue to rely on passwords that can be easily broken, leading to data theft. That’s according to the latest annual password study from SplashData.

The report, “Worst Passwords of 2015,” is based on a review of more than two million passwords that were leaked in the last year, primarily from users in North America and Europe.

The report did not reveal a great deal of new trends in password creation. “123456” and “password” remained the most popular passwords, retaining their positions from last year.

SplashData reports, however, that users are now creating slightly longer passwords. “1234567890” and “qwertyuiop” debuted on the list of the top twenty-five most common passwords in this year’s report.

Of course, as SplashData notes, those passwords are simply slightly longer variations on the same theme of easily guessable passwords. They’re essentially no harder for an attacker to break than shorter passwords.

To implement truly secure passwords, the company encourages users to deploy password management software like the kind it sells. That’s one solution.

Barring that, users can at least create passwords that are sufficiently random not to appear on lists of words or other strings that attackers use to break passwords via what is usually called a dictionary attack.

The other way to break passwords is to rely on brute force. That means cycling through all possible combinations of characters until a password is found. That method only works well with passwords that are under about eight characters, however — so longer passwords cannot effectively be brute-forced.

Of course, the bigger question might be whether poor password practices on the part of users are still the greatest threat to data privacy. Many of the big breaches that have made headlines in recent years have involved attackers breaking into vast data caches on servers, not stealing individual account information by obtaining users’ passwords. We can blame lazy users for creating passwords like “password” — or we can force them to create longer, more secure passwords filled with random characters, which they are likely to forget — but that won’t solve today’s biggest data security challenges.

Read more about:

AgentsMSPsVARs/SIs

About the Author

Christopher Tozzi

Contributing Editor

Christopher Tozzi started covering the channel for The VAR Guy on a freelance basis in 2008, with an emphasis on open source, Linux, virtualization, SDN, containers, data storage and related topics. He also teaches history at a major university in Washington, D.C. He occasionally combines these interests by writing about the history of software. His book on this topic, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” is forthcoming with MIT Press.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like