The 25 worst passwords of 2019, and 8 tips for improving password security

Blacklist these 25 passwords now and use these tips to improve enterprise password security.

Educate users on what makes a password safe

A safe password doesn’t appear anywhere else in the public realm (such as in dictionaries), doesn’t appear anywhere in private (such as other accounts users have), and contains enough random characters that it would take an eternity to guess the password, even when using brute-force or rainbow table techniques, says Archer.

Regularly perform password audits

Ideally, your organization should use an authentication system that allows for password audits, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC). “Look for things like password reuse across employees or use of common words or common words with simple character replacements. If you uncover a weak password, use the event as a learning opportunity for users.”

Don’t villainize mistakes

Create an environment in which employees feel comfortable raising questions or concerns about security, especially if they suspect they may have slipped up, suggests 1Password’s Davey. “Don’t villainize people,” he says, because they may be afraid to tell you when they’ve made a mistake. “If you know about security issues as they arise, you can act quickly to address the initial threat and take steps to prevent it from happening in the future.”

Require users to generate passwords with all of the character types

This includes upper- and lowercase letters, numbers and symbols, advises Shayne Sherman, CEO of online technology knowledgebase TechLoris. “Use an algorithm that compares passwords to users’ previous passwords to prevent incrementing.”
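The three checks above (blacklisting common words even when letters are swapped for look-alike characters, auditing for the same password on several accounts, and rejecting a new password that only increments the old one) can be implemented in one small policy module. The following is an added example written for this article, not code from the article or from any vendor quoted in it. The blacklist, the minimum length, the sample accounts and the audit key are all constructed placeholders (the article’s own list of 25 passwords is not reproduced here), and the keyed-fingerprint approach to cross-account reuse detection is a design assumption, not something the article prescribes.

```python
"""Password policy checks and a reuse audit (added example, not from the article).

Assumptions (not in the article): BLACKLIST, MIN_LENGTH, SAMPLE_PASSWORDS and
ORG_AUDIT_KEY are constructed placeholders; the HMAC fingerprint scheme is a
design choice made for this example.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed stand-in for a list of known-bad passwords.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Undo the "simple character replacements" an audit should see through (p@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # constructed policy value


def variants(password: str) -> set[str]:
    """Forms of the password that should be compared against the blacklist:
    lower-cased, with leet substitutions undone, and with any trailing
    digits/symbols removed ('Password123!' -> 'password')."""
    low = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)}


def root(password: str) -> str:
    """Letters-only core of a password, so 'Winter2019!' and 'Winter2020!' collide."""
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", stripped.translate(LEET))


def check_password(candidate: str, previous: list[str]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": re.search(r"[A-Z]", candidate),
        "lowercase": re.search(r"[a-z]", candidate),
        "digit": re.search(r"\d", candidate),
        "symbol": re.search(r"[^A-Za-z0-9]", candidate),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    if variants(candidate) & BLACKLIST:
        problems.append("matches a blacklisted password (after undoing simple character substitutions)")
    if candidate in previous:
        problems.append("identical to a previous password")
    elif root(candidate) and root(candidate) in {root(p) for p in previous}:
        problems.append("only digits or symbols changed from a previous password (incrementing)")
    return problems


def reuse_fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed fingerprint recorded at password-set time so a later audit can spot
    the same password on two accounts without keeping the password itself.
    Assumption: the key is held by the audit system, apart from the credential store."""
    return hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()


def audit_reuse(fingerprints: dict[str, str]) -> list[set[str]]:
    """Group accounts that share a fingerprint; each returned set is one reuse finding."""
    by_fp: dict[str, set[str]] = defaultdict(set)
    for user, fp in fingerprints.items():
        by_fp[fp].add(user)
    return [users for users in by_fp.values() if len(users) > 1]


ORG_AUDIT_KEY = b"placeholder-audit-key"  # placeholder only

# Constructed sample: three accounts, two of which chose the same password.
SAMPLE_PASSWORDS = {"alice": "Tr0ub4dor&3xample", "bob": "Spring2020!!", "carol": "Spring2020!!"}


def run_sample_audit() -> list[set[str]]:
    """Fingerprint the constructed sample accounts and report shared passwords."""
    fps = {user: reuse_fingerprint(pw, ORG_AUDIT_KEY) for user, pw in SAMPLE_PASSWORDS.items()}
    return audit_reuse(fps)


if __name__ == "__main__":
    print(check_password("P@ssw0rd", []))
    print(check_password("Winter2020!", ["Winter2019!"]))
    print(check_password("Correct-Horse-Battery-9", []))
    print(run_sample_audit())
```

The fingerprint deliberately trades the slow, per-user salt of a normal password hash for comparability across accounts, which is exactly why it must be keyed and why that key belongs with the audit tooling rather than next to the credential database; if the two were stored together, a single breach would expose a fast, unsalted oracle for every account.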

The passwordless future is imminent — or is it?

In the near future, will concerns about weak and strong passwords become irrelevant, thanks to alternative forms of authentication such as biometric facial and fingerprint scans? Some cybersecurity experts don’t buy the passwordless dream. “I don’t think we’ll ever be completely free of passwords,” says Mackey of Synopsys CyRC. “Even when single sign-on or social media authentication paradigms are used, there remains a need to identify a user. While biometric solutions offer promise, such solutions are best employed as an additional factor in a multi-factor strategy.”

Biometric authentication has its drawbacks, adds Juniper Networks’ Global Security Strategy Director Laurence Pitt. “One drawback to biometrics is that they can be stolen just as easily as someone can steal your credit card,” he says. “Another drawback is that there are other environments in which these authentication methods just aren’t feasible. This can lead people to default on password-only authentication, which isn’t enough.”

Internet of Things (IoT) devices add yet more complexity to the hope of a passwordless future, says Assaf Harel, chief scientist and co-founder at Karamba Security. “These devices usually come with easy-to-guess or search default passwords. So, they can become a playground for many botnets, such as Mirai, that look for a passive fleet of devices to serve their distributed denial of service campaigns. IoT devices require a fresh look into how to integrate multifactor authentication into single-purpose devices to make botnet recruitment efforts much more difficult.”

Yet, some experts predict we’re on our way to a passwordless future. “Change takes time, but I wouldn’t be surprised if we eventually live in a passwordless world,” says Peter Purcell, co-founder of EVAN360, a remote technology support platform. In the meantime, Purcell says security measures such as face and fingerprint scans, USB security keys and voice biometrics will increasingly give enterprises more advanced user authentication.

For example, Purcell points out that in 2017, Google began requiring all employees to use physical security keys in place of passwords and one-time codes. The company reported one year later that none of its employees had been successfully phished as a result.

Biometrics “will certainly free us from passwords and make authentication easier and more reliable,” adds McAfee CIO Scott Howitt. “In the past, the problem with biometrics, such as facial recognition, was the amount of computer horsepower needed to run systems like that. Today, these systems run in the cloud and are fast and efficient. The key is that biometrics must be easy to use as well as reliable. Users have to be able to trust that whatever biometrics they set up actually work to make their lives easier rather than more difficult.”

Ultimately, the transition to “truly passwordless authentication is going to be a journey,” says Jim Ducharme, RSA’s vice president of identity and fraud and risk intelligence products. “Today, all passwordless authentication is rooted and reliant on a password and username for account enrollment and recovery. While passwordless authentication such as face and fingerprint ID is common on many devices, accounts are still established with a password, and if your device is lost or stolen, the account is recovered using a password.”

To achieve a passwordless world, then, we need an approach that considers credential enrollment, recovery and ways for users to securely authenticate on devices that don’t support biometrics or Fast Identity Online (FIDO) capabilities.

“These new methods of authentication, combined with more secure enrollment and recovery mechanisms, and layered with risk-based authentication, are the keys to eliminating the use of passwords completely,” Ducharme says. “Or at least, they’ll allow us to dramatically reduce the complexity of a password to look more like a simple four-digit PIN.”
