Weak Security Prevails With 12345 Among Most Common Passwords for 2011

The 25 most popular passwords in 2011 include such gems as "password" and "123456," according to an analysis of various lists and databases dumped online by hackers this year.

Internet users were selecting common names, numeric sequences and keyboard layouts as their passwords online, according to the 2011 Worst Passwords of the Year list released Nov. 21 by password management company SplashData. Common passwords included "qwerty," "letmein," "monkey" and "qazwsx."

Combining letters and numbers is a good tactic for selecting strong passwords, but not when it's "abc123," "passw0rd" or "trustno1." Attackers can easily brute-force their way into accounts by repeatedly trying common passwords, said Morgan Slain, CEO of SplashData. While some sites lock out users after too many incorrect attempts, some, such as Amazon, don't, giving attackers all the time they need.

The Morto worm, which made the rounds in August, attacked Windows servers via the Remote Desktop Protocol by trying a list of 30 common passwords for the Windows Administrator account. Some of the passwords on Morto's list, such as "letmein," "123123" and "111111" were also on SplashData's list.

There is a strong overlap with previous analysis of the data stolen and dumped from Gawker Media in 2010. Even with the number of organizations compromised this year and users receiving notifications letters recommending they change their passwords to something much stronger, it doesn't seem the message is getting through. This is why some security experts are recommending a drastic step: eliminating passwords.

From the perspective of users, there are too many IDs and passwords, and the number of places they need to log in will continue to grow, according to Patrick Harding, CTO of Ping Identity. "Everyone wants to reduce the number of times you have to type in a password," Harding told eWEEK.

Harding advocates using a third-party authentication service, such as using Google credentials to log into non-Google sites or using Facebook Connect from the social networking giant. Enterprises can even extend their existing Active Directory deployments to cover other applications. The idea is to implement "secure federation policies," whether it's based on Security Assertion Markup Language (SAML), OpenID or some other standard, to handle authentication across multiple sites, according to Harding.

There are two parts to the "password problem," where users are using weak passwords and reusing them across multiple Websites and services. The goal is to reduce the number of places that require authentication, and then enforce strong rules on the areas where login is required, Harding said. It's much more manageable and cost-effective to apply advanced capabilities such as phone-based or token-based authentication technologies to a handful of entry points than for every application, service and device, according to Harding. "What you end up enabling is single sign-on," Harding said.

Several companies are releasing services with the same mindset. Okta, a start-up that came out of stealth mode this year, provides single sign-on for cloud applications. Enterprise users log in to the Okta platform and have access to multiple cloud services, including Salesforce.com, Google Docs and even Twitter. Symantec also rolled out the early access program for its Symantec O3 cloud security service at the Vision conference in Barcelona in October. O3 creates a single "control point" for cloud applications and systems and allows employees to use the same identity and security profile across all systems.

Harding said the White House's National Strategy for Trusted Identities in Cyber-space, unveiled earlier this year, is "in line" with his secure access vision. Instead of relying on passwords to access a myriad of services, there is a trusted broker that takes on the role for multiple sites. The service provider can adopt the appropriate technologies to properly secure authentication, freeing up individual sites from having to act as a security broker.

There are a lot of misconceptions surrounding NSTIC, but once people realize what it's about, there will be more support for the strategy, according to Harding.