Out-Law News 2 min. read
12 Mar 2009, 7:59 am
Sophos advises using a different password for every sensitive account to thwart hackers, but 33% of respondents said they use the same password for everything. It found that 48% of the 676 survey respondents used a few different passwords.
The situation is at least a small improvement on three years ago when 41% of those asked by Sophos said they had just one single password for all sites and accounts. There is still a long way to go, though, said the company.
"It's worrying that in three years very few computer users seem to have woken up to the risks of using weak passwords and the same ones for every site they visit," said Graham Cluley, senior technology consultant at Sophos.
Cluley said that the dangers of single-password usage were growing as people's online behaviour changed and as they signed up for an increasing number of online services.
"With social networking and other internet accounts now even more popular, there's plenty on offer for hackers and by using the same password to access Facebook, Amazon and your online bank account, you're making it much easier for [fraudsters]," he said. "Once one password has been compromised, it's only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain."
There is evidence that users' security is being compromised not just by the number of passwords they choose but by what they choose to be those passwords.
Security consultant Robert Graham of Errata Security last month analysed the 20,000 user passwords that were published when the website phpbb.com was hacked. The site placed no constraints on how complex or simple a password could be, and Graham found that users were choosing passwords that made their accounts very easy to crack, such as ordinary dictionary words.
"I ran the phpbb passwords through various dictionary files and came up with a 65% match (for a simple English dictionary) and 94% (for 'hacker' dictionaries)," Graham explained in a blog post. "The dictionary words were overwhelmingly simple ones, like 'apple' or 'orange,' rather than complex words like 'pomegranate.'"
Graham found that 16% of passwords matched a person's first name. "This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie," he said.
Joshua was the most popular name, and Graham said that may be because it is the password used in the 1980s hacking film WarGames. Phpbb.com is a bulletin board system, so the site is likely to be used by computer programmers.
The other very large category of passwords was patterns on a keyboard, such as '1234' or 'qwerty'.
Sophos said that users should not pick dictionary words because attackers can simply run a dictionary attack, trying every entry in a wordlist against the account or against a leaked password database until one matches.
"It's easy to understand why computer users pick dictionary words as they're much easier to remember," said Cluley. "A good trick is to pick a sentence and just use the first letter of every word to make up your password. To make it even stronger, you can replace words like 'for' with the number 4, and this should give you peace of mind that your password won't be guessed."
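The kind of wordlist analysis Graham describes above, and the check that a sentence-initialism password of the sort Cluley recommends survives it, as an added example that is not part of the original article or of Graham's or Sophos' own tooling. It runs on a constructed sample of twenty made-up passwords rather than the phpbb.com dump, and the tiny "simple English", "first name" and keyboard-row lists are assumed stand-ins for real cracking dictionaries. It goes one step beyond the article's simple-dictionary match by also undoing common leet-speak substitutions (4 for a, 0 for o, @ for a, and so on), which is what a "hacker" dictionary or mangling rule does and why the match rate against it is so much higher.

```python
"""Classify a leaked plaintext password list against cracker-style wordlists.

Added example: constructed sample data and toy wordlists, not the
phpbb.com dump or the dictionaries Graham used.
"""
from collections import Counter

# Constructed sample standing in for a leaked plaintext password list.
SAMPLE_PASSWORDS = [
    "apple", "orange", "joshua", "thomas", "qwerty", "1234",
    "p@ssw0rd", "Joshua1", "michael", "asdfgh", "Tr4n$fer",
    "Ihtfr4tt", "dragon", "charlie", "letmein", "zxcvbn", "m4tr1x",
    "banana1", "12345678", "Xk9#vQ2m",
]

# Assumed stand-ins for real wordlists (a real English list has ~100k words).
SIMPLE_ENGLISH = {"apple", "orange", "dragon", "banana", "password",
                  "matrix", "transfer", "letmein"}
FIRST_NAMES = {"joshua", "thomas", "michael", "charlie"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Leet-speak substitutions a "hacker" dictionary or mangling rule undoes.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case, drop a trailing digit suffix, then undo leet substitutions.

    Digits are stripped *before* the leet translation so that 'banana1'
    becomes 'banana' rather than 'bananai'.
    """
    return pw.lower().rstrip("0123456789").translate(LEET)


def is_keyboard_pattern(pw: str) -> bool:
    """True if the password is a run of adjacent keys along one keyboard row."""
    s = pw.lower()
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def matches_simple_dictionary(pw: str) -> bool:
    """Plain lookup, the way a simple English dictionary file would match."""
    return pw.lower() in SIMPLE_ENGLISH


def matches_hacker_dictionary(pw: str) -> bool:
    """Lookup after normalisation, plus names and keyboard walks."""
    base = normalise(pw)
    return (is_keyboard_pattern(pw)
            or base in SIMPLE_ENGLISH
            or base in FIRST_NAMES)


def classify(pw: str) -> str:
    """Assign one category per password; keyboard walks take priority."""
    if is_keyboard_pattern(pw):
        return "keyboard"
    base = normalise(pw)
    if base in FIRST_NAMES:
        return "first_name"
    if base in SIMPLE_ENGLISH:
        return "dictionary"
    return "other"


def analyse(passwords):
    """Return match rates and category shares for a password list."""
    n = len(passwords)
    counts = Counter(classify(pw) for pw in passwords)
    names = Counter(normalise(pw) for pw in passwords
                    if normalise(pw) in FIRST_NAMES)
    return {
        "simple_dictionary_rate": sum(map(matches_simple_dictionary, passwords)) / n,
        "hacker_dictionary_rate": sum(map(matches_hacker_dictionary, passwords)) / n,
        "categories": {c: counts[c] / n
                       for c in ("dictionary", "first_name", "keyboard", "other")},
        "top_first_names": names.most_common(3),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PASSWORDS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the plain dictionary lookup matches 20% of passwords, while the normalising "hacker" lookup matches 90%, reproducing the gap Graham reports between his two dictionaries. The two passwords that survive are the random 'Xk9#vQ2m' and 'Ihtfr4tt', an initialism built from a sentence in the way Cluley suggests; note that the leet step maps its '4' back to 'a' without producing a dictionary word, so the substitution is not what protects it, the unpredictable letter sequence is.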