Easy-to-guess passwords still in common use: Trustwave

Security vendor finds people are still using simple passwords such as “password1” online

Fifty per cent of users, including employees, are still using simple passwords that can be easily guessed, according to Trustwave’s global security report.

It claims “password1” is the most common choice for users.

As for why this is the case, Trustwave managing consultant, Marc Bown, said it comes down to education.

“Everyone in IT security has talked about education about passwords,” he said.

“However, the feedback has been that even if someone is told to have a good password a hundred times, they still won’t do it.”

The problem is that only telling people to have a good password is not enough.

“They have to be told why they need to have a good password, because most users don’t understand,” Bown said.

The majority of users do not think passwords are a “big deal” and do not look at the “big picture to make a risk assessment” on how important their password is.

Thus, Bown said the key is to educate them on why they need a good password, as well as how to get one.

“Most people complain about changing their password and not being able to remember it, because it needs to be a stupid combination of numbers and letters,” he said.

“What we know as an industry is that it doesn’t need to be a stupid combination of numbers and letters, as that does not really slow down an attacker much.”

Instead, it is really about the length of the password, so Bown said the most important thing a user can do is to pick a longer password.

“Teaching users how to pick a longer password and how to remember it, such as a sentence, is a thing that we can do,” he said.
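To put numbers behind the length-over-complexity point, the following is an added example (not code from the article or from Trustwave) that compares the guess space of several password policies. The cracking rate of 1e11 guesses per second and the policy definitions are assumptions chosen for illustration; the "lowercase sentence" rows assume characters chosen uniformly at random, which is an upper bound, so a row for a passphrase of random dictionary words is included as the more honest comparison.

```python
import math

# Added example, not from the article: compare the guess space (in bits) of
# short "complex" passwords against longer, simpler ones. Assumes a brute-force
# attacker who knows the policy; the guess rate below is an illustrative assumption.

CHAR_CLASSES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 33,   # printable ASCII punctuation
}


def charset_bits(length, classes):
    """Bits of guess space for `length` characters drawn uniformly from `classes`.

    For a real sentence the characters are far from uniform, so this is an
    upper bound; it still shows how quickly length outgrows character classes.
    """
    size = sum(CHAR_CLASSES[c] for c in classes)
    return length * math.log2(size)


def passphrase_bits(words, wordlist_size):
    """Bits for `words` words chosen uniformly at random from a list."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at a given offline cracking rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(guesses_per_second=1e11):
    """Return {policy: (bits, years to exhaust)} for a few assumed policies."""
    policies = {
        "8 chars, all classes": charset_bits(8, ["lower", "upper", "digit", "symbol"]),
        "12 chars, lowercase": charset_bits(12, ["lower"]),
        "20 chars, lowercase sentence": charset_bits(20, ["lower"]),
        "5 random words, 7776-word list": passphrase_bits(5, 7776),  # diceware-style list
    }
    return {
        name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

At the assumed rate, the eight-character password that satisfies every character-class rule is exhausted in under a day, while twenty lowercase characters take billions of years even before discounting for non-random sentences; five random words from a 7776-word list give around 65 bits, comfortably above the eight-character policy.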

Another thing that has become relevant with passwords in the last year is password re-use.

With the proliferation of online services, Bown said most users will use the same password everywhere, such as their login for work, for blogs or social networks.

“As more and more sites become compromised, there are massive username and password lists that are sourced from those compromises and available on the Internet,” he said.

For that reason, Bown said it is important for people not to use the same passwords on services that could become compromised, thereby disclosing their password.

“People are looking at those password lists and using them to crack into other services to target individuals,” he said.
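One defensive control that follows from the reuse problem is to screen new passwords against credentials already exposed in other services' breaches, rather than relying on character-class rules. The following is an added example (not code from the article or from Trustwave): the leaked list is constructed for the example, the 14-character minimum is an assumed policy, and the five-character SHA-1 prefix bucketing mirrors the k-anonymity range-query pattern used by breach-lookup services, so a client can check a password without revealing its full hash.

```python
import hashlib

# Added example, not from the article: screen a candidate password against
# passwords known to have leaked from other services, comparing hashes rather
# than plaintext. The leaked list is constructed for this example.
LEAKED_PASSWORDS = [
    "password1",
    "123456",
    "qwerty",
    "letmein",
    "Summer2012",
    "correcthorsebatterystaple",   # long, but widely published and therefore in lists
]


def sha1_hex(password):
    """SHA-1 of the password, upper-case hex, as breach corpora usually store it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(leaked):
    """Map the first 5 hex characters of each hash to the set of hash suffixes.

    This is the k-anonymity bucketing used by range-query breach APIs: a
    client sends only the 5-character prefix, receives the bucket, and
    matches the remaining 35 characters locally.
    """
    index = {}
    for pw in leaked:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_leaked(password, index):
    """True if the password's hash appears in the index."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_new_password(password, index, min_length=14):
    """Return (accepted, reason): a length floor plus a breach screen.

    Deliberately no character-class rules; min_length is an assumed policy value.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_leaked(password, index):
        return False, "appears in a known credential leak"
    return True, "ok"


if __name__ == "__main__":
    index = build_index(LEAKED_PASSWORDS)
    for candidate in ["password1", "correcthorsebatterystaple", "tuesday the kettle whistles"]:
        print(candidate, "->", check_new_password(candidate, index))
```

The point of the last candidate is that a memorable sentence passes both checks, while a long string that has already been published fails the breach screen regardless of its length.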

Other key findings in the report included an average of 210 days elapsing between a security compromise and its detection.

“It’s a really long time and an attacker can do a lot in that period, because they’re not being detected,” Bown said.

Mobile menace

When it came to mobile malware, Trustwave’s report found a 400 per cent increase last year, particularly on Android.

Bown attributes this number to being “about economics.”

“The attackers do this stuff for a reason, whether it is financially motivated or for an ideological reason,” he said.

On the financial front, as long as cyber criminals are making money from this, they will keep coming up with methods to compromise devices.

“While there may be controls in place to prevent malware, so long as those are making money out of this, and they are, they’ll continue to do it and look for new ways,” Bown said.

So far, most of the malware Trustwave has seen on Android is malware that steals or sends SMS messages.

“They put an app up that looks legitimate and they will get people to download it,” Bown said.

“In the background the app will send SMS messages to premium rate numbers operated by the person who did the app.”

While Bown admits these types of activities are “not especially advanced,” he adds that the safeguards in place are “fairly rudimentary.”

“In the last 18 months, Google Play has had some controls that attempted to detect malware within applications uploaded to the marketplace, but there are a large number of third party marketplaces within the Android ecosystem,” he said.

Bown adds that it is mainly in third-party app stores that malware is being found.

Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.
