Hundreds of thousands of devices are hacked due to the use of insecure default passwords.

DDoS botnets such as Mirai, whose source code is publicly available, scan the internet for these poorly protected devices and then subject them to various forms of attack, resulting in anything from stolen information to device manipulation and sabotage of operations.

Earlier this year, security firm Keeper conducted a study of 10 million passwords that became public through data breaches that occurred in 2016. From that data, the 25 most common passwords were:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321
  11. qwertyuiop
  12. mynoob
  13. 123321
  14. 666666
  15. 18atcskd2w
  16. 7777777
  17. 1q2w3e4r
  18. 654321
  19. 555555
  20. 3rjs1la7qe
  21. google
  22. 1q2w3e4r5t
  23. 123qwe
  24. zxcvbnm
  25. 1q2w3e

The default credentials most commonly targeted on IoT devices are much the same, if not worse, with devices being protected by passwords such as “admin”, “user” and even no password at all.

According to Keeper, the list of the most common passwords has changed little over the past few years, despite increased user education. In regard to IoT devices, this suggests that the onus must be on the developer to ensure users are automatically prompted to set a password when setting up the device, disabling the use of default passwords. The developer should also implement controls that enforce minimum length and complexity requirements, multifactor authentication and other security measures.

This need for controls dictating minimum length and complexity requirements is reinforced by the fact that four of the top 10 passwords and seven of the top 15 are six characters or less. According to Keeper, such passwords can be cracked in seconds.

Furthermore, passwords such as “1q2w3e4r” and “123qwe” are examples of sequential key variations, which some users may adopt thinking they are safer than passwords such as “qwerty” or “12345”. However, dictionary-based password crackers know to look for sequential key variations and will not be fooled.

Some general rules for creating a secure password:

  • Create a password that is at least 8 characters, with a mixture of letters (upper and lower case), numbers and other characters
  • Do not use common phrases or words found in a dictionary
  • Do not use composition rules (e.g. device name + year or user + factory name)
  • Do not keep passwords in text files, spreadsheets or other unprotected documents
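The minimum-length and complexity controls called for above, the rejection of sequential key variations such as “1q2w3e4r” and “123qwe”, and the general rules just listed can all be enforced at the point where a device first prompts the user to set a password. The checker below is an added example, not code from the article or from Keeper; the common-password set is built from the article's list plus the “admin”/“user”/empty defaults it names, the dictionary wordlist is a tiny constructed stand-in for a real one, and the `context` argument (device model, username, vendor) is an assumed interface for catching device name + year style composition rules.

```python
"""Password-policy checker for an IoT device's first-boot setup flow (added example)."""
import re
from typing import Iterable

# Constructed from the article's 25 most common passwords plus the IoT defaults it
# names ("admin", "user" and an empty password).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm",
    "1q2w3e", "admin", "user", "",
}

# Tiny constructed stand-in for a real dictionary wordlist.
DICTIONARY_WORDS = {"password", "welcome", "camera", "router", "summer", "dragon"}

# Rows of a US QWERTY keyboard; a run along one row, forwards or backwards, is a
# "sequential key variation" in the article's sense.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 8


def _longest_row_run(s: str) -> int:
    """Length of the longest window (3+ chars) of s that lies on one keyboard row."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    best = 0
    for i in range(len(s)):
        for j in range(i + 3, len(s) + 1):
            if any(s[i:j] in row for row in rows):
                best = max(best, j - i)
    return best


def is_keyboard_walk(pw: str) -> bool:
    """True for qwerty-style runs and for interleaved walks such as 1q2w3e4r."""
    alnum = "".join(c for c in pw.lower() if c.isalnum())
    if _longest_row_run(alnum) >= 4:
        return True
    digits = "".join(c for c in alnum if c.isdigit())
    letters = "".join(c for c in alnum if c.isalpha())
    # 1q2w3e4r splits into "1234" and "qwer", each a complete row prefix.
    return (len(digits) >= 3 and len(letters) >= 3
            and _longest_row_run(digits) == len(digits)
            and _longest_row_run(letters) == len(letters))


def check_password(pw: str, context: Iterable[str] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    `context` (assumed interface) carries strings the device knows about itself and
    the user, such as model name, username or vendor, so that passwords composed from
    them (device name + year, user + factory name) are caught.
    """
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("common or default password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if not all(classes):
        problems.append("needs lower case, upper case, digits and other characters")
    letters_only = "".join(c for c in low if c.isalpha())
    if letters_only in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if is_keyboard_walk(pw):
        problems.append("sequential keyboard pattern")
    for token in context:
        if len(token) >= 3 and token.lower() in low:
            problems.append(f"contains known value '{token}'")
    if re.fullmatch(r"[a-z]+(19|20)\d{2}", low):
        problems.append("word followed by a year")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "1q2w3e4r", "123qwe", "Camera2019", "Vg7#pLq2mZ"]:
        print(repr(candidate), "->", check_password(candidate, context=("camera",)) or "ok")
```

The keyboard-walk check is what distinguishes “1q2w3e4r” from a random string of the same classes: split into digits and letters, both halves are complete prefixes of a keyboard row, which is exactly the structure a dictionary-based cracker enumerates. A shipping device would replace `DICTIONARY_WORDS` and `COMMON_PASSWORDS` with full breach-derived lists and run this check before accepting the first password the user sets.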

Another interesting article on this topic can be found at: https://pixelprivacy.com/resources/reusing-passwords/

Thanks Bill