‘Bigbasket’, ‘12345’, and ‘12345678’ were among the most popular passwords in use in India from 2019 till 2021, according to a report by Nordpass, a password management solution from German cybersecurity company, Nord Security.
Researchers at Nordpass pointed out that whenever popular films and shows are released, people start using those names as their password. Examples are: Batman, Euphoria, and Encanto which were some of the most popular releases in 2021/ 2022. People used ‘batman’ 2,562,776 times, ‘euphoria’ 53,993 times, and ‘encanto’ 10,808 times, globally, as passwords.
While these would be easy to remember, it’s a terrible practice, as these are too easy to hack.
Karmesh Gupta, co-founder and CEO, WiJungle, a Haryana based cyber security company, said that people are well aware of the fact that keeping common passwords like 12345 or keeping their first name as the password or the last name as the password is like shutting their door without locking it.
"Eventually, you are allowing anyone to enter your space. These common passwords are there in the library of every hacker and while they are trying to enter your account, they will easily get the access. This has to be avoided," added Gupta.
Here are some cyber hygiene tips for properly using passwords.
Never Re-Use A Password: Passwords should ideally vary across different apps and websites. That said, most people struggle to remember passwords and hence use common passwords which are easy to remember. Not only that, they also tend to repeat passwords.
According to a cyber security report by Google, 75 per cent of all Americans struggled to remember their passwords, and at least 65 per cent people reused their passwords across multiple accounts and devices.
Antoine Korulski and Adi Goldshtein Harel, security researchers at Checkpoint, an Israeli cyber security company, wrote in a blogpost that “though most of the population understands the risk and knows that one should not reuse passwords, most of us continue reusing passwords for both corporate and personal accounts”.
Gupta said that people create a strong password but then tend to use it for all their accounts across all websites wheather it is banking, online education or related to their OTT platforms. Everywhere they use the same password. Hence If any of those websites gets compromised and the password reaches the dark web then instantly those hackers will use the same password for getting into all their accounts.
Password Managers Help, But To A Certain Extent: There are password managers, such as Google password manager, Intel true key, Microsoft authenticator, among others, which are popular with users.
Researchers at Checkpoint said that people use password managers as it helps them store their passwords, but these can be hacked.
In August 2022, LastPass, a password storage management solution was hacked for the second time, and the management of LastPass said that the bad actor had internal access to their systems for about four days.
Karim Toubba, CEO, LastPass, told Engadget that “they (hackers) were able to steal some of the password manager’s source code and technical information, but their access was limited to the service’s development environment, which wasn’t connected to customers’ data and encrypted vaults.
Think Twice Before Saving Passwords And Credentials On Websites: When people create a new account on any website or app, they often save the password or at least the login email address on the website as a default option.
Checkpoint researchers noted that as soon as cybercriminals understood that there is a big business potential, they “started focusing their efforts on hacking different websites and services that are not of great value by themselves, but are lucrative because of the user credentials they contain.”
The password storage guidelines of the National Institute of Standards and Technology (NIST) under Department of Commerce, the US, require that passwords be salted with at least 32 bits of data and simultaneously hashed with a one-way derivation key. But most websites don’t comply with this policy and store their users’ password in plain text, Checkpoint researchers noted.
In 2015, the Telecom Regulatory Authority of India (TRAI) exposed email addresses of over 1 million people who spoke in favour of Net Neutrality, and then the website of TRAI was also ‘allegedly’ hacked after this leak, according to various media sources.
