New study: Passwords are still the weakest link

The latest review of security issues and trends is out, and we’re sorry to say, folks: The rampant use of weak passwords still presents a serious security problem to end users and companies alike.

The recently-published Trustwave 2012 Global Security Report details the current threats to user data and identifies the vulnerabilities that persist within organizations. The statistics were generated from their investigation of about 300 breaches across 18 countries. They also analyzed the usage and weakness trends of more than 2 million real-world passwords used within corporate information systems. The verdict? After an initial foothold in a system (via malware and other threat vectors), 80% of security incidents were due to the use of weak administrative passwords.

Yes, that’s correct: 80 percent. From weak passwords.

“The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation,” the report comments. “This is true for both large and small organizations, and largely due to poor administration.”

They found that writing down passwords is still prevalent in the workplace, particularly in organizations that implement complexity requirements, password expiration cycles, and password histories to prevent recycling of old passwords. While these policies are often implemented to improve password management, the reality is that increasing password complexity directly corresponds with a decrease in memorability, hence the insecure practice of writing down passwords. The report found that in 15% of the security tests performed, written passwords were found on or around user work stations.

What’s even more astonishing is that rather than find a tool that can help with the password problem, users are getting creative in overriding the policies meant to enforce the use of strong passwords. They exploit loopholes such as:

  • Setting usernames as the password when complexity requirements aren’t forced
  • Adding simple variations to fit complexity requirements, such as capitalizing a letter and adding an exclamation point to the end
  • Using dictionary words or applying simple modifications

Default and shared passwords are also a massive point of failure. Companies assign poor default passwords such as “changeme” and “welcome” but don’t later enforce an update of those defaults. Applications and devices that are shipped or installed by default on company systems also utilize default passwords that are rarely modified, a particularly dangerous situation for applications accessible from the Internet. The result: they found a proliferation of simple combinations such as “administrator:password”, “guest:guest”, and “admin:admin”.

In another alarming example, the report highlights Active Directory’s policy of password complexity, which states that a password is required to have a minimum of eight characters and three of the five character types (Lower Case, Upper Case, Numbers, Special, Unicode). Guess what meets those requirements? “Password1”, “Password2”, and “Password3”, the first being the most widely used across the pool of two million passwords studied in the report.

The top 10 passwords identified by the study were:

  1. Password1
  2. welcome
  3. password
  4. Welcome1
  5. welcome1
  6. Password2
  7. 123456
  8. Password01
  9. Password3
  10. P@ssw0rd

Variations of “password” made up about 5% of passwords and 1.3% used “welcome” in some form.

Other keywords included:

In some ways, we’re impressed by the creative effort people put into avoiding strong passwords while still operating within the “complexity requirements” imposed on them.

However, moving forward into 2012 and beyond, it’s clear there are steps both end users and businesses should be taking to change their password habits, prioritizing:

  • Education of employees on basic security practices
  • Tracking of company data and pinning it to an individual every time
  • Standardizing implementation across all platforms and devices

and, most importantly:

  • The implementation of a password management tool that makes it easy to maintain high security standards.

For as long as we force people to create their passwords and remember them, we’ll be stuck with bad passwords. Recognizing the prolific use of poor passwords is one thing – empowering people to act on these recommendations, in a way that doesn’t inconvenience them or tax their memory, is the true source of change. Only with password management solutions like LastPass and LastPass Enterprise will we enable people to follow best security practices.


The LastPass Team


  • Cheryl Free says:

    I frequently have to ask Twitter followers to update to secure passwords. Why? Because their accounts are hacked, and I get the blunt end of it with direct message spam.

  • Anonymous says:

    Here’s an idea. Combine lastpass with a USB key or a key tag like the banks.

    • Scott says:

      You may have hit on something there. We could thwart the hackers by doing this: Imagine developing a system that requires “TWO different activities to perform” in order to access one’s account online.
      The first, of course, would be to enter in your username and password, itself.
      The second (and this is the kicker!) would be to have a piece of software or a file–that is stored on a USB/flash drive, always in the user’s possession–which you must plug into the computer, and copy, temporarily, to the site; think of it as sort of like a disposable ‘cookie’.
      Without utilizing BOTH tasks, you cannot get in!

      Scott Gould

    • Anonymous says:

      Lastpass already offers several forms of two-factor authentication: LP Sesame, Yubikey, or Google Authenticator.

  • Oblivion says:

    Lastpass aside, of course, the use of strong passwords is inevitably going to increase “I forgot my password” calls to helpdesks and admins. I’ve been pushing (to little effect) the recent xkcd take on this… which of course is all very well but it’s too smart for most “techies”

  • Craig says:

    Interesting reading, and of course there are manual loophholes, like calling the helpdesk and asking for password resets without identity confirmation, just asking a user for their password…..

  • Wow, so many people just go with the simplest passwords…never would have thought