By GREGORY ZELLER //
Better rethink that password, whether you use it at home or at the office: chances are, you’re not fooling anyone.
California-based digital password expert SplashData has released its annual list of the Internet’s worst passwords – the most commonly used and, therefore, most hackable secret codes, providing the least-effective defense of personal and professional data.
As has been the case every year since SplashData started publishing its annual lists five years ago, “123456” is the web’s worst, while “password” is the second-most used secret code.
Newcomers to SplashData’s top 10 include “12345,” up 17 spots from the previous year’s list to finish third, and “baseball,” “football” and “dragon,” all of which made their SplashData debuts this year.
Other notably weak passwords: “qwerty,” “111111,” “trustno1” and list newcomers “superman” and “batman.” New at No. 22: “696969.”
SplashData compiled its list from “3.3 million leaked passwords” collected during the year, the company said in a statement. That means that if you see your password on the lazy list – “monkey” and “abc123” made it, too – you’re putting your data at serious risk, according to Dean Weich, managing director of Tools4Ever’s Lynbrook office.
Based in the Netherlands, Tools4Ever is a global provider of identity and access-management solutions and related security programs. Among its wares are various programs designed specifically to strengthen corporate password protocols – a critical need, Weich noted, for businesses of any size with proprietary data to protect.
“The risk is the same, whatever kind of business you’re in,” Weich told Innovate LI. “The only difference is how many accounts somebody can hack into.”
The passwords on the SplashData list – along with other common selections, such as the user’s name or the names of family members and pets – are “easily guessable,” added Weich, who directs New York operations for the Baarn-based firm.
“If somebody wants to hack in, they’ll look at the most common passwords people use and try them first,” he said.
When called in to help clients overcome password-related security issues, Weich usually starts with some basic advice: Users, especially employees with access to sensitive corporate data, should be required to change their passwords every month, and forbidden from writing passwords and other login identifiers on Post-Its attached to their computer monitors.
Users are also encouraged to follow Microsoft’s “complexity rules” for passwords, which require a mix of uppercase and lowercase letters, numerals and other character types, setting the secret codes apart from straight-up, easily cracked choices like “shadow” (No. 19 on SplashData’s latest list).
Beyond that, Tools4Ever – which is usually summoned to right the ship after a password-related security breach – offers a number of proprietary products designed to keep customers a step ahead of password hackers.
The Password Complexity Manager, for instance, allows users to create customizable lists of words that can’t be used for network passwords and also prevents “incrementing,” Weich said, noting the common practice of changing from “Password1” to “Password2,” and so on, each month.
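The three checks described above (a deny list of common passwords, the Windows-style complexity rules, and a block on “incrementing”) are easy to sketch in code. The following is an added illustration written for this page, not Tools4Ever’s product or any vendor code; the deny list is constructed from the SplashData entries named in the article, the complexity rule is approximated as “at least eight characters drawn from three of four character classes,” and the increment detector only recognizes a trailing counter (with optional trailing punctuation). It assumes it runs at password-change time, where the user has just supplied both the old and new password in plaintext; a real system would never keep a plaintext history to compare against.

```python
import re

# Constructed deny list: the SplashData entries named in the article above.
# A production list would be far longer (full leaked-password corpora).
COMMON_PASSWORDS = {
    "123456", "password", "12345", "qwerty", "111111", "trustno1", "superman",
    "batman", "696969", "monkey", "abc123", "shadow", "master", "letmein",
    "baseball", "football", "dragon",
}

# stem, trailing digits, optional trailing punctuation: "Summer2014!" -> ("Summer", "2014", "!")
_COUNTER = re.compile(r"^(.*?)(\d+)(\W*)$")


def meets_complexity(pw: str, min_length: int = 8) -> bool:
    """Approximation of Windows complexity policy (assumption for this example):
    minimum length plus characters from three of four classes."""
    classes = (
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    )
    return len(pw) >= min_length and sum(1 for c in classes if c) >= 3


def is_increment(old: str, new: str) -> bool:
    """True if `new` is `old` with its trailing counter bumped (Password1 -> Password2)
    or with a counter appended (Password -> Password1). Case-insensitive on the stem."""
    mn = _COUNTER.match(new)
    if mn is None:
        return False
    stem_new = mn.group(1).lower()
    mo = _COUNTER.match(old)
    if mo is None:
        # Old password had no counter: compare it (minus trailing punctuation) to the new stem.
        return re.sub(r"\W+$", "", old).lower() == stem_new
    return mo.group(1).lower() == stem_new


def check_new_password(old: str, new: str, denylist=COMMON_PASSWORDS):
    """Apply the deny list, complexity rules and increment block. Returns (ok, reason)."""
    if new == old:
        return False, "same as the previous password"
    if new.lower() in denylist:
        return False, "on the common-password deny list"
    # "password1" or "monkey99" is still a common password with digits bolted on,
    # even though it passes the complexity rules.
    m = _COUNTER.match(new)
    base = m.group(1) if m else new
    if base.lower() in denylist:
        return False, "common password with digits appended"
    if not meets_complexity(new):
        return False, "does not meet complexity rules"
    if is_increment(old, new):
        return False, "incremented version of the previous password"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample changes a user might attempt.
    for old, new in [("Password1", "Password2"), ("Summer2014!", "Summer2015!"),
                     ("Welcome1", "shadow"), ("Welcome1", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new)}")
```

Note that “Password1” satisfies the complexity rules on its own, which is exactly why the deny list is checked both on the literal string and on the string with its trailing counter stripped; complexity rules alone do not stop the users who reach for “Password1” and bump it each month.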
Tools4Ever also offers a “password reset product” that allows an end-user – Johnson from Accounting, for instance – to reset his own password without troubling the IT department. The product works much like the password-reset protocols on banking and other customer-service websites, with a series of personalized questions granting the user access.
This week, Tools4Ever also launched the newest version of its single sign-on application, HelloID. Like earlier versions, the software keeps multiple user credentials – including ID/password combos for various personal and professional websites and programs – locked in an encrypted database accessible through a single login. The new HelloID also introduces a new web portal feature that allows users to access secured applications on a private network through their portable devices.
Tools4Ever is already developing the next version, which according to Weich will incorporate biometrics – fingerprint recognition will be used to access the web portal. The company, which boasts dozens of programmers and developers in its Netherlands headquarters, aims to upgrade its software packages every three months, he added, based largely on customer feedback.
So if all goes according to plan, the next version of HelloID should hit virtual shelves by the end of the second quarter – a rapid pace, the managing director noted, but an essential one to keep customers ahead of hackers who just aren’t thrown by passwords like “master” or “letmein.”
As for his own password, Weich was understandably tightlipped – though he did note he’s a big fan of those complexity rules.
“My password is about 17 characters,” he said. “It makes use of special characters, has uppercase and lowercase letters and numbers, and I change it every 30 days.”