Password Data Security in Business
Passwords are still the number one way employees authenticate themselves to company computers and networks. The problem is not that password data security is weak, but how people manage all their passwords. As new security statistics regarding passwords are discovered, we will post them here.
- IT Departments create very secure password data security policies that employees circumvent for convenience. – Gartner
- Phishing, spear phishing, pharming and keyloggers are the most common web attacks used to obtain passwords.
- 97% of computers, networks, web sites and secure data files use passwords to authenticate users.
- The need for passwords to be both easy to remember and difficult to guess poses what we all know as the password problem. – Bruce Schneier, chief technology officer of BT Counterpane
- Hackers typically try to break into a computer or secure account by attacking passwords.
- Complex, long passwords protect against brute-force attacks, but not against phishing, pharming and keyloggers.
- Passwords are secure. The insecurity comes from how people manage their passwords and how networks are protected from malware and viruses.
- IT cannot identify a data breach if a legitimate user name and password are used.
- Having the user’s name or email address as an account’s User Name weakens network security by 50%.
Statistics on Password Data Security
- 30% – 40% of IT’s help desk calls are for resetting forgotten passwords.
- 66% of computer users use one to two passwords on all their websites. – Troy Hunt, security researcher
- The most widely used passwords are “password”, “password1” and “12345”.
- A four-character password takes a computer a few seconds to break, whereas a ten-character (upper, lower, and numbers) password takes the same computer approximately 26,984 years.
- In the recent Sony PlayStation attack 50% of the passwords were one character long, 1:100 used non-alphanumeric passwords. – Troy Hunt, security researcher
- Number of crimeware-spreading Web sites infecting PCs with password-stealing crimeware reached 31,173 in December 2009. – APWG
- Password security policies recommend:
● Min. password length: 8-characters
● Password complexity: Upper case, lower case, numeric and special characters
● Password change frequency: 3 months
● Re-use password on other sites: Never
● Password structure: Random
All good advice but very difficult to enforce as employees write down passwords on Post-it notes.
- Xato published an interesting article, “Most Top Worst Passwords”, in June 2011. Here are some of the key points:
- The list of the 10,000 most common passwords represents 99.8% of all user passwords.
- 4.7% of users have the password “password”.
- 8.5% have the passwords “password” or “123456”.
- 9.8% have the passwords “password”, “123456” or “12345678”.
- 14% have a password from the top 10 passwords.
- 40% have a password from the top 100 passwords
- 79% have a password from the top 500 passwords
- 91% have a password from the top 1000 passwords
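
The policy recommendations and the common-password figures above interact: a password can satisfy every length and complexity rule and still be a trivial variant of a top-list entry. The following is an added example, not code from the original page; it checks the page's length and complexity rules plus a denylist, where `COMMON_PASSWORDS` is a small constructed stand-in for a real top-10,000 list and the function names are hypothetical.

```python
import re

MIN_LENGTH = 8  # minimum length from the policy list on the page

# Constructed sample standing in for a real top-10,000 list
# (assumption: in practice this set is loaded from a file).
COMMON_PASSWORDS = {"password", "password1", "12345", "123456", "12345678"}

# The four character classes named in the policy list.
CLASSES = {
    "upper case": re.compile(r"[A-Z]"),
    "lower case": re.compile(r"[a-z]"),
    "numeric": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def normalize(pw):
    """Lower-case and drop trailing digits/symbols: 'Password1!' -> 'password'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def check_password(pw):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(pw):
            problems.append(f"missing {name} character")
    # Compare both the raw and the normalized form against the denylist, so
    # that decorating a common word to satisfy complexity rules is caught.
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common password")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "Password1!", "tR7#qvLm2$xe"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Complexity rules alone accept `Password1!`; only the denylist comparison rejects it.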