NCSC is encouraging people to use three random words for passwords rather than the names of their pets
April 2021 by Ed Williams, Director of Trustwave SpiderLabs EMEA
This morning the National Cyber Security Centre (NCSC) released survey research showing that millions of British people use their pet's name as an online password, even though it is an easy target for attackers. According to the NCSC, 15% of the population use a pet's name, 14% use a family member's name and 13% pick a notable date, and 6% of people still use "password" as all, or part, of their password. Ahead of National Pet Day, the NCSC is therefore encouraging people to use three random words for passwords rather than the names of their pets. Ed Williams, Director of Trustwave SpiderLabs EMEA, comments:
Unfortunately, the recent statistics around password usage from the NCSC do not come as a surprise. We often see a lack of password complexity, and guessable and brute-forceable passwords, when testing environments.
While there are a number of technical controls that can be used to attempt to mitigate the selection of weak or guessable passwords, these, from our experience, do not solve the underlying problem of password selection.
We’ve seen first-hand users selecting passwords based on known words and then attempting to randomise the password with capitalisation, number and special character substitution (e.g., P@ssword1**).
Where we’ve seen organisations succeed is around a combination of technical controls and user education. Through appropriate education, users should be made aware of how malicious threat actors are able to, firstly, profile staff through social media and then, secondly, look to abuse that information to gain access to resources through password brute forcing, guessing or credential stuffing.
The NCSC does give some sound, high-level advice on password management. I would take this advice one step further and suggest users use password managers for their passwords; there are many good solutions available that aren’t difficult to set up, nor are they too technical.
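The point made above about "randomised" dictionary words (P@ssword1**) is easy to see in code. The following is an added example, not code from the article, the NCSC or Trustwave: it mimics, in miniature, how a password-cracking tool expands a dictionary word with the capitalisation, leet and suffix substitutions users typically apply, then compares the size of that candidate space with the space of three random words drawn from a fixed list. The substitution table, the suffix lists, the sample word list and the 7,776-word list size are all assumptions made for the illustration; real cracking rule sets are far larger than this one.

```python
"""Rule-based candidate generation versus three random words.

Added example (not from the article, the NCSC or Trustwave). The rules below
are a deliberately small stand-in for the mangling rules a cracking tool
applies to every word in its dictionary.
"""
from itertools import product
import math

# Assumed substitution table: the swaps users most often reach for.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1", "t": "7"}
# Assumed suffix rules: an optional trailing digit and an optional special run.
DIGIT_SUFFIXES = [""] + [str(d) for d in range(10)]
SPECIAL_SUFFIXES = ["", "!", "**", "!!"]

# Constructed sample dictionary of the kind of words the NCSC survey describes.
WORDLIST = ["password", "rex", "summer", "liverpool", "charlie"]


def mangle(word):
    """Yield every candidate reachable from `word` under the assumed rules:
    any subset of leet substitutions, optional capitalisation of the first
    letter, an optional trailing digit and an optional special suffix."""
    word = word.lower()
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    seen = set()
    for choice in product([False, True], repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, choice):
            if swap:
                chars[pos] = LEET[chars[pos]]
        leeted = "".join(chars)
        for base in (leeted, leeted[:1].upper() + leeted[1:]):
            for digit in DIGIT_SUFFIXES:
                for special in SPECIAL_SUFFIXES:
                    cand = base + digit + special
                    if cand not in seen:  # capitalising a leet char is a no-op
                        seen.add(cand)
                        yield cand


def candidate_count(word):
    """Number of distinct candidates the rules produce for one word."""
    return sum(1 for _ in mangle(word))


def search_space_for_wordlist(words):
    """Guesses needed to cover every mangled form of every word in `words`."""
    return sum(candidate_count(w) for w in words)


def guesses_until_hit(password, words):
    """How many candidates are tried before `password` is generated,
    or None if the rules never reach it (e.g. a genuinely random string)."""
    tried = 0
    for w in words:
        for cand in mangle(w):
            tried += 1
            if cand == password:
                return tried
    return None


def three_random_words_space(list_size):
    """Candidates for three words chosen independently from a list of `list_size`."""
    return list_size ** 3


def bits(n):
    """Search space expressed as bits of entropy."""
    return math.log2(n)


if __name__ == "__main__":
    mangled = search_space_for_wordlist(WORDLIST)
    hit = guesses_until_hit("P@ssword1**", WORDLIST)
    # 7,776 is the size of a common diceware-style word list (an assumption here).
    three_words = three_random_words_space(7776)
    print(f"mangled dictionary space: {mangled} (~{bits(mangled):.1f} bits)")
    print(f"'P@ssword1**' reached after {hit} guesses")
    print(f"three random words space: {three_words} (~{bits(three_words):.1f} bits)")
    print(f"random-looking 'x7Q!mL0p' reached: {guesses_until_hit('x7Q!mL0p', WORDLIST)}")
```

Running it shows that the whole mangled dictionary is a few thousand guesses and that P@ssword1** falls out within the first thousand, while three words from a 7,776-word list give roughly 39 bits of search space even though no substitution tricks are involved. The lesson is the one in the comment: substitutions on a known word add a few bits at most, because the attacker applies the same substitutions the user does.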