1234567 still the top password?!

By Mary Beth Borgwing on June 12, 2014

The data never lies! At lunch during the Cyber Security Summit in Washington DC, a technology and legal expert with lots of years in the public/private cyber sector told me just how many people globally use the 1234567 password in 2013 compared to 2012, and the number has increased a lot. You would’ve hoped the data lied!

I questioned how companies could allow employees to use such passwords. It should be a crime!

Are you one of them?

We all know that, with threat intelligence and biometric technology coming fast, passwords are on their way out, but in the meantime they are one line of defense, along with encryption keys and many others, that are relied upon globally as a security measure. The data shared with me during that lunch gives us a snapshot of the average worker’s understanding of, and sophistication with, cyber security prevention measures.

The old saying “it can’t happen to me,” or at my company, is still very prevalent even though IT departments go to great lengths to make you change your password at least every 6 months, depending on standard operating procedures.

Every week I talk to companies with some type of data on cyber. There is big data, fragmented data and incomplete data – but there are a lot of entities with cyber data. There are market leaders like Trustwave, Verizon, McAfee, Symantec, Carnegie Mellon, SEI, SRI, RSA and many others who gather data on events and breaches that happen to individuals, enterprises, and governments, as well as on incidents and total breaches that involve many parties at the same time. Most capture at least one type of data but not the whole picture – some have Personal Identifiable Data, Fines and Penalties, incidents and events. Not to mention, every company has a breach incident example or war story.

The US government has a data depository on cyber breaches – not fully available, but US taxpayers paid for it. You can be sure other government entities have the same.

So what about a giant repository where you can anonymously call in a data breach and fill out an event data form without giving away your private information – like you do when you report an event to the FTC? Sort of like a tip hotline?

I think Verizon and Trustwave are really leading the charge at publishing data anonymously with a whole host of contributors. Guess they both figured out that sharing is caring – hats off to both Verizon and Trustwave for leading the way on making incident reporting a publicly acceptable practice.

We hope they can shame the 1234567 crowd into changing their passwords in 2015.

mbborgwing@cyberrisknetwork.com

Mary Beth is President of the Cyber and Risk Practice at Advisen. Mary Beth, a senior risk, insurance, and finance executive, speaks and writes frequently on cyber risk management. Contact Mary Beth at mbborgwing@cyberrisknetwork.com.