Security Awareness Training Blog

Keeping You Informed. Keeping You Aware.

"123456" Remains Most Common Password Found in Data Dumps in 2017

For the second year in a row, "123456" remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers.

While having "123456" as your password is quite bad, the other terms found on a list of  Top 100 Worst Passwords of 2017 are just as distressing and regretful.

Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah).

77% of the FTSE 100 Have Compromised Credentials - What is your Stolen-password percentage?

IT security vendor Anomali, released a new report showing the volume of stolen credentials of FTSE 100 employees tripled In 2017, and a whopping 77% of the FTSE 100 were exposed with an average of 218 usernames and password stolen, published or sold per company.

In most cases the loss of credentials occurred on third party, non-work websites where employees reuse corporate credentials.

In May 2017, more than 560 million login credentials were found on an anonymous online database, including roughly 243.6 million unique email addresses and passwords.

The report shows that a significant number of credentials linked to FTSE 100 organizations were still left compromised over the three months following the discovery.

What is your Stolen-password percentage?

Stolen Passwords Of FTSE 100 Employees Tripled In 2017

The Financial Times Stock Exchange 100 share index is an average of share prices in the 100 largest, most actively traded companies on the London Stock Exchange.

IT security vendor Anomali, released a new report that identifies major security trends threatening the FTSE 100. The volume of credential exposures has dramatically increased to 16,583 from April to July 2017, compared to 5,275 last year’s analysis.

A whopping 77% of the FTSE 100 were exposed, with an average of 218 usernames and password stolen, published or sold per company.

In most cases the loss of credentials occurred on third party, non-work websites where employees reuse corporate credentials.

Thirty Percent of CEO Email Passwords Compromised in Breaches: Study


SecurityWeek reported about an interesting F-Secure study showing thirty percent of CEOs from the world's largest organizations have had their company email address and password stolen from a breached service.

F-Secure researchers checked the email addresses of 200 CEOs from the world's largest organizations against a database of leaked credentials. It notes that the 30% figure increases to 63% for tech companies. Yikes.

Given the continuing tendency for users to use simple passwords and reuse the same passwords across multiple accounts, the implication is that at least some of these CEOs are at risk of losing their email accounts to cyber criminals or foreign nation state hacking groups.

Average Employee Manages Nearly 200 Passwords? Nah, That Is A Myth

In the last week, the cyber security press breathlessly reported that the average employee manages nearly 200 passwords. Really?

Their source is the Password Exposé report, based on aggregated and anonymized data from over 30,000 LastPass customers. This report found that other industry reports often estimate the number of credentials used and put the figure closer to an average of 27 passwords per employee.

Lastpass claimed that employees use an average of 191 passwords to enter 154 times in a given month, racking up an estimated 36 minutes of password data entry during that time.

Well... not so fast!

Enigma Hacked Before ICO Date -- CEO Had Not Changed A Compromised Password

Wherever there’s a lot of money to be made cyber thieves are not far behind. Think sharks surrounding a bait ball.

Enigma is a financial data marketplace founded by a team from MIT which is set to launch its Initial Coin Offering (ICO) on September 11, 2017. It has a community of 9,000 users who joined its mailing list, social accounts, and their Slack tool to keep up with its offering and stay up to date after the ICO.

Survey of 2600 IT Pros: "Password Procedures Still Are A Cyber Security Fail"


After the NIST passwords bombshell, we surveyed 2,600 IT professionals to find out how they were managing passwords. The answers show that IT Pros are generally receptive to the proposed pass phrase concept suggested by NIST.

NIST Special Publication 800-63B, “Digital Identity Guidelines,” states: “Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones. This means that password complexity has failed in practice." Verizon's latest Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords, supporting the NIST conclusion.

This password bombshell will make you scratch your head...

OK, this is a headscratcher. This is why we were surprised.  I found it in a Wall Street Journal article today (paywall).

Bill Burr, the author of “NIST Special Publication 800-63. Appendix A.” which covers “traditional” password complexity requirements, has said that password complexity has failed in practice

Whoa Nellie.

Subscribe To Our Blog

Phish Your Users

Recent Posts

Get the latest about social engineering

Subscribe to CyberheistNews