There is, I am told, an ongoing debate as to who would win in a fight between the Marvel comic-book characters of Loki and Thor. As far as movie-based conflicts go, Loki’s shape-shifting trickery hasn’t been enough to better the pure strength of Thor.
Loki has, however, beaten Thor in one recent battle, which has negative implications for business and for you individually. Stick with me, and I’ll explain.
My superhero power would be password creation
If you had a superhero power, what would it be? I’m guessing that password creation wouldn’t likely be top of your list. Yet superheroes and passwords do appear to have a connection, albeit in a bad way. According to newly published research from password specialists Specops, superhero names cropped up more than a million times in a database of already breached credentials.
So which two comic-book characters topped the most frequently used list? Yep, you’ve guessed it, Loki and Thor.
This is one battle that Loki won, with 151,000 occurrences of the name as a password compared to Thor, a very close second on 148,000. The Marvel universe didn’t dominate the top of the list, though; DC took the following five places with Robin, Joker, Flash, Batman and Superman.
The peril of popular password choices
Am I surprised by this turn of events? Nope. I mean, even if your account provider doesn’t limit your password choice by character type or length, most people still go for some memorable word or other. Indeed, earlier this year, I reported how the most common method of password management was memory alone, with 59% going down that insecure route.
More relevant research from last year analyzed more than 275 million passwords found within databases of credentials from breaches. Of these, 56% were not unique. That’s nearly 153 million passwords that had been used more than once. While 123456 remained the most commonly used password of 2020, with 2.5 million appearances on the list, every single one of them represents a security failure.
The truth is that dictionary words, names (including superheroes) and dates do not secure passwords make. Nor, for that matter, do oft-repeated ‘clever’ character substitutions, since criminals long ago figured those out and built them into their cracking tools, so such passwords will also fail the ‘can this password be cracked quickly’ test most of the time.
Easy-to-remember passwords most often mean insecure ones, although there are exceptions, such as passphrases that link several seemingly unconnected words together. Even if you use a passphrase, that’s fine for a single account, but how do you remember multiple passphrases without weakening your security posture?
Reusing passwords across accounts will result in even the strongest, created using a random password generator and passing the ‘goodness me that’s a bloody long password’ test, being diluted to become as weak as dishwater. It only takes one data breach that exposes that superhuman-strength password, and all those other sites and services become vulnerable to compromise.
It’s not like there is any lack of high-profile data breaches where user passwords are scooped up and made available for cybercriminal use, after all. The number of breached accounts in the Have I Been Pwned database, where you can freely search to see if any of yours are amongst the more than 600 million real-world passwords that have been exposed to date.
I can’t remember my password
I have, as of the current count, 259 passwords.
All are more than 25 characters in length, complex and random. I could never remember all of them because I do not have a savant memory. Also, because I don’t know what 258 of them are.
Even the remaining password, the master that unlocks the encrypted vault where the rest are stored, isn’t anything memorable. It exceeds 50 characters and is just a random jumble of alphanumeric and special keyboard characters. I rely upon two things to summon up the superpower to unlock my password manager after a system reboot or when 30 days have expired since it was last input: muscle memory and a piece of paper with it written on.
The latter, I should add, is kept in a place at home where it’s very unlikely to be found by any thief. If they did find it, then the password is obfuscated within a sheet of text, forming the most boring wordsearch puzzle you’ve ever seen. Nevertheless, I can find it quickly as I know both the first and final three characters off by heart.
Getting the password management message across
So, I guess the big question is how do we, the cybersecurity industry, businesses, and the media, get the password hygiene message across to an audience that still prefers to use superhero or pet names despite high-profile coverage of data breaches?
Sean Wright, the principal application security engineer at Immersive Labs, admits that password hygiene continues to be a problem and industry messaging around this needs to change. “I believe one of the biggest reasons is that we as humans generally don’t change habits easily,” Wright says, “so, perhaps one approach we can look at is simply blocking known weak passwords. Some organizations already do similar things, but this could provide greater protection if it were more widespread.”
Darren Siegel, a product specialist at Specops Software, advises that businesses should implement “an enforceable password security policy that is taught to employees within the broader security awareness training initiatives.” This password policy should, at the very least, “mandate long and strong passwords; continually detect, remove and block leaked passwords, and secure self-service and IT service desk-enacted password resets and unlocks.”
When it comes to individuals, Jake Moore, cybersecurity specialist at ESET, recommends using a password manager. “Since a password manager takes care of the memory retention part, every password can be a long, complex, totally random set of characters,” Moore says. “This means brute-force crackers become inefficient. To bolt on an extra layer of protection,” Moore continues, “I would advise coupling up each online account with multi-factor authentication in the form of an authenticator app for extra safety.”
The top 40 most used superhero passwords
And, in case you were wondering, the 40 most used superhero character names in breached credential databases were, in order:
Loki, Thor, Robin, Joker, Flash, Batman, Superman, Vision, Falcon, Penguin, Hulk, Wanda, Venom, Spiderman, Ironman, Katana, Hydra, Wolverine, Gambit, Punisher, Hawkeye, Groot, AntMan, Deadpool, Thanos, Catwoman, Magneto, Riddler, Cyclops, Avengers, Mystique, WonderWoman, Aquaman, BlackWidow, Gamora, TwoFace, Nightcrawler, BlackPanther and GreenLantern.
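As an added illustration of the two points made above (that ‘clever’ character substitutions do not rescue a dictionary name, and Wright’s suggestion of simply blocking known weak passwords), here is a small denylist check built on the top-40 list. It is example code written for this piece, not a Specops or Immersive Labs tool, and the substitution table and minimum length are assumptions for the demonstration.

```python
import re

# Constructed from the article's top-40 list. A production denylist would be
# a full breached-password corpus rather than this short sample.
SUPERHERO_NAMES = [
    "Loki", "Thor", "Robin", "Joker", "Flash", "Batman", "Superman", "Vision",
    "Falcon", "Penguin", "Hulk", "Wanda", "Venom", "Spiderman", "Ironman",
    "Katana", "Hydra", "Wolverine", "Gambit", "Punisher", "Hawkeye", "Groot",
    "AntMan", "Deadpool", "Thanos", "Catwoman", "Magneto", "Riddler", "Cyclops",
    "Avengers", "Mystique", "WonderWoman", "Aquaman", "BlackWidow", "Gamora",
    "TwoFace", "Nightcrawler", "BlackPanther", "GreenLantern",
]

# Assumed substitution table: the 'clever' swaps cracking rule sets already
# try. Undoing them is what makes 'L0k1!' match the plain name 'loki'.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Longest names first so the most specific match is reported.
DENYLIST = sorted({n.lower() for n in SUPERHERO_NAMES}, key=len, reverse=True)


def base_word(password: str) -> str:
    """Reduce a candidate to the letters a cracker would recover: lower-case,
    undo leet substitutions, then drop digits, years and punctuation."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def find_denylisted(password: str):
    """Return the denylisted name hidden inside `password`, or None.
    Substring matching is deliberate: 'mylokipass' is still built on 'loki'."""
    base = base_word(password)
    for name in DENYLIST:
        if name in base:
            return name
    return None


def check_password(password: str, min_length: int = 12):
    """Policy check in the spirit of the quoted advice: reject short passwords
    and anything built on a known-weak word, however it is disguised."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hit = find_denylisted(password)
    if hit:
        return False, f"built on denylisted word '{hit}'"
    return True, "ok"
```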