Euro Security Watch with Mathew J. Schwartz

Access Management , Identity & Access Management , Security Operations

Death to 'Fluffy': Please Stop With the Pet Name Passwords

Pets, Sports Teams, Notable Dates and Family Member Names Predominate, Experts Warn
Death to 'Fluffy': Please Stop With the Pet Name Passwords
Love your cat, but not as a password. (Photo: Kevin Dooley via Flickr/CC)

Loving your pet and creating tough-to-crack passwords should remain two distinctly separate activities.

See Also: Live Webinar | Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways

Unfortunately, Britain's National Cyber Security Center reports that more than 1 in 6 British people admit to using the name of a pet as their password.

An independent survey conducted for the NCSC - which is the public-facing arm of intelligence agency GCHQ - found that many individuals appear to favor simple passwords that they can remember. Hence, respondents say they often base passwords on:

  • Pet names - 15%;
  • Family member names - 14%;
  • A significant calendar date - 13%;
  • Favorite sports team - 6%;
  • Using the word "password" - 6%.

The NCSC is using National Pet Day, which is Sunday, as the occasion to remind people to practice good password hygiene. But it's also offering a reminder to businesses to help equip their employees to always use strong, unique passwords across every site and service.

"We may be a nation of animal lovers, but using your pet’s name as a password could make you an easy target for callous cybercriminals," says the NCSC's Nicola Hudson. “I would urge everybody to visit and follow our guidance on setting secure passwords, which recommends using passwords made up of three random words."

6 Security Essentials

The NCSC recommends individuals ensure they're following six practices:

  • Use a strong and separate password for email: Popping an email account can give an attacker a way to reset passwords across numerous services.
  • Create strong passwords using three random words: "Do not use words that can be guessed (like your pet’s name)," NCSC says. "You can include numbers and symbols if you need to. For example, 'RedPantsTree4!'"
  • Save your passwords in your browser: Chrome, Safari and Edge all offer this capability. "It is safer than using weak passwords, or using the same password in more than one place," NCSC says.
  • Turn on two-factor authentication: The best TFA involves using apps from Google and Microsoft, which can also be set to require biometric verification via the device. Less good - but better than nothing - are one-time codes that get sent via SMS. Attackers can use SIM-swapping attacks to intercept these, but doing so takes additional time and effort, which criminals prefer to avoid whenever possible.
  • Keep devices updated: Updates often include fixes for critical security flaws. So it should be a no-brainer to install them as quickly as possible.
  • Always back up your data: Ransomware attacks and even technical issues - for example, with updates - can leave people without a working copy of their data, including any lists of passwords. Ideally, enable automatic backups - for example, to the cloud, as well as to devices that can be physically unplugged from a PC - to avoid problems.

Businesses must do more, including implementing defenses against phishing - wherein attackers attempt to trick users, often to share their password - as well as securing devices and nuking malware. They can also set and maintain strong password security policies.

Recommendation to all businesses: Give your employees a password manager. Such software generates unique passwords and stores them for easy retrieval via a smartphone or tablet app or a cloud-based service.

Such software is not invincible. But it make life more difficult for would-be attackers. I'm an avid user because I know that if any site I use suffers a data breach, I can easily pick and use a new password and not worry about the one that's in circulation.

The Simplicity Imperative

SplashData's "worst passwords of 2018," based on its review of 5 million passwords that leaked on the internet last year, compared to their prevalence in 2017 data dumps

For me, using a password manager is the simplest approach, because it lets me outsource all of my password thinking. But the NCSC's alert is a reminder that many people still prefer to just pick and reuse simple passwords across multiple sites.

The Brits, of course, aren't the only offenders. In 2018, an angry 20-year-old apparently breached the email, social media and cloud service accounts of 1,000 German politicians, celebrities and journalists (see: Why Are We So Stupid About Passwords? German Edition).

"Bad passwords were one of the reasons he had it so easy," Minister of the Interior Horst Seehofer told reporters at the time, the Guardian reported. "I was shocked at how simple most passwords were: 'ILoveYou', '1,2,3.' A whole array of really simple things."

People using - and reusing - poor passwords has persisted for years. A review by Keeper Security of passwords that became public due to 2016 data breaches found that 1 in 6 were "123456" (see: Why Are We *Still* So Stupid About Passwords?).

If that sounds familiar, it might be because that choice was the most-seen password in 2018, 2017 and likely back to the dawn of the password age.

Long Live the Death of the Password

The underlying problem: Passwords are a pain. Passwords are out of control. Passwords are doing things their designers never envisioned.

In the early 1960s, the Massachusetts Institute of Technology's Compatible Time-Sharing System program began using passwords to restrict access to a system with multiple accounts.

"The key problem was that we were setting up multiple terminals, which were to be used by multiple persons but with each person having his own private set of files,” Fernando Corbató, who headed the MIT program, told Wired in 2012. “Putting a password on for each individual user as a lock seemed like a very straightforward solution."

In the early days of the internet, many websites began demanding a password. But digitally speaking, life was simpler then - for consumers, very little of substance was online, and thus passwords had little to protect.

While the death of the password is always predicted as being just around the corner, passwords are still being used to protect everything from our online bank and e-commerce accounts to our genealogical details and DNA test results.

Reused Passwords Easy to Automatically Hack

Unfortunately, password reuse continues to make it easy for criminals to access accounts. By breaching a site, or buying a list of breached credentials - typically email addresses serving as usernames, plus passwords - attackers can practice credential stuffing, in which they attempt to use these credentials across a number of sites.

To better block the threat of reused passwords - and avoid being blamed if a hacker accesses a user's account by reusing credentials from another site - some services and sites, such as Facebook, monitor public data breaches to see if any users have an email and password that matches what's appeared in another dump. If so, then the site can proactively lock the account and tell the user to pick a new password.

For criminals, time is money. Credential stuffing and dictionary attacks - testing known usernames with commonly picked passwords - are easy to automate and run at scale. Using strong, unique passwords across every site you use helps foil these types of attacks.

Typing "Fluffy" or "Fido" as a password might be tempting. But taking a few simple steps - such as creating passwords using three different words, or even better, using a password manager - helps block criminals from using our passwords against us. Why make life any easier for criminal hackers?

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.