In 2016, hundreds of thousands of IoT devices were hacked because they used insecure default passwords. DDoS malware such as Mirai scans the internet for these poorly protected devices and then floods them with various forms of attack, resulting in anything from stolen information to device manipulation and sabotage of operations.
Earlier this year, the security firm Keeper analysed 10 million passwords that were exposed through data breaches in 2016 and published the 25 most common ones:
The passwords that Mirai specifically targets are much the same, if not worse: devices protected by passwords such as “admin” and “user”, or by no password at all.
According to Keeper, the list of the most common passwords has changed little over the past few years, despite increased user education. For IoT devices, this means the onus must be on the developer to ensure that users are automatically prompted to set a password when setting up the device, disabling the use of default passwords. The developer should also implement controls that enforce minimum length and complexity requirements, multifactor authentication and other security measures.
The need for controls enforcing minimum length and complexity is reinforced by the fact that four of the top 10 passwords and seven of the top 15 are six characters or fewer. According to Keeper, such passwords can be cracked in seconds.
Furthermore, passwords such as “1q2w3e4r” and “123qwe” are examples of sequential key variations, which some users adopt in the belief that they are safer than passwords such as “qwerty” or “12345”. However, dictionary-based password crackers know to look for sequential key variations and will not be fooled.
Some general rules for creating a secure password:
- Create a password that is at least 8 characters, with a mixture of letters (upper and lower case), numbers and other characters
- Do not use common phrases or words found in a dictionary
- Do not use composition rules (e.g. device name + year or user + factory name)
- Do not keep passwords in text files, spreadsheets or other unprotected documents
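As an added example (not code from the article, from Keeper or from any device vendor), the following Python check is the kind of policy a device's setup flow could enforce: it rejects the defaults Mirai targets, applies the length and character-class rules above, flags sequential key variations such as “1q2w3e4r” and “123qwe” by looking at keyboard adjacency, and refuses passwords composed from the user or device name. The blocklist, the US QWERTY layout and the 50% adjacency threshold are constructed assumptions.

```python
import string

# Constructed blocklist (assumption): the defaults and patterns named in the
# article plus the empty password. A real deployment would use a larger list.
BLOCKLIST = {"", "admin", "user", "qwerty", "12345", "1q2w3e4r", "123qwe"}

# US QWERTY rows (assumption). The digit row sits above the letter rows, so a
# walk such as 1q2w3e4r moves one key down/up and right at every step.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_KEYPOS = {c: (r, i) for r, row in enumerate(_ROWS) for i, c in enumerate(row)}


def keyboard_walk_ratio(pw: str) -> float:
    """Fraction of consecutive character pairs that are neighbouring keys
    (row and column each differ by at most one). Sequential key variations
    score close to 1.0; random passwords score close to 0."""
    p = pw.lower()
    if len(p) < 2:
        return 0.0
    hits = 0
    for a, b in zip(p, p[1:]):
        if a in _KEYPOS and b in _KEYPOS and a != b:
            (ra, ca), (rb, cb) = _KEYPOS[a], _KEYPOS[b]
            if abs(ra - rb) <= 1 and abs(ca - cb) <= 1:
                hits += 1
    return hits / (len(p) - 1)


def validate_password(pw: str, username: str = "", device: str = "") -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if pw.lower() in BLOCKLIST:
        problems.append("default or common password")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("needs upper, lower, digit and symbol")
    if keyboard_walk_ratio(pw) >= 0.5:  # threshold is an assumption
        problems.append("sequential keyboard pattern")
    # Composition rules: reject passwords built from the account or device
    # name, e.g. "<device>2016".
    for part in (username, device):
        if part and part.lower() in pw.lower():
            problems.append(f"contains '{part}'")
    return problems
```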