New research from the IET reveals some worrying insights into the passwords we use for our internet-enabled devices, and some top tips about what we can do to make ourselves more secure.
Today is World Password Day, which takes place every year on the first Thursday in May to promote better password habits.
Passwords have been in the news already this past week with the UK government having enforced new regulations – the Product Security and Telecommunications Infrastructure (PSTI) Act – that require manufacturers of internet-connected devices to implement minimum security standards against cyber threats.
These new laws include manufacturers banning the use of weak or easily guessable default passwords such as ‘admin’ or ‘12345’. If the password is common, the user must be given the opportunity to change it on start-up.
According to new research by the IET, easy-to-access passwords are crackable in less than one second.
This includes using predictable passwords such as a significant date, like your birthday, or a pet’s name. Often, we use these same weak passwords across multiple websites and devices. And some of us don’t even change the manufacturer’s default password once we purchase a new device.
The IET has carried out this research into our password pitfalls to help raise awareness of how vulnerable we are and to provide useful tips and insights to bolster our defences against cyber threats.
For instance, 38% of people believe that replacing letters with numbers, such as p4$$w0rd, is a more secure password, and 45% think it makes them harder to guess, but this is not the case.
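The point about substitutions can be seen from the defender's side. The following is an added example, not code from the IET or its research: a sign-up check that undoes look-alike substitutions before comparing against a list of common passwords. The `COMMON` sample list, the substitution table and the 12-character minimum are assumptions made for illustration.

```python
# Added example: reject passwords that are only a disguised common password.
# COMMON is a tiny constructed sample; a real deployment would load a large
# list of breached and default passwords instead.
COMMON = {"admin", "12345", "password", "letmein", "qwerty"}

# Typical look-alike substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def disguised_forms(password):
    """Return the simplified forms of `password` that a guessing tool
    would reach by undoing case changes, suffixes and substitutions."""
    lowered = password.lower()
    # "Admin2024!" -> "admin": trailing digits and punctuation add little.
    stripped = lowered.rstrip("0123456789!?.#*")
    forms = {lowered, stripped}
    # "p4$$w0rd" -> "password": map look-alike characters back to letters.
    forms |= {form.translate(LEET) for form in forms}
    forms.discard("")
    return forms


def check_password(password, min_length=12):
    """Return (accepted, reason). min_length is an assumed policy value."""
    hit = disguised_forms(password) & COMMON
    if hit:
        return False, f"variant of common password '{sorted(hit)[0]}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["p4$$w0rd", "admin", "12345", "Admin2024!", "maple-teapot-gravel"]:
        print(f"{pw!r:24} {check_password(pw)}")
```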
Worryingly, the stats also reveal that only one in five people can correctly identify a secure password over a compromised one, despite admitting they are scared about being hacked in the future (65%) and believe hackers are becoming more inventive (84%).
“In our evolving online world, having strong passwords is more important than ever as hackers are targeting multiple accounts of victims due to weak and predictable passwords,” said cyber-security expert and IET fellow Dr Junade Ali.
“If you use the same password for every website and the password is breached from one site, all sites can be compromised without the attacker needing to try any other passwords - this is known as credential stuffing.”
To strengthen your defences against cyber threats, the IET has outlined 10 top tips below:
- Use randomly generated, long, unique passwords for each website.
- When it comes to passwords, longer is generally better.
- Having a password created from three random words is more secure than having a short complex password.
- Use a strong and separate password for your email account. If someone gains access to your email account, they can often reset passwords for other accounts.
- Use a password manager to store your passwords and to alert you if they have been involved in a data breach.
- Enable two-factor authentication where possible.
- Whether to the cloud or an external hard drive, back up important data.
- Consider enabling the PIN code on the SIM card on your phone to protect your accounts if your phone is stolen.
- Install the latest security updates for your device and avoid buying devices that the manufacturer no longer supports with updates.
- It's safer to use dedicated authenticator apps than to get two-factor authentication codes over SMS text messages.
Ali welcomes the government’s new cyber security laws, particularly the onus put onto manufacturers to ban the use of predictable and default passwords.
He said: “Poor cyber security on smart devices is not just a risk to consumers themselves – who put smart devices in their homes and trust them to control key aspects of their lives – but it’s also a risk to critical national infrastructure, as we have seen a variety of large-scale attacks originate from these devices.”