October 9, 2009

Password security too weak to defend against dictionary attacks

Research shows 29 million hit by data loss in UK

By CBR Staff Writer

Phishing attacks that led to over 10,000 personal passwords from Hotmail, Gmail or Yahoo Mail accounts being disclosed this week have confirmed people will routinely use the weakest of passwords to secure their online identity.


Statistical analysis of the passwords by web application security firm Acunetix revealed the most common was 123456. Some 19% of the leaked passwords used only numerals, and 42% used lower case letters only.

Security experts advise passwords should be a mixture of letters, numbers, and symbols, and Google has recommended people choose a favoured phrase or statement and use the first letter of every word in that. Both will help minimise the risk of dictionary attacks.

MessageLabs said there was evidence of an increase in the number of brute-force password breaking attempts, where dictionary attacks are used against online webmail accounts, perhaps using POP3 or webmail to conduct the attacks.

“Users with simple or weak passwords are the most vulnerable. On the website, an attacker will be asked to solve a Captcha puzzle to prove they are a real person. Captchas can be easily bypassed using a variety of Captcha-breaking tools,” MessageLabs said.



The company noted another problem that is developing, in addition to the security of emails.

“A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and instant messaging on a public IM network,” said Paul Wood of MessageLabs. “If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID.”

Research commissioned by encryption supplier Stonewood Group has revealed that people are becoming increasingly concerned about these growing ID fraud threats, with 66% worried that they will be affected by identity loss in the future.

Ahead of next week’s National ID fraud week in the UK, Stonewood today called for the Government to set tougher penalties for Data Protection Act breaches, saying the latest figures show it costs Britons over £2 billion a year with as many as 29 million people affected by data loss in the past year alone.

Chris McIntosh, Stonewood CEO, said, “Businesses can easily protect data by using hardware encryption and authentication, eradicating any risk of data loss and helping reduce the growing ID fraud threat. The problem is, until businesses understand there are massive consequences to DPA breaches, including heavy fines and the threat of jail, they are not going to invest in resolving the problem.”
