Report: Dog-name passwords not enough to protect businesses
Security vendor urges businesses to beef up password security
Businesses have been urged by security firm Trustwave to encourage the creation of more complex passwords, after the vendor's latest research found thousands of staff simply use their dog's name to log onto their office network.
Trustwave analysed a sample of 626,718 passwords and within just a few minutes were able to recover more than half of them. Over the next month, the firm was able to guess the passwords of 92 per cent of the sample.
It claims that many users and IT administrators alike believe that using a mix of upper and lower-case letters and numbers is enough to outwit hackers, but that the assumption is incorrect.
"The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools," it said.
"Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password."
Of the passwords it cracked, almost 3,000 were "Password1", with "Hello123" and "password" coming in second and third place respectively.
But even those creating seemingly personal passwords fell into common traps, it added, claiming that almost 10,000 users had a password made up of one of the top-100 dog names.
According to Battersea Dogs and Cats Home, the most popular names for dogs are Jack, Buster, Bella and Charlie.
Another 20,000 passwords Trustwave analysed contained one of the top-100 names for baby girls and boys.
Trustwave urged businesses to do more to crack down on users' weak passwords.
"Weak or default passwords contributed to one third of compromises [we] investigated," it said.
"Therefore, annihilate weak passwords [and] implement and enforce strong authentication policies. Educate users on the value of choosing longer 'pass-phrases' instead of simple, predicable, easy-to-crack passwords.
"Deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, such as a unique code sent to a user's mobile phone."