Another set of regulations brings another round of discussions between attorneys and clients, and this one demands detailed insight into what the cybersecurity engineering world can actually deliver. The goal, of course, is to make the response practical, effective and valuable. Read this post to the end and I will show you that the goal is readily attainable.

New cybersecurity regulations first introduced by the New York State Department of Financial Services (“NYDFS”) in September 2016 and taking effect in their final form on March 1, 2017 represent the dawn of a new era of cybersecurity regulation. Formally titled “Cybersecurity Requirements for Financial Services Companies” (the “NY Regulations”), these rules are the first foray by a state into the realm of cybersecurity regulation. (The full text of the NY Regulations, 23 NYCRR Part 500, and a NYDFS summary are published by the NYDFS.) They leave behind the tried but not-particularly-true approaches of voluntary risk evaluation (e.g., the NIST Cybersecurity Framework) and post-breach remedial action (such as the orders regularly imposed by the Federal Trade Commission) and instead create a comprehensive system, built on periodic mandated risk assessment, designed to produce robust cybersecurity programs capable of preventing cyber incidents, rather than merely measuring cyber maturity or reacting to data security breaches.

In introducing the draft Regulations, New York Governor Andrew Cuomo asserted that:

New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.

Clearly, Mr. Cuomo had no illusions about the potential reach or significance of the Regulations, and neither should practitioners, wherever located, with clients in, or even proximate to, the financial services industry. The Regulations contemplate a new, holistic approach to cybersecurity, apply to a broad universe of industries operating in the State of New York and are likely to affect regulation far beyond that state’s borders.

Who must comply with the Regulations?

The reach of the Regulations appears to be extraordinarily broad, as might be expected for regulators in “the financial capital of the world.” They apply to “Covered Entities,” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization [from the NYDFS] under the Banking Law, the Insurance Law or the Financial Services Law,” but grant a limited exemption to very small Entities: those with (1) fewer than 10 employees, including independent contractors; (2) less than $5 million in gross annual revenue in each of the last three fiscal years; or (3) less than $10 million in year-end total assets, calculated in accordance with GAAP and including the assets of all affiliates. (Note that these small concerns are still “Covered Entities” and must still comply with certain portions of the NY Regulations.) It is important to read that definition carefully: it covers a much larger universe than one may expect. Besides banks and other obvious financial institutions, the NYDFS also regulates insurance companies (including health insurers), mortgage lenders, mortgage brokers and any other business covered by the New York Banking, Insurance or Financial Services Laws. And, because the touchstone of the Regulations is authorization from the NYDFS, the Regulations by their terms apply to national and international concerns headquartered, and even conducting substantially all of their operations, outside New York, so long as they operate within the State of New York under NYDFS authorization and do not fall within the de minimis exemptions.

When do the Regulations take effect?

The Regulations became effective March 1, 2017 and, with certain exceptions, are subject to a 180-day transition period; several of the more demanding provisions (among them penetration testing and vulnerability assessment, multi-factor authentication, audit trails, encryption and the third-party service provider policy) have longer transition periods of one year to two years. Covered Entities must file their first annual certifications with the NYDFS no later than February 15, 2018.

What do the Regulations require?

The Regulations are intended to create an expansive, integrated, risk-based system to ensure that regulated entities develop and maintain robust cybersecurity capabilities and, therefore, are able to properly safeguard sensitive nonpublic information in their possession. Not surprisingly, with such a lofty goal, they have a large number of largely interconnected “moving parts,” which must fit, and work, together seamlessly. The following are some of the most critical elements of the Regulations.

  • Cybersecurity Program. Each Covered Entity must develop, implement and maintain a Cybersecurity Program, based on its Risk Assessment (discussed below), that performs these core functions:
    • Identify and assess internal and external cyber risks to the security or integrity of information stored on the Entity’s information systems;
    • Create infrastructure and implement policies and procedures to prevent unauthorized access to the Entity’s information systems and use of nonpublic information on such systems;
    • Detect cybersecurity events, respond to such events to mitigate adverse effects and recover and restore normal operations and services; and
    • Meet regulatory reporting obligations.
  • Cybersecurity Policy. Each Covered Entity must adopt a written Cybersecurity Policy, made up of policies and procedures for the protection of its information systems and of nonpublic information stored on those systems. The Cybersecurity Policy must be based on the Entity’s Risk Assessment (discussed below), approved by a senior officer (as defined) or the Entity’s board of directors and must address the following areas to the extent applicable:
    • Information security;
    • Data governance and classification;
    • Asset inventory and device management;
    • Access controls and identity management;
    • Business continuity and disaster recovery planning and resources;
    • Systems operations and availability concerns;
    • Systems and network security;
    • Systems and network monitoring;
    • Systems and application development and quality assurance;
    • Physical security and environmental controls;
    • Customer data privacy;
    • Vendor and third-party service provider management;
    • Risk assessment; and
    • Incident response.
  • Monitoring, Penetration and Vulnerability Testing. The Cybersecurity Program for each Covered Entity (other than those exempt under the de minimis standard) must include a program of ongoing monitoring and testing, developed in accordance with the Entity’s Risk Assessment (discussed below), to assess the effectiveness of the Entity’s Cybersecurity Program. This monitoring and testing regime must include either (1) continuous monitoring or (2) periodic penetration testing (in which the assessors “attempt to circumvent or defeat the security features of an information system”) and vulnerability assessments. In the absence of continuous monitoring, penetration testing must be performed at least annually to identify vulnerabilities in the Covered Entity’s network security systems, and vulnerability assessments, including systematic scans or reviews of information systems to identify known vulnerabilities, must be undertaken at least twice annually.
  • Risk Assessment. Each Covered Entity must undertake a periodic Risk Assessment to reassess the cybersecurity risks inherent in its business operations, including its information systems and the nonpublic information it collects and stores. Compliance with a number of other requirements is explicitly dependent on the Risk Assessment: the Cybersecurity Program, Cybersecurity Policy, Penetration Testing and Vulnerability Assessment and Third-Party Service Provider Security Policy (all discussed herein), as well as Multi-Factor Authentication, Encryption of Nonpublic Information and Training and Monitoring. While the original proposal called for the Risk Assessment to be performed annually, the final Regulations drop the “annual” requirement and instead require that the Risk Assessment be “sufficient to inform the design” of the Cybersecurity Program. In other words, Covered Entities must undertake Risk Assessments with sufficient frequency to ensure that the other components of their Cybersecurity Programs remain in compliance with the Regulations.

Other notable requirements under the Regulations include:

  • Chief Information Security Officer. Each Covered Entity (other than those exempt under the de minimis standard) must designate a Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s Cybersecurity Program and enforcing its Cybersecurity Policy. The CISO must report in writing to the Entity’s Board of Directors, at least annually, on a list of prescribed matters.
  • Third-Party Service Provider Security Policy. Each Covered Entity must have in place policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
  • Reporting Requirements. Covered Entities are required to report to the DFS as follows:
    • Within 72 hours after a determination that a “Cybersecurity Event” has occurred. A Cybersecurity Event is an event “that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”
    • No later than February 15 of each year, each Covered Entity must certify that it is in compliance with the requirements of the Regulations.

Each Cybersecurity Program also must include:

  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges;
  • Limitations and periodic reviews of access privileges;
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually;
  • Employment and training of cybersecurity personnel;
  • Multi-factor authentication for individuals with privileged access to internal systems and for access to internal networks from external networks, including remote access;
  • Timely destruction of nonpublic information that is no longer necessary;
  • Monitoring of authorized users and cybersecurity awareness training for all personnel;
  • Encryption of all nonpublic information held or transmitted (or, where encryption is infeasible, effective alternative compensating controls reviewed and approved by the CISO); and
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

What should a Covered Entity do now?

It is clear that the Regulations are here to stay and that compliance will require many Covered Entities to develop and implement, or revise and upgrade, their processes and procedures. With an initial phase-in period of only six months, they had better act fast. The key is finding a trusted cybersecurity advisor. Law firms and accounting firms may wish to fill this need, but many of the requirements can only be properly addressed by genuine cybersecurity engineers.

As noted above, the foundation of the Regulations is the Risk Assessment. Everything from the Cybersecurity Program, Cybersecurity Policy, Penetration Testing and Vulnerability Assessment and Third-Party Service Provider Security Policy to the Multi-Factor Authentication, Encryption of Nonpublic Information and Training and Monitoring requirements depends on the Risk Assessment’s results. So the logical, and necessary, first step is for the Entity to undergo a thorough, state-of-the-art and unassailable Risk Assessment.

Assured Enterprises, Inc. (“Assured”), through its TripleHelixSM and AssuredScanDKV® tools, delivers a state-of-the-art, up-to-the-minute assessment of a Covered Entity’s cyber risk profile based on (1) criteria for the evaluation and categorization of identified cybersecurity risks and threats facing the Entity, (2) criteria for the assessment of the confidentiality, integrity, security and availability of the Entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks, and (3) recommendations for how identified risks should be mitigated or accepted. Uncanny as it may seem, the NY Regulations are geared almost perfectly to these tools from Assured.

Assured’s deep scanning tool, AssuredScanDKV®, provides a critical and heretofore unobtainable deliverable for an effective Risk Assessment: an inventory of the known cybersecurity vulnerabilities hidden within the Covered Entity’s software applications. AssuredScanDKV® searches within bundled binary executable files, libraries and DLLs throughout the Entity’s enterprise network, detecting known vulnerabilities residing in the software. Its output report provides a prioritized list of the identified vulnerabilities, along with a remediation pathway for each. An AssuredScanDKV® scan is an invaluable element of a Risk Assessment, as it illuminates previously dark and inaccessible corners of the Entity’s cybersecurity infrastructure and provides the Entity with the inputs necessary to construct an effective, and compliant, Cybersecurity Program.

Assured’s proprietary approach enables a thorough understanding of a Covered Entity’s security profile and provides a comprehensive roadmap for mitigating risk and improving its security posture. TripleHelixSM evaluates three strands of essential information:

  • Cyber Maturity Report. Identifies existing vulnerabilities, gaps and weaknesses.
  • Threat Report. Heightens understanding of potential risks by identifying bad actors, state-sponsored hackers, “hacktivists,” organized crime, commercial espionage experts, insider threats and more.
  • Impact Report. Aids in prioritizing mitigation and resource allocation by quantifying the impact a successful data breach could inflict on the Entity.

And, in short order the Covered Entity receives three deliverables:

An Actionable Roadmap

Takes into account the actual cost-effectiveness and workflow issues facing the Covered Entity and makes concrete recommendations to improve its cyber health. The roadmap covers hardware, software, policies, procedures, training, network connections and much more.

A CyberScore®

Just like a FICO® score, Assured’s CyberScore® is a three-digit representation of the cyber health of the Covered Entity. It serves as a benchmark of where the Entity stands today and informs the Roadmap of what can be done to improve. By refreshing the CyberScore® every six months, in step with the twice-yearly vulnerability assessments the NY Regulations call for, the board of directors and senior management can measure improvements and make further informed decisions, now armed with accurate information. The CyberScore® is backed by actuarial data and based on the thousands of data points evaluated by TripleHelixSM.

The Covered Entity’s own Regulatory Compliance Dossier

This Dossier is populated with virtually all of the regulatory, compliance and best-practice reports a Covered Entity may need. PCI DSS, HIPAA, SOX, GLBA, SEC, FFIEC, NCUA, ISO 27001/27002, COBIT 5 and many more are available and are delivered in proper form, with certifications, as part of the deliverables. Naturally, the NY Regulations are already incorporated into TripleHelixSM. This is truly one-stop shopping, which reduces the impact on the Covered Entity’s workflow and provides consistency and accuracy in evaluation.

Assured has already built the precise tools, TripleHelixSM and AssuredScanDKV®, to satisfy the NY Regulations in full and much more besides. The company was founded by top-notch cybersecurity engineers with extensive experience in the US DoD and Intelligence Community, supported by a team of professional leaders that is nothing short of first rate.

If you want the best, most comprehensive solution for the NY Regulations and beyond, consider Assured Enterprises’ solutions. For more information contact us or schedule a demo today.




‘Infamous’ GravityRAT spyware now hits Macs as well as Windows




The notorious GravityRAT spyware, which initially targeted Windows PCs, now also enables attacks against Macs and Android devices.

Remote Access Trojans (RATs) are so-called because they masquerade as legitimate apps (the Trojan part) and then permit the compromised machine to be accessed remotely …

Cybersecurity company Kaspersky describes the GravityRAT malware as ‘infamous’ because it has been used in attacks against even military targets, and enables a huge amount of control.

Bleeping Computer reports on the capabilities of the spyware.

– get information about the system
– search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
– get a list of running processes
– intercept keystrokes
– take screenshots
– execute arbitrary shell commands
– record audio (not implemented in this version)
– scan ports

Kaspersky has long suspected that the tool has been used against other platforms too, and has now found proof of this.

The identified module is further proof of this change, and there are a number of reasons why it doesn’t look like a typical piece of Android spyware. For one, a specific application has to be selected to carry out malicious purposes, and the malicious code – as is often the case – is not based on the code of previously known spyware applications. This motivated Kaspersky researchers to compare the module with already known APT families.

Analysis of the command and control (C&C) addresses used by the module revealed several additional malicious modules, also related to the actor behind GravityRAT. Overall, more than 10 versions of GravityRAT were found, distributed under the guise of legitimate applications, such as secure file-sharing applications that would help protect users’ devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, macOS and Android.

Macs are relatively well protected against trojans because Apple vets apps admitted to the Mac App Store, and Gatekeeper by default allows only software from the App Store or from identified developers, meaning apps signed with an Apple-issued Developer ID certificate (and, on recent macOS versions, notarized by Apple). Unsigned software can only be run if the user deliberately overrides that protection.

However, BleepingComputer reports that the group behind GravityRAT signs its apps with stolen developer certificates, so they pass that check and appear legitimate.

It isn’t possible to list the infected apps, as GravityRAT mimics a variety of legitimate apps. The best protection is to install apps only from the Mac App Store or directly from developers you trust, and not to plug cables or devices into your Mac unless you know their provenance.
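The practical caveat behind the stolen-certificate detail is that “signed” is not the same as “trustworthy”: a valid Developer ID signature only tells you that some registered developer signed the bundle, not that it was the developer whose app you think you are installing. The following Python is an added example, not code from Kaspersky, BleepingComputer or this article. It parses `codesign -dvvv` output and accepts an app only when the signer’s Team ID equals the one the vendor publishes, the chain is a Developer ID chain rooted at Apple, and Gatekeeper (`spctl`) still accepts it, which is where a revoked stolen certificate gets caught. The sample output, the app name SecureShare, the vendor Example Corp and the Team ID ABCDE12345 are constructed; the live check needs macOS, the parsing runs anywhere.

```python
"""Verify a macOS app's signer rather than trusting that it is merely signed.

Added example, not code from the article or the researchers it cites. The
live check (check_app) needs macOS; the parsing and matching functions are
pure text processing and run anywhere. Sample output and identifiers
(SecureShare, Example Corp, ABCDE12345) are constructed for illustration.
"""
from __future__ import annotations

import subprocess

# Constructed `codesign -dvvv` output for a hypothetical Developer ID-signed app.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/SecureShare.app/Contents/MacOS/SecureShare
Identifier=com.example.secureshare
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=9012
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=40
"""


def parse_codesign_output(text: str) -> dict:
    """Extract Identifier, TeamIdentifier and the Authority chain (leaf first)
    from `codesign -dvvv` output, which codesign writes to stderr."""
    info: dict = {"authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["authority"].append(value)
        elif key in ("Identifier", "TeamIdentifier"):
            info[key] = value
    return info


def signer_matches(info: dict, expected_team_id: str) -> bool:
    """Accept only a Developer ID chain rooted at Apple whose Team ID equals the
    vendor's published Team ID. A look-alike app re-signed with some other
    stolen certificate fails here even though Gatekeeper would see a valid
    signature; an ad-hoc signature has no Authority lines and fails too."""
    chain = info.get("authority", [])
    return (
        info.get("TeamIdentifier") == expected_team_id
        and bool(chain)
        and chain[0].startswith("Developer ID Application:")
        and chain[-1] == "Apple Root CA"
    )


def check_app(app_path: str, expected_team_id: str) -> bool:
    """Live check on macOS: signature integrity, signer identity, then the
    Gatekeeper assessment, which also reflects certificate revocation (the
    case where the vendor's own certificate was the one stolen)."""
    verify = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", app_path],
        capture_output=True, text=True,
    )
    if verify.returncode != 0:
        return False
    details = subprocess.run(["codesign", "-dvvv", app_path],
                             capture_output=True, text=True)
    if not signer_matches(parse_codesign_output(details.stderr), expected_team_id):
        return False
    assess = subprocess.run(["spctl", "--assess", "--type", "execute", app_path],
                            capture_output=True, text=True)
    return assess.returncode == 0


if __name__ == "__main__":
    parsed = parse_codesign_output(SAMPLE_CODESIGN_OUTPUT)
    print(parsed["TeamIdentifier"], signer_matches(parsed, "ABCDE12345"))
```

The Team ID comparison defends against an attacker who mimics a vendor’s app using a certificate stolen from someone else; if the vendor’s own certificate was stolen, the Team ID will match and only revocation, surfaced through the `spctl` assessment, will catch it. Vendors publish their Team ID on download pages or support sites, which is the value to pass as `expected_team_id`.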




Philips consulting’s strategy to cyber security




Many years ago, the firewall was everything. Defense in depth meant layered defense with multiple firewalls on the path, and behind the firewalls sat a fortress. Organizations designed networks with strong perimeters and demilitarised zones to ensure the crown jewels were well protected, and attackers had a difficult time breaking through. At the physical layer, Network Admission Control (NAC) technologies kept intruders from getting direct access by preventing unauthorized devices from being plugged into the network: before a device was admitted, it had to meet a minimum standard defined by the organization.

Those years are gone, perhaps forever. Cloud computing, Bring Your Own Device (BYOD), artificial intelligence, the Internet of Things (IoT), VPNs and remote working have dramatically changed the way businesses run. These technologies have introduced a level of innovation and disruption that was unimaginable only a few years ago, and they have collapsed the traditional network perimeter, increasing the attack surface. Enterprise networks now extend far beyond the traditional datacentre to smartphones, cloud platforms, mobile computers and IoT interfaces, without geographical boundaries. The bad guys have a plethora of interfaces to attack; they no longer need physical access or traditional social engineering to reach the network. The changes in the work environment brought on by COVID-19 have extended network boundaries even further beyond the datacentre: employees work from home over devices and connections into the enterprise network that were never designed for that purpose, and improvised connections were made to keep the business functioning because the pandemic arrived without warning.

The danger is that many of these end devices were not designed with security in mind, and where security was a consideration it was rarely enterprise data protection. These devices are usually not hardened, and their owners may not understand the effect on the organization’s overall security posture. Many ship with default passwords that are never changed during or after installation, so the password can be guessed by hand or with dictionary or brute-force attacks. Another risk is the lack of security updates and patches: because these endpoints are not seen as part of the enterprise network, they are left out of the patch management program, and their presence introduces serious vulnerabilities into the enterprise. It then becomes easier to use malware that tunnels through the firewall to breach the enterprise network than to spend months or years trying to break through the firewall, or layers of firewalls, directly. In recent years, large-scale attacks have been launched by malware exploiting known vulnerabilities and security gaps on endpoints: WannaCry, Petya and the Petya variant NotPetya all reached enterprise networks through vulnerable endpoints. A further danger is data leakage, because these devices temporarily or permanently store organizational data.

There is also the concern of device loss. If these devices are lost, the organization’s data may be exposed to unauthorized parties, with both financial and reputational damage. These dangers are amplified by the COVID-19 pandemic, during which organizations made ad hoc improvisations to keep the business running while employees worked from home. As commerce resumes, organizations are discovering the capabilities they need to support their businesses remotely and are rethinking their business continuity strategies. For some businesses this is not a temporary shift but a change that has permanently altered how the organization operates.

Legacy cybersecurity strategies, techniques and investments will not be enough to mitigate the rising cybersecurity concerns introduced by this new way of working. Protection has gone beyond throwing in uncoordinated technical solutions and efforts. Organizations need a new approach to protecting their assets within this ever-growing complexity, both to remain afloat and to derive a commensurate Return On Security Investment (ROSI). A well-crafted strategy ensures that cybersecurity efforts are coordinated across the enterprise without duplication of effort and resources, which in turn drives down the cost of implementing cybersecurity initiatives.

To improve the security posture, organisations must do the following:

  1. Continuously monitor the devices, applications, and processes running on the network.
  2. Automate security monitoring and mitigation.
  3. Implement systems that are capable of automatic detection, isolation, and containment of threats within the network.
  4. Ensure that monitoring covers event data, session data, and historical data on endpoint usages, such as past processes, network connections, and other information.
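What points 1 to 4 look like in practice is a baseline-and-diff loop: decide what “known good” is for the fleet, compare every process start, outbound connection and inventory record against it, and turn the mismatches into actions, including automatic isolation for the worst cases. The following Python is an added example, not Philips Consulting code. The telemetry lines, the baseline, the field names and the hostnames (`lt-042`, `nas-01`) are constructed; it also folds in the default-credential and missing-patch problems from the earlier paragraph, since the same inventory feed answers both.

```python
"""Baseline-and-diff monitoring over endpoint telemetry.

Added example, not Philips Consulting code: it turns points 1-4 above into a
small detector. The telemetry lines, the baseline, the field names and the
hostnames are constructed assumptions; a real deployment would read the
EDR or SIEM feed and load the baseline from the asset inventory.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import date

# Constructed JSON-lines telemetry: process starts, outbound connections and a
# periodic inventory record per device (including an unmanaged NAS).
TELEMETRY = """\
{"host":"lt-042","type":"process","name":"outlook.exe","parent":"explorer.exe"}
{"host":"lt-042","type":"process","name":"powershell.exe","parent":"winword.exe"}
{"host":"lt-042","type":"connection","proc":"powershell.exe","dst":"203.0.113.7","port":4444}
{"host":"lt-042","type":"connection","proc":"outlook.exe","dst":"mail.example.com","port":443}
{"host":"lt-042","type":"inventory","os":"windows-10","last_patch":"2020-09-08","default_creds":false}
{"host":"nas-01","type":"inventory","os":"embedded-linux","last_patch":"2017-02-10","default_creds":true}
"""

# Constructed baseline: the known-good state the fleet is compared against.
BASELINE = {
    "processes": {"explorer.exe", "outlook.exe", "winword.exe", "chrome.exe"},
    "destinations": {"mail.example.com", "update.example.com"},
    "max_patch_age_days": 90,
}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "high" or "medium"
    reason: str
    action: str    # "isolate", "review", "change credentials" or "patch"


def parse_telemetry(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_raw_ip(dst: str) -> bool:
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def evaluate(records: list[dict], baseline: dict = BASELINE,
             today: date = date(2020, 10, 20)) -> list[Finding]:
    """Apply the rules; `today` is fixed so the example is reproducible."""
    findings: list[Finding] = []
    for r in records:
        host = r["host"]
        if r["type"] == "process":
            # An office app launching a script interpreter is the classic
            # document-lure chain; an unknown binary is merely unbaselined.
            if r["parent"] in OFFICE_APPS and r["name"] in INTERPRETERS:
                findings.append(Finding(host, "high",
                                        f"{r['parent']} spawned {r['name']}", "isolate"))
            elif r["name"] not in baseline["processes"]:
                findings.append(Finding(host, "medium",
                                        f"unbaselined process {r['name']}", "review"))
        elif r["type"] == "connection":
            if r["dst"] not in baseline["destinations"]:
                # A direct-to-IP connection outside the baseline is treated as
                # likely command-and-control; a hostname gets a human look first.
                raw = _is_raw_ip(r["dst"])
                findings.append(Finding(
                    host, "high" if raw else "medium",
                    f"{r['proc']} -> {r['dst']}:{r['port']} not in baseline",
                    "isolate" if raw else "review"))
        elif r["type"] == "inventory":
            if r.get("default_creds"):
                findings.append(Finding(host, "high",
                                        "factory default credentials still set",
                                        "change credentials"))
            age = (today - date.fromisoformat(r["last_patch"])).days
            if age > baseline["max_patch_age_days"]:
                findings.append(Finding(host, "high",
                                        f"last patched {age} days ago", "patch"))
    return findings


def hosts_to_isolate(findings: list[Finding]) -> set[str]:
    """Hosts the containment step should cut off from the network."""
    return {f.host for f in findings if f.action == "isolate"}


if __name__ == "__main__":
    for f in evaluate(parse_telemetry(TELEMETRY)):
        print(f"{f.severity:6} {f.host:7} {f.reason}  -> {f.action}")
```

Run on the constructed feed, the laptop is flagged twice (an office application spawning PowerShell, then PowerShell reaching a raw IP on port 4444) and queued for isolation, while the NAS, which never appears in process or connection data because no agent runs there, is still caught by the inventory rules for default credentials and a three-year-old patch level. That second path is the point of item 4: historical and inventory data catch the devices that live monitoring never sees.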

Another measure organizations should take is reducing complexity. The extension of network boundaries has not stopped organizations from using their existing network solutions to protect the enterprise network; in a bid to protect both the on-premise infrastructure and the assets beyond the traditional network boundary, they combine existing technologies with new solutions, and the net effect is more complexity. To manage security effectively, organizations should reduce complexity and improve visibility, which can be achieved by unifying the tools and efforts for managing on-premise and off-premise infrastructure in a single platform. Beyond technical controls, organizations should develop policies, standards and procedures for acceptable use of organizational resources.

Over the years, PCL has supported organizations in developing tested cybersecurity and business continuity strategies so that they can protect their assets. We provide managed security and assurance functions to ensure that, operationally, organizations are well protected against destructive cybersecurity incidents. Contact us today, by email to [email protected], to start the engagement.




The 20 Most Hacked Passwords in the World: Is Yours Here?




Which password gets hacked more than any other password in the US?

  • password

What about in Germany?

  • 123456

In Russia?

  • qwerty

This report summarizes the findings of the SafetyDetectives research team who collected over 18 million passwords to find the 20 most used, most predictable, and ultimately most hacked passwords all over the world.

The data used in this report was gathered from several years’ worth of leaks found on hacking forums, marketplaces, and dark web sites — usually sold as treasure troves of sensitive information for criminals. (Note: We only analyzed the data — no identifying information like usernames or banking details were compromised while conducting this research.)

Our goal was not to simply put together another “most used/hacked passwords” list. Instead, we wanted to see if there were any obvious patterns occurring around the world which would cause hackers easier access to user information, regardless of language or location.

Non-English speaking countries are often underrepresented in cybersecurity research, but non-English speakers are just as vulnerable to cyber crime. It’s important to stay protected on the internet no matter where you live or what language you speak. And it all starts with a password manager such as Dashlane and an antivirus; Norton, Malwarebytes and Bitdefender are some of our top recommendations.

Over 18 Million Passwords Analyzed

We collected and analyzed a total of 18,419,945 passwords.

Around 9 million passwords were from the general population:

  • From various worldwide databases, we collected 9,056,593 passwords
    • Note that there’s some overlap with other populations.
  • From hacked .edu users, we collected 328,000 passwords.

The remaining 9 million passwords were country-specific:

  • Germany — 783,756
  • France — 446,613
  • Russia — 5,614,947
  • Italy — 49,622
  • Spain — 459,665
  • USA — 1,680,749

We looked at this from a lot of different angles to identify the weakest and most insecure passwords in the world.

For each population, we identified:

  • The top 20 most used passwords (and the top 30 overall).
  • The most popular password patterns.
  • Specific cultural references to that population.

We also looked at:

  • How names found in email addresses are used in passwords. We specifically looked at the use of first names in “[first_name].[last_name]@[email_provider].com” and address names in “[address_name]@[email_provider].com”.
  • How these common passwords compare to the “Hacker’s List” – the list of passwords that are most often used by security researchers for dictionary attacks. (“Dictionary attacks” refers to trying many different common passwords until the right one is guessed.)

Note: Many of the passwords analyzed in this report would not be allowed to be used by sites that have password strength checks in place.

Top 30 Most Used Passwords in the World

  1. 123456
  2. password
  3. 123456789
  4. 12345
  5. 12345678
  6. qwerty
  7. 1234567
  8. 111111
  9. 1234567890
  10. 123123
  11. abc123
  12. 1234
  13. password1
  14. iloveyou
  15. 1q2w3e4r
  16. 000000
  17. qwerty123
  18. zaq12wsx
  19. dragon
  20. sunshine
  21. princess
  22. letmein
  23. 654321
  24. monkey
  25. 27653
  26. 1qaz2wsx
  27. 123321
  28. qwertyuiop
  29. superman
  30. asdfghjkl

General Password Trends in the World

  • The word “password” and its slight variations (e.g. “password1”) are very popular.
  • Common words and phrases (“letmein”, “iloveyou”, “princess”, “superman”, etc.) are also widely used.
  • Keyboard patterns remain popular — 25% of the top 30 most common passwords are keyboard patterns. “qwerty” is the most used one by far, but diagonal keyboard pattern variations like “1q2w3e4r” and “zaq12wsx” are also well represented.

Numbers are the Most Common Password Pattern

Numeric patterns are worldwide favorites when it comes to creating a weak, easy-to-guess password. Increasing (e.g. 123456) or repetitive (e.g. 111111) numeric patterns could be observed in 8 out of the top 10 and 13 out of the top 30 most used passwords.

Analyzing passwords by country, we notice a few more things:

  • The word “hello” is a popular password choice everywhere (in their respective languages), present in the top 20 password lists of nearly all countries we analyzed.
  • The soccer-loving nations of Italy and Spain both have names of prominent soccer teams in the top 10 of their most common passwords.
  • German and Spanish users favor numeric patterns.
  • Russian users more often choose keyboard patterns for passwords than other countries.
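The patterns above (breach-list words, increasing or repeated digit runs, keyboard walks on QWERTY, QWERTZ and AZERTY, and first names reused from the email address) are exactly what a registration form’s strength check should reject, and a dictionary attack is simply the same lists tried in order. The following Python is an added example, not part of the SafetyDetectives report: it scores a candidate password against those patterns. The blocklist is a constructed excerpt of the report’s lists (a real deployment would load a full breach corpus from disk), the keyboard layouts are simplified to four rows, and the 8-character minimum and 0.75 walk threshold are the example’s own choices.

```python
"""Password screening built from the patterns this report identifies.

Added example, not part of the SafetyDetectives report: the blocklist is a
constructed excerpt of the report's lists (a real deployment loads a full
breach corpus such as the "Hacker's List" from disk), the keyboard layouts
are simplified to four rows, and the thresholds are the example's choices.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed excerpt: the worldwide top 30 plus leading words from the
# country lists. Lookups strip trailing digits/symbols so "password1",
# "hallo123" and "qwerty123" match their stems.
BLOCKLIST = {
    "123456", "password", "123456789", "12345", "12345678", "qwerty", "1234567",
    "111111", "1234567890", "123123", "abc123", "1234", "password1", "iloveyou",
    "1q2w3e4r", "000000", "qwerty123", "zaq12wsx", "dragon", "sunshine",
    "princess", "letmein", "654321", "monkey", "27653", "1qaz2wsx", "123321",
    "qwertyuiop", "superman", "asdfghjkl",
    "hallo", "passwort", "qwertz", "azerty", "motdepasse", "bonjour", "010203",
    "klaster", "juventus", "ciaociao", "marseille", "loulou", "doudou",
}

# Key positions (row, column) for the layouts the report mentions. Digits sit
# on row 0 of each so walks such as 1q2w3e4r and 1qaz2wsx cross into letters.
LAYOUTS = {
    "qwerty": ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"],
    "qwertz": ["1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm"],
    "azerty": ["1234567890", "azertyuiop", "qsdfghjklm", "wxcvbn"],
}
KEY_POS = {
    name: {ch: (r, c) for r, row in enumerate(rows) for c, ch in enumerate(row)}
    for name, rows in LAYOUTS.items()
}
DIGIT_RUN = "12345678901234567890"


def keyboard_walk_ratio(password: str) -> float:
    """Fraction of adjacent character pairs that are physically adjacent keys
    (horizontally, vertically or diagonally) on the best-fitting layout.
    Repeating the same key is not a step, so 'aaaa' is not a walk."""
    p = password.lower()
    if len(p) < 2:
        return 0.0
    best = 0.0
    for pos in KEY_POS.values():
        hits = 0
        for a, b in zip(p, p[1:]):
            if a != b and a in pos and b in pos:
                (r1, c1), (r2, c2) = pos[a], pos[b]
                if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                    hits += 1
        best = max(best, hits / (len(p) - 1))
    return best


def is_keyboard_walk(password: str) -> bool:
    # 0.75 tolerates the one jump in column walks like 1qaz2wsx (z -> 2)
    # while ordinary words such as "password" score well under it.
    return len(password) >= 4 and keyboard_walk_ratio(password) >= 0.75


def is_numeric_pattern(password: str) -> bool:
    """Increasing/decreasing digit runs, one repeated digit, a repeated short
    block (123123) or a mirrored block (123321)."""
    p = password
    if not p.isdigit() or len(p) < 3:
        return False
    if p in DIGIT_RUN or p in DIGIT_RUN[::-1] or len(set(p)) == 1:
        return True
    half = len(p) // 2
    return len(p) % 2 == 0 and p[:half] in (p[half:], p[half:][::-1])


def email_name_tokens(email: str) -> set[str]:
    """Name fragments from the local part: first.last@, first_last@, first@."""
    local = email.split("@", 1)[0].lower()
    return {t for t in re.split(r"[^a-z]+", local) if len(t) >= 3}


def assess_password(password: str, email: Optional[str] = None) -> list[str]:
    """Return the reasons a password should be rejected (empty means accept)."""
    reasons: list[str] = []
    p = password.lower()
    if len(p) < 8:
        reasons.append("shorter than 8 characters")
    stem = re.sub(r"[^a-z]+$", "", p)  # "hallo123" -> "hallo"
    if p in BLOCKLIST or (stem and stem in BLOCKLIST):
        reasons.append("in breach blocklist")
    if is_numeric_pattern(p):
        reasons.append("numeric pattern")
    if is_keyboard_walk(p):
        reasons.append("keyboard walk")
    if email:
        for tok in sorted(email_name_tokens(email)):
            if tok in p:
                reasons.append(f"contains name from email ({tok})")
                break
    return reasons


if __name__ == "__main__":
    for pw, mail in [("123456", None), ("1qaz2wsx", None), ("hallo123", None),
                     ("francesco2019", "francesco.rossi@example.com"),
                     ("correct-horse-battery", None)]:
        print(f"{pw:24} {assess_password(pw, mail) or 'ok'}")
```

The adjacency test is deliberately geometric rather than a list of known walks: “zaq12wsx”, “1q2w3e4r5t” and “azertyuiop” all score 1.0 without being enumerated, and “1qaz2wsx” passes the 0.75 bar because only the z-to-2 hop is a non-adjacent key. The email check explains the Italian finding: “francesco2019” survives every other rule and is still rejected once the address francesco.rossi@… is known.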

Germany – Top 20 Most Used Passwords

  1. 123456
  2. 123456789
  3. 12345678
  4. hallo123
  5. hallo
  6. 12345
  7. passwort
  8. lol123
  9. 1234
  10. 123
  11. qwertz
  12. ficken
  13. 1234567
  14. arschloch
  15. 1234567890
  16. 1q2w3e4r
  17. killer
  18. sommer
  19. schalke04
  20. dennis

The most common password pattern: German users show a preference for simple, easy-to-guess increasing numeric passwords, from “123” all the way to “1234567890”. Such passwords make up 8 of the German top 20 (40%).

Other password trends: The word “passwort” (“password”) and “hallo” (“hello”) are popular choices, and so are keyboard patterns using the German keyboard layout (e.g. “qwertz”).

France – Top 20 Most Used Passwords

  1. azerty
  2. marseille
  3. loulou
  4. 123456
  5. doudou
  6. 010203
  7. badoo
  8. azertyuiop
  9. soleil
  10. chouchou
  11. 123456789
  12. bonjour
  13. nicolas
  14. jetaime
  15. motdepasse
  16. alexandre
  17. chocolat
  18. coucou
  19. camille
  20. caramel

The most common password pattern: While the French version of “qwerty” – “azerty” – is number one, common French words and phrases requiring little to no translation – like “marseille”, “bonjour”, “jetaime”, “soleil”, or “chocolat” – are also very popular.

Other password trends: Increasing numeric patterns are notably less popular with French users than with the worldwide population. Only 3 out of the top 20 French passwords are numeric. This is likely because French keyboards require pressing Shift together with a number key to type a digit, rather than the number key alone.

Russia – Top 20 Most Used Passwords

  1. qwerty
  2. 123456
  3. qwertyuiop
  4. qwe123
  5. 123456789
  6. 111111
  7. klaster
  8. qweqwe
  9. 1qaz2wsx
  10. 1q2w3e4r
  11. qazwsx
  12. 1234567890
  13. 1234567
  14. 7777777
  15. 123321
  16. 1q2w3e
  17. 123qwe
  18. 1q2w3e4r5t
  19. zxcvbnm
  20. 123123

The most common password pattern: All of the top 20 Russian passwords are numbers and patterns, and many of them are different from worldwide trends. Russian users often choose diagonal keyboard patterns involving numbers and alphanumeric characters – for example, “1qaz2wsx” or “1q2w3e4r”.

Other password trends: Russian users are the least likely of the populations we analyzed to use meaningful words – in Russian or English – as passwords.

Italy – Top 20 Most Used Passwords

  1. 123456
  2. 123456789
  3. juventus
  4. password
  5. 12345678
  6. ciaociao
  7. francesca
  8. alessandro
  9. giuseppe
  10. martina
  11. francesco
  12. valentina
  13. qwertyuiop
  14. antonio
  15. stellina
  16. federico
  17. federica
  18. giovanni
  19. lorenzo
  20. asdasd

The most common password pattern: First names like “francesco”, “alessandro”, or “giuseppe” are the most popular password choices for Italian users. Such passwords are particularly insecure and easy to guess when used in combination with an email address containing the same first name – for example, [first_name]@[email_provider].com. Unfortunately, this practice is still very common.

Other password trends: This soccer-crazy nation has “juventus” as the #3 top password choice.

US – Top 20 Most Used Passwords

  1. password
  2. 123456
  3. 123456789
  4. 12345678
  5. 1234567
  6. password1
  7. 12345
  8. 1234567890
  9. 1234
  10. qwerty123
  11. qwertyuiop
  12. 1q2w3e4r
  13. 1qaz2wsx
  14. superman
  15. iloveyou
  16. qwerty1
  17. qwerty
  18. 123456a
  19. letmein
  20. football

The most common password pattern: US users are equally likely to use an increasing numeric pattern, keyboard pattern, or a common word or phrase as a password.

Other password trends: 25% of the US’s top 20 passwords contain “qwerty” as an exact or partial match.

Spain – Top 20 Most Used Passwords

  1. 123456
  2. 123456789
  3. 12345
  4. 12345678
  5. 111111
  6. 1234567890
  7. 000000
  8. 1234567
  9. barcelona
  10. 123456a
  11. 666666
  12. 654321
  13. 159159
  14. 123123
  15. realmadrid
  16. 555555
  17. mierda
  18. alejandro
  19. tequiero
  20. a123456

The most common password pattern: Spanish users show a preference for numeric patterns like German users do.

Other password trends: Out of the 5 common words in the top 20 list, 2 are the names of famous Spanish soccer teams (“barcelona” and “realmadrid”).

Top 20 Most Used Passwords for .edu Users

Students and faculty at university don’t typically regard their .edu email addresses as important, so they tend to create easy-to-guess passwords.

The 20 most common .edu passwords are:

  1. 123456
  2. password
  3. 123456789
  4. secret
  5. 12345
  6. password1
  7. football
  8. baseball
  9. 123123
  10. abc123
  11. soccer
  12. 1234
  13. qwerty
  14. sunshine
  15. basketball
  16. monkey
  17. ashley
  18. princess
  19. 12345678
  20. 1234567

The most common password pattern: Educational domain users are likely to choose common passwords – these passwords constitute 60% of the overall top 30 list.

Other password trends: .edu users often pick names of sports for their insecure passwords, and they are more likely to do so than any other category of users analyzed in this report. The increasing numeric passwords they use tend to be short – 6 out of the 8 numeric patterns on the list are under 8 characters long.

Analysis: The Most Used Word Patterns in Passwords

This section summarizes our analysis of commonly used word patterns within passwords. Numeric sequences (such as “123456” etc.) are excluded from this section’s analysis. (Note: We include numeric patterns in our analysis later on.)

Worldwide Trends

  • The word “password” was the most popular choice with worldwide users, as well as with .edu users and the US population. Its variations in other languages, such as “passwort” (German) or “motdepasse” (French), were also found in the top 20 for their respective country.
  • Also popular worldwide and across many countries are words like “angel”, “dragon”, and “superman” which are culturally relevant to a broad category of users.
  • Most European users (particularly Italian and Spanish) prefer using first names as passwords.
  • Russian users differ from the other populations in our study. They prefer keyboard patterns over meaningful words, even when using alphanumeric characters as passwords.

First Names in Passwords

The use of first names inside passwords is very common, especially first names that are included in email addresses — 4.19% of worldwide users do this. Italians (4.13%), Russians (3.79%), and Germans (2.51%) are the global populations most likely to use these extremely easy-to-hack passwords.

First Names + 123 Patterns in Passwords

A “123” pattern added either before or after the email address’s first name was observed in about 0.03% of the worldwide population’s passwords. While adding random numeric patterns to passwords is a great strategy, this simple pattern is far too common, making these kinds of passwords very easy for hackers to guess.

Famous People, Brands & Pop Culture Figures in Passwords

In our analysis of 9.3 million users worldwide, we frequently found pop culture and historic figures used either as part of a password or an exact match.

Not surprisingly, we found that cultural references influenced password choices quite heavily.

“Christ” and “Jesus” led the way with 7,432 and 7,414 respective mentions in passwords.

Three brands – “Google” (7,057 mentions), “Apple” (6,240), and “Samsung” (2,866) – also made it to the top 10.

The popular TV series “Friends” was another top choice with 4,289 mentions, while “Starwars” was used 2,237 times.

The popular sports figure “Ronaldo” was at the 10th spot with 1,265 mentions.

Hacker’s Top 10 Most Used Passwords List Explained

To put the findings of our report into perspective, we compared them with the top 10 list of the most used passwords that hackers and security researchers use when testing login security.

We used the following resources to create the Hacker’s Top 10 most used passwords list:

  • John The Ripper (password cracking program)
  • NMAP (network discovery tool)
  • Security researchers’ most used passwords lists (sourced from Github)
  • Honeypot credentials from real world attacks (sourced from Github)

Hacker’s Top 10 List of Most Used Passwords

  1. 123456
  2. password
  3. 12345678
  4. 1234567
  5. qwerty
  6. 654321
  7. 111111
  8. 123123
  9. 1234567890
  10. iloveyou

This comparison shows that, overall, the most insecure passwords to use across all countries and populations are “123456” and “12345678” – two of the most obvious, easiest-to-guess numeric patterns, which just meet the minimum 6 to 8 character password length requirement that most websites impose.

“123456” is #1 on the Hacker’s List for a reason – this password is THE most popular one worldwide (0.62% of 9.3M passwords analyzed). It also holds the:

  • #1 spot for .edu, Germany, Italy, and Spain users.
  • #2 spot for USA and Russia users.
  • #4 spot for France users.

Match Between Countries’ Top 10 and Hacker’s Top 10

Here’s how the 10 most common passwords in various populations matched the Hacker’s Top 10 list:

  • Worldwide – 80% match
  • USA, Spain – 50%
  • Italy, Russia – 33%
  • Germany – 25%
  • France – 10%

The overall password trends analyzed from worldwide users match up pretty well with this list, making the most used passwords in the world extremely prone to dictionary attacks. Those users in the US and Spain with these passwords are also extremely susceptible to hacks.

Additional Insights on Worldwide Password Trends

  • The Italian and US populations are the ones most likely to use first names and/or other words that are part of their email credentials in their passwords. Overall, up to 4% of users worldwide do this.
  • The Russian population uses keyboard patterns and numbers for their passwords more often than other populations we analyzed.
  • The phrase “iloveyou” in local languages is a popular choice for passwords.
  • Passwords like “111111”, “000000”, or “27653” (possibly spelling “broke” on the phone dialing pad) are more likely to be chosen when the user accesses a mobile site or an app from their phone.

How to Improve Password Strength

With hacking rates on the rise in 2020, most people become victims because they don’t create passwords that are unique, hard to guess, and secure. And that makes sense. Without a password manager, it’s impossible to remember hundreds of unique, challenging passwords for every single login.

5 tips for improving password strength:

  1. Don’t reuse passwords on any account.
  2. Use a password that is longer than 8 characters.
  3. Don’t include any words in your email address as part of your password.
  4. Always include numbers, capital letters, and special characters in passwords. But many passwords start with a capital letter and end with a number (often the current year). Don’t follow that pattern.
  5. Don’t include common names, common cities, or common cultural references.

Bonus tip: You can check your password strength using SafetyDetectives’s password strength analyzer.
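As an added example (not part of the original report or of any SafetyDetectives tool), the following Python checker turns the weak-password categories described in the analysis above and tips 2 and 3 into code: sequential or repetitive digits, keyboard walks on the QWERTY, AZERTY and QWERTZ layouts the report mentions, words taken from the user’s own email address (including the “first name + 123” variant), membership in the Hacker’s Top 10, and a helper that reproduces the top-10 overlap comparison. The keyboard rows and the sample email address are assumptions; the Hacker’s Top 10 is the list given above.

```python
import re

# Hacker's Top 10 list exactly as given on the page.
HACKER_TOP10 = {"123456", "password", "12345678", "1234567", "qwerty",
                "654321", "111111", "123123", "1234567890", "iloveyou"}
# Keyboard rows and diagonal walks for the layouts the page mentions (assumed, not page data).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",         # QWERTY (US / Russian)
                 "azertyuiop", "qsdfghjklm", "wxcvbn",          # AZERTY (France)
                 "qwertzuiop",                                  # QWERTZ (Germany)
                 "qazwsxedc", "1qaz2wsx3edc", "1q2w3e4r5t6y"]   # diagonals

def is_sequential_digits(pw):
    """Increasing (123456, 1234567890) or decreasing (654321) run of digits."""
    return pw.isdigit() and len(pw) >= 3 and (pw in "1234567890" or pw in "0987654321")

def is_repetitive(pw):
    """One repeated character (111111) or a repeated short block (123123, qweqwe)."""
    return any(len(pw) % n == 0 and pw == pw[:n] * (len(pw) // n)
               for n in range(1, len(pw) // 2 + 1))

def is_keyboard_pattern(pw, window=5):
    """True if any run of `window` characters walks along a keyboard row or diagonal."""
    low = pw.lower()
    return any(low[i:i + window] in row
               for row in KEYBOARD_ROWS for i in range(len(low) - window + 1))

def email_words(email):
    """Words of 3+ letters in the local part of an email ('francesco.rossi' -> both)."""
    local = email.split("@")[0].lower()
    return [w for w in re.split(r"[^a-z]+", local) if len(w) >= 3]

def classify(pw, email=""):
    """Return the weak-password categories from the report that `pw` falls into."""
    low = pw.lower()
    hits = [w for w in email_words(email) if w in low]                 # tip 3
    checks = [
        ("hacker_top10", low in HACKER_TOP10),
        ("sequential_digits", is_sequential_digits(pw)),
        ("repetitive", is_repetitive(pw)),
        ("keyboard_pattern", is_keyboard_pattern(pw)),
        ("email_word", bool(hits)),
        ("email_word_plus_123", any(low in (w + "123", "123" + w) for w in hits)),
        ("too_short", len(pw) <= 8),                                   # tip 2
    ]
    return [label for label, hit in checks if hit]

def hacker_top10_match(top10):
    """Share (0.0-1.0) of a population's top 10 that also appears on the Hacker's Top 10."""
    return len(HACKER_TOP10 & {p.lower() for p in top10[:10]}) / 10
```

Feeding the US and France top 10 lists from above into `hacker_top10_match` reproduces the 50% and 10% overlaps the report states; `classify("francesco123", "francesco.rossi@example.com")` flags both the email-word and the “+123” pattern.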

The best and easiest way to achieve all of these things is by using a password management system. A good password manager will create secure passwords for all of your accounts, autofill them when logging in, and have high levels of encryption so no one can steal your information. We recommend a low-cost premium password manager like Dashlane, but any of the best password managers on the market will guarantee your passwords are strong, secure, and protected.




Copyright © 2020 Inventrium Magazine
