Britons began using the word "vision" in their passwords after prime ministerial advisor Dominic Cummings was caught travelling across the country from his parents' farm in Durham to Barnard Castle "to test" his eyesight, according to research from Pen Test Partners (PTP).
Not only that but the words "covid", "corona" and “lockdown” all increased in popularity over time, according to the infosec biz.
"We have an in-house developed software product called Papa that is used by our consultants, as well as our customers, to perform password audits of Windows domains. Papa can identify base words that are used within an organisation, and see how that trend changes over time," PTP said in a post explaining its findings.
Standard test for eyesight as per Dominic Cummings: Taking your wife and four year old child on a full hour's drive to a castle, stopping at the "riverbank"...
Intriguingly, the use of the word "computer" in passwords declined substantially from peaks seen in October and November 2019, something PTP attributed to people associating the word with the desktop machines seen in their workplaces.
Meanwhile, passwords based on the word itself ("password") remained vastly more popular than other popular words this year, with PTP warning: "If you try "Password1" against every user on a large domain, there is a good chance you'd compromise a domain account. It's just that common a mistake."
Password hygiene is one of those reliable staples of infosec that never goes away. Earlier this year password manager firm Logmein reckoned that two-thirds of people simply recycle the same password or use variations on a basic theme (passw0rd, p4ssword, p455w0rd, etc), a finding that sits uneasily against the National Cyber Security Centre’s advice not to bother expiring users' passwords - though the spy agency offshoot's logic is that regular expiry of old passwords merely encourages users to recycle variations of the old one when setting a new one.
"Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts," said NCSC.
Otherwise, use of a password manager product to generate and store reasonably secure passwords is the standard industry advice. Failing that, NCSC advocates the three unique words method, as popularised by web comic XKCD.
Passwords themselves aren't much good without multi-factor authentication backing them up, though, as US president Donald Trump may or may not have learned earlier this year. Concerningly, though, some orgs still reckon passwords alone are sufficient for securing their networked kingdoms. ®