The holiday season is now in full swing, and many consumers are doing their shopping on their computers at work or, even more likely, on their smartphones. Cyber Monday has evolved from a single-day online shopping event into a much longer, integrated sales period that began with Black Friday or even earlier.
Moreover, many online retailers now offer deals year-round.
During the holiday season, however, there has been a trend among shoppers to use passwords that are all too easy to breach.
Researchers at cybersecurity provider Specops released a new study that found that, among 800 million compromised passwords, hundreds of thousands of users had chosen memorable, festive passwords.
Leave These Off the List
The most frequently used holiday-themed passwords were just one step above “1234” and “Password,” with words like “snow,” “noel,” “santa,” “xmas,” and “turkey” making the top ten. There was nothing to be “merry” (another word that was all too often used) about these choices.
Even some attempts at character substitution were a little too easy, with words like “Chr1stm@s” and “S@nt@” appearing on the list of passwords that could be cracked all too easily.
The question, of course, is why users are creating such obviously simple passwords.
The answer, said Darren James, senior product manager at Specops Software, is “because they’re set by people.”
James told ClearanceJobs via email that it shouldn’t be all that surprising and that, while there is no one to blame, it stems from holiday overwhelm.
“Most people can’t remember more than a handful of passwords, so they tend to choose simple, easy-to-remember ones,” James explained.
Holiday Shopping Complicates Matters
Indeed, consumers are increasingly shopping at a handful of large retailers, and honestly, who hasn’t made many of their purchases on sites like Amazon, eBay, Walmart, and Etsy? Yet there are plenty of specialized retailers that consumers may only visit during the holidays, so it seems logical that we’d see these common festive words used on those sites.
What makes matters worse is that research shows consumers tend to use the same festive passwords across many sites. The logic is often that, when visiting a site for one particular gift or specialty item with no plan to return, the password doesn’t need to be particularly strong.
The problem is that even if the password is unique to a site or two, any profile can reveal information that hackers and cybercriminals can use in other attacks, such as phishing schemes.
“There’s not much we can do directly to change that behavior apart from education,” said James.
The issue is likely to continue, in part because many consumers still don’t trust password managers, don’t like the “hassle” of multifactor authentication, and therefore will stick with seemingly easy-to-remember passwords.
“They also don’t think they’ll get hacked. It always happens to someone else, right? Wrong!” said James. “Unfortunately, we in security have to protect our users and our company from themselves. We do this by blocking company-related words, already-breached passwords, removing unnecessary complexity, and focusing instead on length (15+ characters), and continuously checking users’ passwords to make sure they haven’t become breached.”
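An added example, not from Specops or the original article: a minimal Python screen that applies the controls James lists (a 15-character floor, blocked words, a breached-password lookup) and undoes the character substitutions seen in “Chr1stm@s” and “S@nt@” before matching. The substitution map, the sample breached set, and the function names are assumptions constructed for illustration.

```python
import hashlib

# Festive base words named in the article.
FESTIVE_WORDS = {"snow", "noel", "santa", "xmas", "turkey", "merry", "christmas"}
MIN_LENGTH = 15  # length floor quoted in the article

# Assumed substitution map: folds common look-alike characters back to letters.
LEET = str.maketrans({"@": "a", "4": "a", "1": "i", "!": "i",
                      "3": "e", "0": "o", "$": "s", "5": "s", "7": "t"})

def digest(password):
    """Hash a candidate so the breached set never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a continuously updated breached-password database.
BREACHED = {digest(p) for p in ("Chr1stm@s", "S@nt@")}

def normalize(password):
    """Lowercase, undo substitutions, and keep letters only."""
    folded = password.lower().translate(LEET)
    return "".join(c for c in folded if c.isalpha())

def screen_password(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    folded = normalize(password)
    hits = sorted(w for w in FESTIVE_WORDS if w in folded)
    if hits:
        problems.append("blocked_word:" + ",".join(hits))
    if digest(password) in BREACHED:
        problems.append("breached")
    return problems

if __name__ == "__main__":
    for candidate in ("Chr1stm@s", "MerryXmasEveryone2024",
                      "violet-kettle-orbit-42-lamp"):
        print(candidate, "->", screen_password(candidate) or "ok")
```

Substring matching on short words such as “snow” will also reject unrelated passphrases that happen to contain them, which is the usual trade-off of a blocklist.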
It Is Up to IT to Monitor the Situation
Since consumers don’t seem to be learning the lesson, come the holidays it will be up to IT pros and cybersecurity experts to take the lead.
“What we can do is use a continuously updated database of known breached passwords, frequently scan against that database daily, and if a password is detected as breached, act on it. Don’t wait and become the next cybercrime headline on the news,” said James.
“On top of that, we need to enforce MFA wherever we can—easier said than done—use passkeys when they’re supported, and consider Zero Trust principles: ‘never trust, always verify,’” James continued. “That means making sure the devices users log in from are trusted and patched.”
This can ensure the Grinch, and cybercriminals, won’t steal Christmas!



