
Poor passwords still putting UK firms at risk

Poor password practices are still putting UK citizens and the companies they work for at risk, a survey reveals

Britons are still failing to protect online accounts from hackers with complex passwords, creating what could be a costly vulnerability for business, a study shows.

A survey by independent research agency Atomik Research found that nearly a quarter of more than 1,000 UK residents routinely use their name and date of birth as online passwords.

One in 10 respondents also admitted using just one or two different passwords for their online activities, according to the survey commissioned by Cyber Security Europe.

As a result, many are putting their personal and employers’ data at huge risk of being hacked due to the simplicity and low number of passwords they use.

Of particular concern to business is the finding that 60% of respondents admitted using only logins and passwords as their online security in their workplace.

In addition, despite a spate of high-profile attacks, only 16% of respondents believe that cyber security has become more of a focus in the workplace since the WannaCry ransomware attacks in May 2017.

Furthermore, 76% of respondents admitted that they have never updated their security details following a big data breach.

But the problem of poor password practices is not confined to the UK, as illustrated by a report on cyber security failings at financial services firm Equifax.


According to cyber security writer Brian Krebs, a week after Equifax revealed a data breach that exposed the personal details of 143 million US and 400,000 UK consumers, cyber security practices at the company’s Veraz business in Argentina were found to be poor.

Krebs reported that an online tool used by Veraz employees to manage credit report disputes could be accessed by typing “admin” as both a login and password, which he described as the “most easy-to-guess [login] password combination ever”.

Anyone using this combination could view the names, usernames, passwords and email addresses of more than 100 Equifax employees in Argentina, as well as add, modify or delete user accounts on the system.

Users of this simple login and password combination would also have had access to more than 14,000 records containing details of Argentinian consumers’ disputes, including their contact details and the local equivalent of social security numbers.


Bradley Maule-ffinch, director of strategy for Cyber Security Europe, said a surprising number of people still seem unaware of the threat posed to their personal and business information by using their name or date of birth as their passwords.

“Nowadays, this is far from being just a personal issue. We have seen a spate of prolific attacks and breaches this year alone and businesses must ensure that employees are educated about the basics such as password security,” he said.

With the advent of the internet of things (IoT), Maule-ffinch said the increasing number of people using their personal devices to connect to business networks presents an ever-growing threat.

“This could prove a costly vulnerability for organisations after the compliance deadline for the EU General Data Protection Regulation [GDPR],” he said.  

Maule-ffinch said the risks of identity theft and social engineering will be examined by social engineering expert Jenny Radcliffe and identity protection advocate Bennett Aaron at Cyber Security Europe in October 2017.
