Troy Hunt: ‘Messy’ Password Problem Isn’t Getting Better

Poor password hygiene continues to plague the security industry, Troy Hunt said during Infosecurity Europe.

LONDON, UK – The security world is facing a major issue that has led to widespread breaches, data exposure, and more – and it all stems from millions of insecure passwords used for everything from enterprise PCs to internet of things (IoT) devices.

Poor password hygiene – including reusing passwords or picking easy-to-guess ones – is greatly exacerbating many of the major issues that plague the cybersecurity landscape, said Troy Hunt, creator of Have I Been Pwned?, who spoke Thursday at the Infosecurity Europe conference.

Ultimately, “it all comes down to passwords,” said Hunt. “We see this over and over again with all sorts of security challenges that we come across.”

Passwords have been in use since the early 1960s, when MIT's time-sharing system first authenticated a user by comparing two strings: one stored in the system and one typed in by the user. Fast forward to today, and not much has changed in how passwords are used, said Hunt – and it's causing a slew of problems.

The main issue behind insecure passwords stems from human nature, said Hunt. When asked to create passwords, people often seek out the path of least resistance, which leads to passwords that they’ll remember – but which are insecure. That may include a name of a pet or birthday, which could easily be found by malicious actors through a quick online search.

Furthermore, even with the complexity rules introduced in the 1990s to strengthen passwords – such as forcing users to change passwords regularly and to include capital letters, numbers or special characters – many still choose the path of least resistance (such as changing Passw0rd! to Passw0rd1! when a rotation is demanded).

“We’re basing strength on math instead of human behavior,” said Hunt. “It’s human propensity to get around barriers.”

Another issue is that passwords are appearing left and right online as part of major data breaches – yet victims often don't change the exposed password on the other services where they reused it. The Collection #1 data dump, which included 773 million email addresses and their associated passwords, and the subsequent Collection #2-5 dumps, show exactly how many passwords are available – not just on the Dark Web, but posted publicly on the internet via outlets such as Twitter.

“If we had no password reuse, this would be an easy fix… passwords are a messy problem,” said Hunt.
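The two points above – that composition rules measure math rather than behaviour, and that a password already sitting in a public dump is compromised no matter how "complex" it looks – are easy to show side by side. The following is an added example, not code from the article or from Have I Been Pwned: it applies a typical 1990s-style complexity policy, then checks the same password against a small breach corpus using the same k-anonymity scheme the real Pwned Passwords range API uses (upper-case SHA-1, first 5 hex characters sent to the server, remaining 35 matched locally). The breach corpus, the simulated server-side index and the candidate passwords are all constructed for illustration.

```python
import hashlib
import string
from collections import Counter

# Constructed stand-in for a leaked credential list of the kind found in dumps
# such as Collection #1. These entries are invented for this example.
SAMPLE_BREACH_CORPUS = [
    "Passw0rd!", "Passw0rd!", "Passw0rd1!", "Passw0rd1!", "Passw0rd1!",
    "Fluffy2010", "Summer2019!", "qwerty123", "Passw0rd!",
]


def meets_complexity_policy(password: str, min_len: int = 8) -> bool:
    """A typical composition rule: minimum length plus four character classes.
    This measures the shape of the string, not whether anyone else uses it."""
    return (
        len(password) >= min_len
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest the way the Pwned Passwords
    range API does: 5-char prefix goes to the server, 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(corpus: list[str]) -> dict[str, dict[str, int]]:
    """Simulated server side (offline): index the corpus by hash prefix so one
    range query returns every suffix sharing that prefix plus its count."""
    index: dict[str, dict[str, int]] = {}
    for pw, count in Counter(corpus).items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index.setdefault(prefix, {})[suffix] = count
    return index


def range_query(index: dict[str, dict[str, int]], prefix: str) -> list[str]:
    """Simulated response body: 'SUFFIX:COUNT' lines, the shape the real API
    returns (the real service also adds padding entries; omitted here)."""
    return [f"{suffix}:{count}" for suffix, count in index.get(prefix, {}).items()]


def pwned_count(password: str, index: dict[str, dict[str, int]]) -> int:
    """Client side: reveal only the 5-char prefix, then match the full suffix
    locally. The server never learns which suffix (if any) we were after."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_query(index, prefix):
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def evaluate(password: str, index: dict[str, dict[str, int]]) -> dict:
    """Policy verdict next to breach-corpus verdict for one candidate password."""
    return {
        "meets_policy": meets_complexity_policy(password),
        "times_breached": pwned_count(password, index),
    }


if __name__ == "__main__":
    index = build_range_index(SAMPLE_BREACH_CORPUS)
    for candidate in ["Passw0rd1!", "Passw0rd!", "correct horse battery staple"]:
        print(candidate, evaluate(candidate, index))
```

Passw0rd1! satisfies every composition rule and still appears three times in the sample corpus; the long lower-case passphrase fails the policy and has never been seen. That inversion is the point Hunt is making: a breach-corpus check catches what a character-class rule cannot, and the k-anonymity split lets a site run that check without sending the candidate password, or even its full hash, to a third party.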

IoT devices are also insecure, often shipping with default credentials – an issue that has impacted Huawei routers and Guardzilla devices.

These issues across the industry are also coming at a time when it is easier than ever for cybercriminals to harvest credentials. The barrier to entry for cybercrime is being lowered – particularly for the younger generation, which may lack the moral compass to understand the rules of online behavior, said Hunt. That, coupled with the scores of tutorial videos available online offering lessons in how to launch attacks such as SQL injection, is compounding the risk that weak passwords pose.

Looking forward, passwords aren’t going anywhere, said Hunt — in fact, despite the many solutions being introduced by vendors claiming to “solve” the password issue, or even completely eliminate passwords, the number of passwords will continue to increase in the future.

“As bad as it is security-wise, everyone knows how to use passwords,” he said.
