Most hacked passwords revealed as UK Cyber Survey exposes gaps in online security

Brits have been urged to apply steps to stay safe online after results of the UK Cyber Survey exposed exploitable gaps in their personal security knowledge. The polling was independently carried out by Ipsos MORI on behalf of the National Cyber Security Centre (NCSC) – itself a part of GCHQ – and the Department for Digital, Culture, Media and Sport (DCMS). Released ahead of the NCSC’s CYBERUK 2019 Conference in Glasgow on 24-25 April, the findings will inform Government policy and the guidance offered to organisations and the public.

The Cyber Summit will see a range of sessions delivered by industry, academia and Government, including a Keynote speech by Cabinet Office Minister David Lidington.

Among the results of the survey – which have been published in full on www.ncsc.gov.uk and which involved 2,500-plus respondents aged 16+, as well as businesses and charities, who were surveyed from late November 2018 to January this year – are that:

*Only 15% of respondents say they know a great deal about how to protect themselves from harmful activity online

*The most regular concern is money being stolen, with 42% feeling it likely to happen by 2021

*89% use the Internet to make online purchases, with 39% doing so on a weekly basis

*One-in-three rely to some extent on friends and family for help on cyber security

*Young people are more likely to be privacy conscious and careful of what details they share online

*61% of Internet users check social media daily, but 21% report they never look at social media

*70% always use PINs and passwords for smart phones and tablets

*Less than half of respondents don’t always use a strong and separate password for their main e-mail account

The NCSC has also published a separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches. The results show that a huge number of regularly used passwords have been breached to access sensitive information.

Password re-use “a major risk”

Dr Ian Levy, technical director at the NCSC, said: “We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make them much less vulnerable. Password re-use is a major risk that can be avoided. Nobody should protect sensitive data with something that can be guessed, like their first name, their local football team or their favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random, but memorable words. Be creative and use words memorable to you so that criminals cannot guess your password.”

Margot James, the Government’s Digital and Creative Industries Minister, added: “Cyber security is a serious issue, but there are some simple actions everyone can take to better protect themselves against hackers. We shouldn’t make the criminals’ lives easy. Choosing a strong and separate password for e-mail accounts is a great practical step. Cyber breaches can cause huge financial and emotional heartache through the theft or loss of data. This is something which we should all endeavour to prevent.”

David Lidington, Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, observed: “Given the growing global threat from cyber attacks, these findings underline the importance of using strong passwords at home and at work. This is a message we look forward to building on at the CYBERUK Conference 2019. It’s an event that reaffirms our commitment to make Britain both the safest place in the world to be online and the best place in which to run a digital business.”

Awareness of the threat

The NCSC hopes to reduce the risk of further breaches by building awareness of how attackers use easy-to-guess passwords, or those obtained from breaches, and by helping to guide developers and system administrators alike to protect their users.

The compromised passwords were obtained from global breaches that are already in the public domain, having been sold or shared by hackers. The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by international web security expert Troy Hunt. The website allows people to check if they have an account that has been compromised in a data breach.

Hunt explained: “Making good password choices is the single biggest control consumers have over their own personal security posture. We typically haven’t done a very good job of that, either as individuals or as the organisations asking us to register with them. Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people to create a more secure online presence.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.