On the 14th of May, Mr Stephen Orfei, General Manager at the PCI Security Standards Council, presented to the United States House of Representatives Financial Services Committee hearing.
You can watch edited highlights on video here:
And there are lots of reasons to do so: Mr Orfei spoke clearly and concisely, and the messages hit home.
One comment stood out to me. In his opening remarks Mr Orfei said:
“The end game is to devalue [customer card] data so it’s useless in the hands of criminals. Simply put, if you don’t need it, don’t store it. If it’s needed, protect it and reduce the [opportunities] for criminals to steal it.”
“Our community of over 1000 of the world’s leading businesses tackle data security challenges from simple issues - for example the word password is still the most commonly used password - to more complex issues like encryption.”
It seems astonishing that in 2015, we’re not more aware of the importance of a secure password, particularly in business and point of sale environments. It’s a serious point and plays to the main thrust of Mr Orfei’s argument throughout his deposition:
“It’s a question of vigilance… the physical and logical security… It’s about moving away from compliance to a risk based approach.”
If many of us are still using ‘password’ then it’s clear we’re not grasping the concept of data security. But what does it take to hit the statistics as a top 10 password? Are we really learning no lessons?
The statistics on the most popular passwords are generated from data sets, and by the very nature of the information these are not comprehensive. Companies will not hand over all of their users’ passwords, so the passwords we do know about are usually taken from publicly leaked password lists, and this skews what we’re looking at. By its very nature, data that has been stolen and then leaked was not the most securely handled data in the first place.
Actually, according to Mark Burnett, a security consultant who works on the most popular passwords list for SplashData, the number of times a particular password has to appear within the data to make it into the top 10 is decreasing year on year.
“In 2014, all it takes for a password to get on the top 1,000 list is to be used by just 0.0044% of all users.”
He adds that:
“In 2011 my analysis showed that 8.5% had the passwords ‘password’ or ‘123456’. In 2014 this number has gone down to less than 1%”
So, ‘password’ may still be the second most used password in the world within leaked data sets; however, it does seem that we are starting to learn the lessons which Mr Orfei is trying to teach us: ‘password’ may still be in the top 10, but it’s getting there with far fewer instances. It’s a bit like the music charts – it’s just easier to get to number one these days, and our tastes in passwords, as well as music, are starting to broaden.
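To make that skew concrete, here is an added Python example (not from the post, and not SplashData's or Mark Burnett's method) run over two constructed password dumps: it ranks passwords, computes the share of entries a password needs to reach a given rank, and shows a frequency-derived blocklist check a defender can apply at password-change time. The dump contents and the 0.1% cutoff are assumptions chosen so the figures echo the 8.5% and under-1% quoted above.

```python
from collections import Counter

# Constructed sample password dumps (not real breach data). CONCENTRATED mimics an
# older leaked set where a handful of passwords dominate; DIVERSE mimics a newer set
# where the same favourites still top the chart but account for far fewer entries.
CONCENTRATED = (["password"] * 50 + ["123456"] * 35 + ["qwerty"] * 10
                + [f"user{i}" for i in range(905)])
DIVERSE = (["password"] * 6 + ["123456"] * 3 + ["qwerty"] * 2
           + [f"user{i}" for i in range(989)])


def top_n(passwords, n):
    """Most common n passwords as (password, count, share of all entries)."""
    counts = Counter(passwords)
    total = len(passwords)
    return [(pw, c, c / total) for pw, c in counts.most_common(n)]


def rank_threshold(passwords, rank):
    """Share of entries a password needs to hold position `rank` (1-based) in this set.
    This is the figure that falls as a leaked set becomes more diverse."""
    ranked = Counter(passwords).most_common()
    if rank > len(ranked):
        return 0.0
    return ranked[rank - 1][1] / len(passwords)


def share_of(passwords, targets):
    """Fraction of entries that use any of the given passwords."""
    counts = Counter(passwords)
    return sum(counts[t] for t in targets) / len(passwords)


def is_too_common(candidate, reference, max_share=0.001):
    """Defender-side check: reject a candidate whose share in the reference dump exceeds
    max_share (assumed 0.1%), so the blocklist follows frequency rather than a fixed list."""
    return share_of(reference, [candidate]) > max_share


if __name__ == "__main__":
    for label, data in (("concentrated", CONCENTRATED), ("diverse", DIVERSE)):
        print(f"{label}: top 3 = {top_n(data, 3)}")
        print(f"  share needed for #3: {rank_threshold(data, 3):.4%}")
        print(f"  'password' + '123456': {share_of(data, ['password', '123456']):.2%}")
    print("reject 'password'?", is_too_common("password", DIVERSE))
```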
For more information on the top password list and how it’s created, see: