What password would you use for a bank account soon to be worth $120 million?
For James Bond, the answer was simply his coworker’s name, with no two-factor authentication. In the 2006 remake Casino Royale, Bond chooses the alphanumeric form of his government colleague, Vesper, to type in the keypad (the entry comes out to “837737”). With all the Bond plotlines that revolve around cybersecurity and hackers, letting an entire room full of criminals watch you create a six digit PIN code for a nine-figure bank account seems especially lazy.
Contrast Casino Royale’s weak password plot line with another remake, 2015’s Mad Max: when Furiosa gives Max the combination to the secret kill switch of her post-apocalyptic semi truck, the War Rig, it’s clear she isn’t messing around with her codes. The password sequence of hidden switches she uses to start the vehicle (“one, one-two, one, red, black, go”) looks potentially more complicated than the keycode to Bond’s $120 million account - and has the added bonus of not being an easy-to-guess friend’s name.
There’s a reason we’re still talking about bad passwords: despite investment in cybersecurity solutions that may exceed $1 trillion in the coming years, enterprises are plagued by extremely weak, shared and compromised passwords. Last month, we released research finding that nearly one in three organizations had exposed passwords in Active Directory Group Policy Preferences, opening them up for compromise through the ability of hackers to laterally move across the enterprise network. Weak passwords are similarly rampant: Preempt has created a dictionary of more than 10 million of the most common passwords, and this dictionary was previously able to crack 35 percent of breached LinkedIn passwords. (To test your organization’s password strength, try our free-to-use Preempt Inspector App.)
Our research finds that the majority of organizations (72 percent) have stealthy admins, essentially normal users who may have privileges that they shouldn’t. Combined with the fact that some of these stealthy admins may also have weak or exposed passwords, the status quo is, to say the least, concerning. Strong passwords are one of the most straightforward ways to protect against malicious activity and targeted attacks. Consider that the health records of Singapore’s Prime Minister, along with 1.5 million other sensitive records, were compromised due to a local administrator using the password “P@ssw0rd.” In 2017, researchers found Equifax had used the password “admin” to protect sensitive data (though this revelation was surprisingly unrelated to the monster breach that affected more than 140 million Americans).
Given the widespread issue of weak passwords, how is popular culture setting an example for the rest of us? Well, let’s take a look at the Good, the Bad, and the Ugly.
In Ocean’s Thirteen, the gang uses compromised slot machines as part of a complicated plot to bankrupt a casino run by their rival. How would you activate the hacked slot machine to get a jackpot? It wouldn’t be easy for a casual player to figure out: “Coin, three count. Coin, six count. Three coins, five count. Two coins, half count.” And that’s just the first of three sequences.
“It’s an older code, but it checks out.” In Star Wars: Return of the Jedi, the Death Star allows Luke, Han Solo, and their crew of rebels to land on the moon Endor after they give a dated password. There’s not enough detail on the password itself to offer a detailed analysis, but given how this worked out for the fate of the Death Star, we’ll rank the code as bad - and outdated.
“Swordfish.” Somehow, this kind of password has been used for nearly 90 years in movies, games, and TV shows ranging from Scooby Doo to the Matrix video game. In 2001, the movie Swordfish uses the word “swordfish” as the name of a secretive government program AND the password itself.
TV shows, movies, and video games seem to take a lot of heat (fairly or not) for contributing to a mixed bag of societal problems. When setting your passwords, make sure to take your cues from movies like Ocean’s Thirteen’s Livingston Dell and Mad Max’s Furiosa - rather than examples like James Bond using his coworker’s name as the only password for $120 million in gambling winnings. Kanye’s infamous “000000” iPhone password, typed in full view of White House press cameras, comes to mind.Concerned about your organization being vulnerable due to exposed passwords? Try our free-to-download Preempt Inspector App. Not only can you check your organization’s password policies and uncover weak and shared passwords, it will also find stealthy administrators and other factors in order to decrease your company’s risk of a credential compromise.