
NCSC urges better online security practices

UK cyber security agency is urging citizens to improve online safety and password security after research reveals most-hacked passwords and a survey exposes gaps in online security

The UK government is calling on citizens to take steps to stay safe online after the first UK Cyber Survey revealed exploitable gaps in personal security knowledge and poor online habits.

Only 15% of more than 2,500 people polled said they know a great deal about how to protect themselves from harmful activity and 30% said they have little or no knowledge, despite 61% checking social media daily and 89% using the internet to make online purchases, with 39% doing so every week.  

The most common concern is money being stolen, with 51% of respondents saying they think about this a lot and 42% feeling it is likely to happen by 2021, according to the independent survey by Ipsos MORI commissioned by the National Cyber Security Centre (NCSC), a part of GCHQ, and the Department for Digital, Media and Sport (DCMS).

Just over 60% said they are worried about becoming a victim of cyber crime, and 12% said they feared having information stolen and a ransom demanded. Just over half (51%) felt that apps being accessed without consent would have a big personal impact, and 91% felt having money stolen without reimbursement would have a big impact.

Other top online concerns are protecting personal privacy (51%), protecting friends and family (38%), avoiding embarrassment (23%) and losing photos (19%).

The survey showed that one-third of respondents rely to some extent on friends and family for help on cyber security, with younger users more likely to be privacy conscious and careful of what details they share online.

Almost one-third (30%) do not always use passcodes and passwords for smartphones and tablets, and 45% do not always use a strong, separate password for their main email account, with 10% saying they never do.

A worrying 91% admitted that they use the same password across two or more online accounts, 93% share passwords, 92% do not change passwords regularly, 98% do not use two-factor or multifactor authentication, 98% do not use a password manager, and 97% write down passwords.

Only 3% said they back up their data, just 2% said they install the latest software and app updates, and only 5% use antivirus software.

The findings, released ahead of the NCSC’s CyberUK 2019 conference in Glasgow, will inform government policy and the guidance offered to organisations and the public.

This year’s cyber summit, which will focus on cyber threats directed at individuals rather than companies or organisations and ways of improving personal cyber security, will see a range of sessions delivered by industry, academia and government.

Alongside the UK Cyber Survey, the NCSC has published separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches.

The results show a huge number of regularly used passwords breached to access sensitive information. The most used is “123456”, of which 23.2 million instances were found, followed by “123456789” (7.7 million), “qwerty” (3.8 million) and “password” (3.6 million).

The most popular password types are names, with “Ashley” topping the list in this category with 423,276 instances; Premier League football teams, with “Liverpool” being most used (280,723); musicians, with “blink182” most used (285,706); and fictional characters, with “Superman” being the most popular (333,139).

NCSC technical director Ian Levy said: “We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.

“Password re-use is a major risk that can be avoided. Nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

Digital minister Margot James said: “Cyber security is a serious issue, but there are some simple actions everyone can take to better protect against hackers.

“We shouldn’t make their lives easy, so choosing a strong and separate password for your email account is a great practical step.

“Cyber breaches can cause huge financial and emotional heartache through theft or loss of data, which we should all endeavour to prevent.”

David Lidington, minister for the Cabinet Office, said: “Given the growing global threat from cyber attacks, these findings underline the importance of using strong passwords at home and at work. 

“This is a message we look forward to building on at CyberUK 2019, an event that reaffirms our commitment to make Britain both the safest place in the world to be online and the best place to run a digital business.”

The compromised passwords used in the newly published analysis were obtained from global breaches that are already in the public domain, having been sold or shared by hackers.

The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by international web security expert Troy Hunt. The website allows people to check whether they have an account that has been compromised in a data breach.

“Making good password choices is the single biggest control that consumers have over their own personal security posture,” said Hunt.

“We typically haven’t done a very good job of that either, as individuals or as the organisations asking us to register with them.

“Recognising the passwords that are most likely to result in a successful account takeover is an important first step in helping people create a more secure online presence.”

The NCSC said it aims to reduce the risk of further breaches by building awareness of how attackers use easy-to-guess passwords, or those obtained from breaches, to help guide developers and system administrators to protect their users.

The government has also published guidelines on how internet users can improve personal safety online as part of its Cyber Aware campaign.
