Are your employees using one of the 10 worst passwords in transportation?

A password is often the first, and many times the only, line of defense a trucking company's critical systems has from would-be hackers, making password selection critical. It can go one of two ways: pick something easy to remember or something difficult to guess. It's the equivalent of closing a front door or a screen door. 

According to research conducted by password manager NordPass, some of the biggest companies in transportation and logistics favor passwords that expose billions of dollars in lost productivity to internet pirates. While cybersecurity experts repeatedly urge businesses to take better care of corporate accounts, passwords such as “password” and “123456” still make it to the top of the list.

“On one hand, it is a paradox that the wealthiest companies on the planet with financial resources to invest in cybersecurity fall into the poor password trap," said NordPass CEO Jonas Karklys. On the other hand, it is only natural because internet users have deep-rooted unhealthy password habits. This research once again proves that we should all speed up in transitioning to alternative online authentication solutions."

Nearly one-third of all businesses’ passwords tracked by NordPass reference the company in some way; the company name, part of it, the email domain, or the company’s product. These passwords comprise over half of the transportation and logistics list.

Antwan Banks, director of enterprise security for the National Motor Freight Traffic Association (NMFTA), said through his involvement with penetration testing and vulnerability assessment, the top password variations he's observed include a company name + year using special charters, e.g. Nmft@2023 and company name + season using special charters, which allows users to meet internal 90-day change requirements, e.g. Nmft@W1nter.

Karklys called passwords of this type "both poor and dangerous to use," because when breaking into company accounts, hackers try all the password combinations referencing a company because they are aware of how common they are. "Employees often avoid creating complicated passwords, especially for shared accounts," he said. "Therefore, they end up choosing something as basic as the company’s name." 

Banks said he's also seen and advises against the use of seasons + year using special charters, e.g. W1nter2023 or $pring2023 and local sports teams with special charters, e.g. F@lcon$2023 or H@wk$2023 or Br@ve$2023.

10 most used passwords in the transportation and logistics

1. company name
2. password
3. 123456
4. company’s email domain.com
5. aaron431
6. company name01
7. company name123
8. xxxcompany name
9. Company name123
10. company’s email domain.com

Fleets share tips on password selection 

CCJ reached out to several fleets to inquire about best practices for its employees' password selection. For the sake of their corporate security, they provided tips and guidelines anonymously. 

  • passwords must contain 10 or more characters
  • cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • contain characters from three of the following four categories (English uppercase characters (A through Z); English lowercase characters (a through z); numbers (0 through 9); special characters (!, $, #, %, etc))
  • passwords expire in 90 days
  • four unique passwords must be used before an old password can be re-used
  • encourage the use of pass-phrases as a password

"Our TMS system is on-premises, so to access the server there is two-step authentication and the password has to have a certain number of characters – alpha and numeric – at least one cap," said a fleet manager with a 40-plus truck carrier. "Passwords have to changed on a regular basis (two times a year) and old passwords cannot be reused. Once the user is on the company servers, then to access the TMS, the executable has to be loaded on the workstation. A password is required but there are no requirements for that password."

Passwords for the fleet's telematics system do not have any special requirements but drivers and users have to be provisioned on the account to get access.

"If the username and password are compromised there is not a financial risk or risk of access to company systems since it is an external system [with] tightly controlled links," the fleet manager said. "The drivers' logs could be compromised and the password could be changed but there is no personal information that would be compromised. The VIN of the truck would be compromised, so the risk is minimal."

Angel Coker is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine. Reach her at AngelCoker@randallreilly.com.

Jason Cannon has written about trucking and transportation for more than a decade and serves as Chief Editor of Commercial Carrier Journal. A Class A CDL holder, Jason is a graduate of the Porsche Sport Driving School, an honorary Duckmaster at The Peabody in Memphis, Tennessee, and a purple belt in Brazilian jiu jitsu. Reach him at jasoncannon@randallreilly.com.