You’ve just signed up for a new online service and the account is prompting you to create a secure password that meets X, Y, and Z requirements. So you start to enter your password – perhaps it’s your favorite one or a close version of it. As you type the password, the account displays a ‘progress bar’ in red, orange or green – telling you whether your password is strong or weak.
How does it know? It knows because there is a vast amount of information available on what constitutes a strong password. There’s similar information on what makes a weak one. Unfortunately, if the good guys know this, so too do the bad ones.
We thought we’d take a look at some traditional password creation practices that you might want to avoid from now on.
Is Your Password Like a Fish in a Barrel?
You would hope that your password would be tough to crack, but research into hundreds of data breaches shows that in many cases, it is just that easy. The majority of passwords are easy for hackers to crack nowadays. There are many reasons, but there’s one big one — password fatigue.
How many logins do you have? The average business user has 191 passwords. That’s 191 services that require a username and password. Due to sheer volume, users tend to fall back on a few favorite password conventions — or even passwords — for all services. That’s a gift to hackers.
Let’s say you use a variant of the account’s name as a password. For example, you may choose MyF@ceb00k! for Facebook. Or maybe you use a combination of your family birth dates. Or perhaps RedSox2004 to commemorate the year your favorite team broke the curse of the Bambino.
You might think your password is pretty random, and might never be guessed—but you’d be wrong. Here are four types of password mistakes that a hacker is going to have a super easy time exploiting.
Mistake #1: Use a word or common character sequence
There are billions of passwords out in the wild. Literally billions. They were released onto the internet by data breaches, stored in unsecured S3 buckets, and accidentally stored in paste bins. There are passwords everywhere out there. They may no longer access anything, but that doesn’t mean they’re not useful.
An analysis of about 15 million passwords by WordPress showed that people frequently used common formulaic approaches in creating their passwords. Here are some typical password categories they found, together with the top 3 most frequent passwords in each category:
- Base phrase (word or sequence): password, qwerty, dragon
- Noun: master, football, killer
- Verb: welcome, enter, please
- Color: red, blue, black
- Animal: fish, bear, monkey
- Fruit: apple, orange, banana
- Superhero: batman, superman, ironman
- Day of the week: Friday, Monday, Sunday
- ‘I Love …’: iloveyou, iloveU, iloves*x
- ‘My …’: mylove, mypass, myself
They also found that given names (John, David, Mark) were frequently found in both usernames and the related passwords.
Notice that base phrases are not always dictionary words. Computer keyboard and smartphone patterns are also popular. A quick glance at your computer keyboard will demonstrate why sequences such as qwerty, asdfgdh, and qazwsx pop up with regularity. And checking adgjmptw on your phone dial pad reveals that it’s the same as pressing the keys 1 through 8.
People are predictable in their choices of base phrases. A 2015 Global Security Report by Trustwave reported on common keywords they had found during penetration testing of over 440,000 corporate client user accounts. Nearly 10% of the passwords that they had cracked contained names found in the list of the Top 2,000 Baby Names, while nearly 5% contained the names of U.S. cities.
So, what’s wrong with that?
Given that hackers know these formulaic approaches, they can employ a dictionary attack — feeding word lists into tools like HashCat to crack a password. Using today’s high-powered graphics processing unit (GPU) chips, HashCat reportedly can easily make over a quarter of a million password guesses per second. Of course, these rates depend on the equipment used and the length of the password, but with a supercomputer, there can be hundreds of billions of guesses per second. At these speeds, it would not take long to cycle through a list of all 10 million or so of those leaked passwords.
Using knowledge of end-user demographics and password creation habits, hackers are able to focus their efforts on the most likely passwords—drastically reducing the amount of time it takes them to crack your password.
Mistake #2: Capitalize the first letter
In 2015, researchers at Carnegie Mellon University asked 49 study participants to create passwords for three separate online services — a news site, a bank, and an email service. You can read their findings in excruciating detail. Here’s what they found. When a letter was the first character of the password, people tended to capitalize it. Whether they realized it or not, they were applying the rules of English grammar. That simple step has just made the hacker’s job easier by an order of magnitude.
So, what’s wrong with that?
The length of the password is important, but so is the range of characters used. For example, a five-character alphabetic password with just lower case letters has nearly 12 million possible combinations (26^5). Make it upper and lower case and it goes to over 380 million (52^5). If the hacker is pretty certain that the first character will be uppercase, then he or she has cut in half the maximum number of guesses they need to make in order to hack into your account.
Mistake #3: Add a number at the end
Carnegie Mellon researchers also noticed that some subjects were likely to reuse strings of characters from one password to the next. They didn’t use the same password, but it was close. The study participants added a number to a base phrase in the belief that this would make it more secure.
Unfortunately, many people share this same mistaken belief. In the analysis of those 10 million leaked passwords, 420,000 of them ended with a number between 0 and 99. The number 1 was the most common, chosen by over 20% of the people. Other popular choices were 2, 3, 5, 7, and 12. Interestingly, the use of 3, 5, and 7 may support people’s natural bias towards prime numbers.
So, what’s wrong with that?
Appending a number might make a password a little stronger, but not against a smart hacker. You’re making it easier for them. For starters, hackers are expecting numbers to be there for some portion of the accounts. They also have a pretty good idea of what numbers you’re likely to choose. If hackers have access to additional personal information — like your date of birth or those of your kids — then they’ll fold those into their mix and try them as well.
If you’d like to see an example of a brute force — and then dictionary — attack on a PDF password, then check out the article Cracking My First Password. In this case, the ‘white hat’ hacker was the user’s father. He knew her social security number and date of birth. He also knew that the password was all numeric with a format of date of birth followed by the last 4 digits of the SS number — MMDDYYYY9999. He was able to crack the password and found that his daughter’s employer had her social security number wrong.
Mistake #4: Throw in a “special character”
Another user password habit is to use special characters in the password. Special characters are a great way to strengthen a password. Just keep them out of common positions. For instance, many people will simply throw a special character at the end of a favorite password base — like turning NYGiants into NYGiants$.
A further step is a trick known as ‘munging’. That’s where you substitute a special character for similarly shaped characters. With munging, you turn the word “Crackable” into “Cr@ck@b13”.
So, what’s wrong with that?
Again, these approaches are not necessarily bad. The use of special characters can increase the complexity and security of a password, but if the underlying base is a dictionary word, then the password is toast. For example, in the WordPress study we mentioned earlier, the password s3ash311 (a munged version of seashell) was cracked in 2.5 seconds.
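As an added illustration (not code from the original article), the Python below sketches how a strength meter like the ‘progress bar’ mentioned at the top could score the four mistakes: it does the Mistake #2 keyspace arithmetic and recovers a dictionary base word by undoing a trailing symbol, a trailing number and munging, the same way a rule-based cracker would. The word list, symbol map and guess rate are constructed stand-ins (the rate is the article’s quarter-million-per-second figure).

```python
"""Toy strength meter modelling the four password mistakes discussed above."""
import re

# Constructed stand-in for the multi-million-entry leaked-password lists.
COMMON_WORDS = {"password", "qwerty", "dragon", "football", "seashell",
                "nygiants", "crackable", "iloveyou", "redsox", "deliberation"}
# Reverse "munging": the symbol or digit people substitute for a letter.
UNMUNGE = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l",
                         "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})
MUNGEABLE = set("aeilost")      # letters that have a common substitution
GUESSES_PER_SEC = 250_000       # hashcat-on-a-GPU rate quoted in the article

def alpha_keyspace(length, mixed_case=True, first_upper_known=False):
    """Brute-force space for an all-letter password (the Mistake #2 arithmetic)."""
    if not mixed_case:
        return 26 ** length
    # Knowing the first character is uppercase leaves 26 choices there, not 52.
    return (26 if first_upper_known else 52) * 52 ** (length - 1)

def find_base(password):
    """Return (base_word, suffix) if the password is a dressed-up dictionary word.

    Tries the password as-is, then without a trailing symbol (Mistake #4),
    then without a trailing number (Mistake #3); each candidate is un-munged
    and lower-cased (Mistake #2) before the dictionary lookup.
    """
    no_symbol = password.rstrip("!@#$%^&*?")
    for cand in (password, no_symbol, re.sub(r"\d{1,4}$", "", no_symbol)):
        word = cand.translate(UNMUNGE).lower()
        if cand and word in COMMON_WORDS:
            return word, password[len(cand):]
    return None, ""

def estimate_guesses(password):
    """Guesses a cracker needs: dictionary x mangling rules, or the full keyspace."""
    word, suffix = find_base(password)
    if word is None:   # no common base: assume a brute-force over the observed charset
        classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]
        charset = sum(n for pat, n in classes if re.search(pat, password))
        return charset ** len(password)
    guesses = len(COMMON_WORDS) * 2                       # each word, first letter upper/lower
    guesses *= 2 ** sum(c in MUNGEABLE for c in word)     # each mungeable letter swapped or not
    digits = re.search(r"\d+", suffix)
    guesses *= 10 ** len(digits.group()) if digits else 1  # trailing number choices
    guesses *= 9 if re.search(r"[^A-Za-z0-9]", suffix) else 1  # trailing symbol choices
    return guesses

def seconds_to_crack(password):
    """Wall-clock estimate at the article's quoted guess rate."""
    return estimate_guesses(password) / GUESSES_PER_SEC
```

Run it on Cr@ck@b13 or s3ash311 and the estimate collapses to a few hundred or thousand guesses, a fraction of a second at the quoted rate, while a phrase with no dictionary base falls back to the full charset keyspace.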
A Safer Way
Keeping your information and identity secure is an ongoing and constant battle. As a user, you can do your bit, by creating and regularly changing your set of passwords. The bad guys are armed with leading-edge technology and techniques and they will exploit any weakness (and user laziness) in a bid to narrow the number of password guesses they need to try in their attack.
In general, the longer your password, the more difficult it will be to crack. But long passwords—such as Likelihood4 or Deliberation9—will not be of much use, since they are slight variants of standard dictionary words. So try to think of a phrase or string of words as your password base. Stay away from family names or birthdays, local sports teams, popular songs, movies, or TV shows, and the like. Don’t use anything that a hacker might infer from knowing who you are, where you live, which schools you go to, or your employer. Be unpredictable and cryptic. Then you can add numbers and/or ‘munge’ to add complexity.
It’s frequently said that the weakest component in any security system is the human. If you’re a system or network administrator, then you know that getting your users to follow security best practices is a major headache. Training can help. You could start by requiring users to take CBT Nuggets’ Workforce Security Awareness training.
For personal or business use, if fragile passwords are an issue, then you might consider implementing a password manager. These can generate, store and manage complex, random, and — hopefully — unbreakable passwords for all accounts.
For the protection of your business systems and cloud services, look at multi-factor authentication capabilities to verify each user’s identity by using their password combined with other factors, such as email confirmation, or secure key code.
Typically, CBT Nuggets courses cover passwords, identity, and authentication as related to a particular technology or cloud service. Examples include:
Whatever technology you’re working on, be sure to check CBT Nuggets training.