Will We Ever Learn?
From the other side of the pond, Dojo, a London-based card payment company, analysed 100,000 breached passwords and found that the most commonly hacked passwords were ‘qwerty’, ‘123456’, ‘password’, and ‘1111111’. Also on that list are terms of endearment like ‘love’, ‘baby’, and ‘angel’.
In a world where two-factor authentication is the standard, we still have people using these insanely easy-to-guess passwords.
The National Counterintelligence and Security Center (NCSC) reported that the most commonly hacked passwords it has observed are ‘123456’, ‘123456789’, ‘qwerty’, ‘password’, and ‘1111111’, which agrees with the report Dojo released. What I find amazing is that ‘123456’ was found to be compromised 23.2 million different times (different users). That is just shocking.
This means that the average user just doesn’t understand how easy it is for a hacker to gain access and what they can do when they gain access.
So let’s step through the process a hacker will use to gain access to a computer system.
(Let’s assume that the hacker does not know anything about you)
1. They will first attempt what is known as a dictionary attack. This is an automated brute-force attack in which the attacker’s machine works through a list of common passwords (the dictionary) and tries each one against the login. The list is usually ordered from most to least common, so you can bet that ‘qwerty’ and ‘password’ are very near the top.
This type of attack can be stopped by setting an account lockout threshold, a limit on the number of failed attempts. In Windows, this is set via Group Policy or the registry. It works by refusing further input after a preset number of failures: set to 3, the user gets three attempts to enter the password before the account is locked or paused, and on the fourth attempt access is denied until either the account is unlocked or a timer expires (most often 30 seconds or 5 minutes). This severely cripples a dictionary attack. I have found that five attempts and a 30-minute lockout work best. Most users can manage to get it right in five attempts; if not, they have to wait 30 minutes before it allows access again.
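To make the threshold arithmetic concrete, here is an added example (Python, not code from the original post) of a toy login service that enforces a lockout policy, together with a replay of a constructed common-password list against it that waits out every lockout. The `LoginService`, the account name and the word list are made up for the demo, and the credential store holds plain text only because it is a demo; the point it shows is that five attempts with a 30-minute lockout cap a remote guesser at 240 guesses per account per day, against thousands for a 30-second pause.

```python
"""Toy login service enforcing an account-lockout policy.

Added example, not code from the original post. LoginService, its in-memory
credential store and COMMON_PASSWORDS are constructed for the demo; a real
system stores password hashes, never plain text.
"""
from __future__ import annotations

from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass
class LockoutPolicy:
    threshold: int = 5           # failed attempts allowed before the account locks
    lockout_seconds: int = 1800  # how long it stays locked (30 minutes)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0    # epoch seconds; 0.0 means not locked


class LoginService:
    def __init__(self, policy: LockoutPolicy, credentials: dict[str, str]):
        self.policy = policy
        self.credentials = credentials          # username -> password (demo only)
        self.state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' (wrong password) or 'locked' (not even checked)."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                     # refuse input while the timer runs
        if self.credentials.get(user) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = 0                     # counter restarts after the lockout
        return "denied"


def max_guesses_per_day(policy: LockoutPolicy) -> int:
    """Ceiling on online guesses per account per day: `threshold` guesses, then a
    full lockout, repeated. Ignores the time the guesses themselves take."""
    return policy.threshold * (SECONDS_PER_DAY // policy.lockout_seconds)


def simulate_dictionary_attack(service: LoginService, user: str,
                               wordlist: list[str],
                               budget_seconds: float) -> tuple[int, bool]:
    """Replay a word list against one account at one guess per second, waiting
    out each lockout. Returns (guesses actually evaluated, password found?)."""
    now, tested = 0.0, 0
    for word in wordlist:
        while True:
            result = service.attempt(user, word, now)
            if result == "locked":
                locked_until = service.state[user].locked_until
                if locked_until > budget_seconds:
                    return tested, False        # out of time before the next window
                now = locked_until              # wait for the account to unlock
                continue
            tested += 1
            now += 1.0                          # one network round trip per guess
            if result == "ok":
                return tested, True
            break
    return tested, False


# Constructed list in "most common first" order; the demo victim's deliberately
# weak password sits at position 11.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "password", "1111111",
                    "love", "baby", "angel", "letmein", "dragon",
                    "sunshine", "welcome"]


def demo(threshold: int, lockout_seconds: int,
         budget_seconds: float) -> tuple[int, bool]:
    service = LoginService(LockoutPolicy(threshold, lockout_seconds),
                           {"alice": "sunshine"})      # constructed account
    return simulate_dictionary_attack(service, "alice", COMMON_PASSWORDS,
                                      budget_seconds)


if __name__ == "__main__":
    for t, d in [(5, 1800), (3, 300), (3, 30)]:
        cap = max_guesses_per_day(LockoutPolicy(t, d))
        print(f"{t} attempts / {d}s lockout: at most {cap} guesses per day")
    print("no lockout, 1 hour:", demo(10**9, 1, 3600))
    print("5 / 30 min, 1 hour:", demo(5, 1800, 3600))
    print("5 / 30 min, 2 hours:", demo(5, 1800, 7200))
```

With no lockout the whole list is exhausted in seconds; with the 5-attempts/30-minute policy the same list needs over an hour, and the per-day ceiling drops from effectively unlimited to 240. The `locked` result deliberately carries no information about whether the password was right, so a guesser learns nothing from hitting the wall.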
2. If the dictionary attack fails, they can use one of two options. One is a password cracker (another brute-force attack), which has become ultra-fast with the increased horsepower of modern graphics cards. In 2011, available commercial products claimed the ability to test up to 2,800,000,000 passwords a second on a standard desktop computer using a high-end graphics processor (source: Wikipedia). Keep in mind that they are limited by bandwidth, as most likely this is a remote hack. Again, this type of attack can be stopped by the same steps outlined above.
The other option is social engineering. Here they check out your social media and online accounts in the hope that your password is your kid’s name or maybe your dog’s name. If they are sitting at your keyboard, chances are your password is related to something they can see around the desk. Most people choose a password that is easy to remember, and something around them is what triggers that memory.
So the longer and more complex the password, the harder it is to crack with the above methods. But that also makes it easier to forget than a simple password.
Most modern studies find that a passphrase is the best type of password. Something like “On Wednesdays, I get coffee at Dunkin’ Donuts!12”. This type of password is easy to remember, easy to type, and meets the most common requirements of 2 upper-case characters, 2 lower-case characters, 2 numbers, and 2 special characters. Plus you don’t need to write it down.
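As an added example (Python, not code from the original post), the screening a login system can apply to a new password: the 2/2/2/2 complexity rule above, a lookup against a blocklist of common passwords with the usual ‘@’-for-‘a’ substitutions undone, and the worst-case exhaustion time at the 2.8 billion guesses per second quoted in step 2. The blocklist here is a constructed sample; a real deployment would load a large breached-password list. One caveat the numbers make visible: the 2.8 billion/s rate is what a cracker gets offline against a stolen password-hash file, where no lockout applies, so the brute-force estimate is the case the lockout policy cannot help with and length is the only defence.

```python
"""Password screening: complexity rule, blocklist check, brute-force estimate.

Added example, not code from the original post. COMMON_PASSWORDS is a small
constructed sample standing in for a real breached-password list.
"""
import string

# Constructed sample of the kind of entries found on common-password lists.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "1111111",
                    "love", "baby", "angel", "letmein", "iloveyou"}

# Letter-for-symbol substitutions, undone before the lookup so that
# 'P@ssw0rd!1' is still recognised as 'password'.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def is_common(password: str) -> bool:
    """True if the password, or its core with trailing digits/punctuation and
    leet substitutions removed, appears on the blocklist."""
    raw = password.lower()
    core = raw.strip(string.digits + string.punctuation + " ")
    return bool({raw, core, core.translate(LEET)} & COMMON_PASSWORDS)


def complexity_gaps(password: str, minimum: int = 2) -> list[str]:
    """Return the character classes with fewer than `minimum` members.
    Spaces and punctuation both count as 'special'."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return [cls for cls, n in counts.items() if n < minimum]


def check_password(password: str) -> list[str]:
    """All the reasons a password would be rejected; empty list means accepted."""
    problems = []
    if is_common(password):
        problems.append("appears on the common-password list")
    problems += [f"fewer than 2 {cls} characters"
                 for cls in complexity_gaps(password)]
    return problems


def brute_force_seconds(length: int, alphabet_size: int,
                        guesses_per_second: float = 2.8e9) -> float:
    """Worst-case time to try every string of `length` symbols drawn from an
    alphabet of `alphabet_size`, at the offline rate quoted in the post."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for pw in ["qwerty", "P@ssw0rd!1", "Qwerty1!",
               "On Wednesdays, I get coffee at Dunkin’ Donuts!12"]:
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
    # 95 printable ASCII symbols: 8 random characters fall in weeks,
    # the 48-character passphrase is out of reach of exhaustive search.
    for n in (8, 12, 48):
        days = brute_force_seconds(n, 95) / 86_400
        print(f"{n} chars over 95 symbols: {days:.3g} days worst case")
```

The blocklist check runs before the complexity check on purpose: ‘P@ssw0rd!1’ nearly satisfies the 2/2/2/2 rule yet is one of the first things a cracker tries, which is exactly the gap a pure complexity policy leaves open.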
Passwords that mix letters, numbers, and symbols are less likely to be hacked because they are harder to guess.
At work I have, on more than one occasion during security pre-inspections, lifted up keyboards, mouse pads, and phones and found sticky notes with passwords on them. Twice I have even found them taped to the back of monitors.
According to NCSC, the most common hacked password categories are:
- Pet names/terms of endearment
- Swear words
- Family members
- Car brands
- Social media platforms
- Star signs
So put a little thought into your next password: don’t write it down, change it often, and try to keep it off the lists.
If you have a difficult time remembering all your passwords (known as password fatigue), try a password manager. I prefer LastPass. It remembers all my passwords for me, it is available on my PC and my phone, and I only need to remember one password to gain access. It couldn’t be any easier.
Come on, we can do better, can’t we?