Dashlane, the cross-platform password manager vendor, has published yet more evidence of poor password choices by users.
It seems that lazy users rely on a technique called password walking, which strings together adjacent characters on the keyboard. When they are not doing this, profanities, favourite brands, cars, music, films and sports clubs are also regular choices.
All of this makes it easy for attackers to get into users' accounts. Many simply download the published lists of most-used passwords and load them into a cracking dictionary. They can also watch a user's social media to find out what that user likes. Combining the two into a single targeted wordlist gives them a good chance of cracking a user's password in very few guesses.
According to Emmanuel Schalit, CEO at Dashlane: “When striving to create the very best solutions, it is vital to understand the problems faced. The data obtained and analysed by the Virginia Tech researchers is evidence of rampant password reuse, and Dashlane’s examination of this research sheds new light on typical patterns and habits.”
How did Dashlane find the passwords?
Dashlane worked with Dr Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech. Wang heads up a project, described as “the first large-scale empirical analysis of password reuse and modification patterns…”. This has resulted in a landmark research paper: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services” (no registration required).
The paper above makes for interesting reading for security teams. With data from 107 services taken across an eight-year period, it shows the scale of password reuse. This includes the reuse of passwords already lost in breaches of other services. Users, it seems, take little note of the risk of reusing their passwords.
The key statement from the paper is: “We show that more than 16 million password pairs (including 30% of the modified passwords) can be cracked within just 10 guesses.”
As part of the work Wang’s team was undertaking, they gave Dashlane 61.5 million anonymized passwords from the project. This allowed Dashlane to do their own research into patterns and commonly used words. Dashlane researchers then examined the data for patterns showing how people were choosing passwords. What they discovered were a number of obvious patterns across the keyboard.
What patterns and passwords did they discover?
Dashlane researchers discovered that password walking was commonplace. This is the process of using adjacent letters and numbers on the keyboard such as “123456” and “QWERTY”. In addition to these, the researchers discovered a number of other such passwords. The vast majority of these are combinations of the top two rows of keys and the two left columns.
The use of favourite brands, films, music and sports teams was also quickly spotted. In addition, users fed up with having to change their passwords resorted to profanities. Some of the common passwords that Dashlane found are:
The use of application names such as Myspace and LinkedIn will surprise many, especially as Facebook doesn’t feature. The last five show the power of Champions League football over any other sport.
How can users create better passwords?
Dashlane lists six things that users can do to create better passwords. They are:
- Use a unique password for every online account
- Generate passwords longer than the usual minimum of 8 characters
- Create passwords with a mix of upper- and lower-case letters, numbers and special symbols
- Avoid using passwords that contain common phrases, slang, places, or names
- Use a password manager to help generate, store, and manage your passwords
- Never use an unsecured Wi-Fi connection
The last item on this list is something that few people do. Despite the security risk, the lure of free Wi-Fi in a café or public place is something people cannot resist. Few use VPNs or other technologies to protect themselves. Where a site is served over HTTPS the login itself is encrypted in transit, so the practical exposure is to sites still served over plain HTTP, to users who click through certificate warnings, and to the rest of their traffic, DNS lookups included. A VPN closes that gap, but most people never turn one on.
What does this mean?
Once again lazy password practices are exposed. As in many other analyses of large sets of password data, password walking and well-known brands and names dominate. No matter how much is written on the subject, changing user behaviour remains very hard. Passwords are still seen as having a place in security, at least for those who choose complex ones and avoid reuse.
One solution is to use password managers such as those sold by Dashlane and its competitors. Another is to stop relying on the password alone, for example by adding multi-factor authentication (MFA). This sounds good but is impracticable for large numbers of organisations and websites. In the UK, over 99% of businesses are classified as having fewer than 250 workers. Employing someone to move their users and customers to MFA is expensive.
Irrespective of what options are available to replace passwords, they are not going anywhere soon. Organisations need to do more to educate users and, where possible, prevent them from password walking and reusing older passwords.
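As an added illustration of two points on this page, the keyboard-walk pattern that Dashlane found in the data and the closing recommendation that organisations stop users walking the keyboard and reusing older passwords, here is a password-change check a site could run at sign-up or password reset. It is example code written for this page, not Dashlane's or the Virginia Tech team's. The US QWERTY layout, the five-entry blocklist, the sample password history and the salted SHA-256 stand-in for a real password hash are all assumptions made for the demo.

```python
"""Password-policy checks a site could run at sign-up or password change:
keyboard walks, a common-password blocklist, and near-reuse of an older
password. Added example; not Dashlane's or Virginia Tech's code."""
import hashlib
import re

# Assumption: a US QWERTY layout. Rows are listed in physical order so that
# vertical neighbours (q/a/z, w/s/x) count as well as horizontal ones.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}

# Constructed blocklist for the demo. A real deployment loads a full leaked-
# password list; the page names 123456, qwerty, Myspace and LinkedIn as common.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "myspace", "linkedin"}

# Inverse leet substitutions, used to undo "s3cret"-style tweaks.
LEET_INVERSE = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                "0": "o", "$": "s", "5": "s", "7": "t"}


def _adjacent(a, b):
    """True if a and b are distinct keys touching on the keyboard (diagonals
    included, so 'q2w3e' and '1qaz' count)."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_coverage(password):
    """Fraction of the password made up of runs of three or more adjacent keys.
    '1qaz2wsx' is two such runs and scores 1.0; 'password' scores 0.0."""
    p = password.lower()
    if not p:
        return 0.0
    covered, run = 0, 1
    for a, b in zip(p, p[1:]):
        if _adjacent(a, b):
            run += 1
            continue
        if run >= 3:
            covered += run
        run = 1
    if run >= 3:
        covered += run
    return covered / len(p)


def is_keyboard_walk(password, threshold=0.75):
    return len(password) >= 4 and keyboard_walk_coverage(password) >= threshold


def hash_password(password, salt):
    # Stand-in for the site's real password hash (bcrypt, scrypt, Argon2);
    # a plain salted SHA-256 keeps the example self-contained.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def reuse_candidates(password):
    """Earlier passwords the new one could have been derived from by the tweaks
    the paper found common: an appended digit or symbol, a changed case, leet
    substitutions, or an incremented trailing number. Inverting the tweaks lets
    the new plaintext be compared with stored hashes of the old passwords."""
    no_symbols = re.sub(r"[^A-Za-z0-9]+$", "", password)
    seeds = {password, no_symbols, re.sub(r"[0-9]+$", "", no_symbols)}
    for s in list(seeds):                        # "Summer2018" -> "Summer2017"
        m = re.fullmatch(r"(.*?)(\d+)", s)
        if m and int(m.group(2)) > 0:
            seeds.add(m.group(1) + str(int(m.group(2)) - 1).zfill(len(m.group(2))))
    seeds.discard("")
    out = set()
    for s in seeds:
        deleet = "".join(LEET_INVERSE.get(ch, ch) for ch in s)
        for v in (s, deleet):
            out.update({v, v.lower(), v[0].lower() + v[1:]})
    return out


def check_password(password, old_hashes=frozenset(), salt=b""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if is_keyboard_walk(password):
        problems.append("keyboard walk")
    base = re.sub(r"[0-9]+$", "", re.sub(r"[^A-Za-z0-9]+$", "", password)).lower()
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common password")
    if any(hash_password(c, salt) in old_hashes for c in reuse_candidates(password)):
        problems.append("trivial modification of a previous password")
    return problems


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"                       # constructed
    history = {hash_password(p, salt) for p in ("Summer2017", "secret")}
    for pw in ("qwerty123", "1qaz2wsx", "Summer2018!", "S3cret!!", "correct horse battery"):
        print(pw, "->", check_password(pw, history, salt) or "ok")
```

The reuse check inverts the tweaks (strip an appended suffix, decrement a trailing year, undo leet, lower the case) and hashes each candidate against the stored history. That is the defender's mirror image of the handful of guesses an attacker derives from a leaked password, which is why those guesses succeed so quickly in the paper's data. In a real deployment the hash would be the site's slow password hash and the blocklist a full leaked-password list.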