Weak Passwords

Recent studies show that easily guessed passwords are still in frequent use and that these passwords are not as obvious as they might appear.

NordPass data from 2019 to 2022 unsurprisingly reveals the top two passwords as ‘password’ and ‘123456’, with over 6 million combined occurrences in the 2022 records alone. The list is drawn from a ‘4.3TB database extracted from various publicly available sources, including those on the dark web’. The data has been categorised by country of origin and purpose (for example eCommerce or social media). Obviously the report does not detail exactly where these passwords were used. An unknown proportion could belong to throwaway accounts, created to access a service such as a shopping cart that is never checked out or a one-time download, and never visited again. Such a practice should only ever be combined with equally throwaway or invalid emails or account names, as a valid working email has real value to the hacker or spammer.

The 2022 SpecOps weak password report identifies a worrying trend in the exploitation of unusual but still frequently used passwords. There is a trade in lists of known passwords and the hacker will use these in a dictionary attack on user accounts. One such list, RockYou2021, contained roughly 8.5 × 10^9 records. Working through such a list is still more efficient than brute force guessing of a password. For example an alphanumeric password of length 6 would choose 6 elements from 52 letters (capital and lowercase) and 10 digits (0-9). That is 62^6, or 56,800,235,584 combinations (roughly 5.6 × 10^10); nearly 10 times as slow as the dictionary. Adding special characters and requiring a longer password further reduces the chance of a brute force attack succeeding. Conversely, if the hacker assumes that a password must contain special characters or a mix of capital and lower case then the word list can be cut back: there is no gain in including ‘password’, but ‘Pa55word’ has at least some chance of working. Another ‘trick’ linked to password lists is not to attack a single account with a long list of possible words, but instead to target a great many accounts with a small number of likely passwords, avoiding lockouts and the possibility of the attacks being detected and blocked.
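The last pattern above, a few guesses each against many accounts, is invisible to per-account lockout but easy to spot per source. As an added example (not part of the original post), the following Python flags it over a constructed sample of failed-login records; the log format and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records (not real data). 203.0.113.7 makes one guess
# each against six accounts; 198.51.100.9 hammers a single account.
SAMPLE_LOG = """\
2024-09-30T10:00:01 FAIL user=alice src=203.0.113.7
2024-09-30T10:00:03 FAIL user=bob src=203.0.113.7
2024-09-30T10:00:05 FAIL user=carol src=203.0.113.7
2024-09-30T10:00:07 FAIL user=dave src=203.0.113.7
2024-09-30T10:00:09 FAIL user=erin src=203.0.113.7
2024-09-30T10:00:11 FAIL user=frank src=203.0.113.7
2024-09-30T10:01:00 FAIL user=alice src=198.51.100.9
2024-09-30T10:01:05 FAIL user=alice src=198.51.100.9
2024-09-30T10:01:10 FAIL user=alice src=198.51.100.9
2024-09-30T10:01:15 FAIL user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) FAIL user=(\S+) src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, user, src) for each failed-login line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_sprays(log_text, window=timedelta(minutes=10),
                min_accounts=5, max_per_account=2):
    """Return {src: sorted accounts} for every source that failed against at
    least min_accounts distinct accounts within one window while staying at or
    below max_per_account tries on each: too few per account to trip lockout,
    which is exactly why per-account lockout alone does not catch it."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(parse(log_text)):
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        for i, (start, _) in enumerate(attempts):
            per_user = Counter(u for ts, u in attempts[i:] if ts - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits
```

The single-account hammering from the second source is left to ordinary lockout; only the wide, shallow source is reported.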

The uncommon but often used passwords fall into two categories: those related to some popular theme, and those that appear random but are actually built from keyboard characters that are easy to reach. Seasons of the year, popular sports teams, films and music artists were all commonly found on breached password lists; for example the password ‘Cincinnati Reds’ appeared almost 150,000 times. This sort of information would be of more use to the hacker if they knew where the related account was based. Other popular choices included figures from cultures that might be seen as connected to someone with an interest in computers, including Star Wars, Marvel and DC themes.

Of the less predictable passwords, the following are the top 10 used in real attacks against passwords of 12 characters or more:

  • ^_^$$wanniMaBI:: 1433 vl
  • almalinux8svm
  • dbname=template0
  • shabixuege!@#
  • P@$$W0rd0123
  • P@ssw0rd5tgb
  • adminbigdata
  • Pa$$w0rdp!@#
  • adm1nistrator1
  • administrator!@#$

Any user should avoid using the same password, or the same pattern of password, across many accounts, as a breach of a ‘relatively harmless’ account may yield a user name and password combination that is the key to valuable data. Tracking the appearance of user name and password combinations across breaches will also give the hacker insights into the online presence of that user, which might be used for more sophisticated attacks. This remains useful even if the password itself is hashed: if the same unsalted hash algorithm has been used then the same hash reappears and the activity of that user is still traceable. A password manager will reduce the need for users to remember all these combinations, although it will be less useful in situations such as the administration of IoT devices.
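An added example, not from the original post, of the kind of check a defender can apply when a password is set: it normalises the candidate the way the breached examples above are built (‘Pa55word’, ‘P@$$W0rd0123’, ‘adm1nistrator1’), compares it against a small constructed banned list standing in for a full breach list, and flags keyboard runs; the word list, substitution table and keyboard layout are assumptions.

```python
import re

# Constructed banned list standing in for a full breached-password list like the
# ones in the post; a real deployment loads millions of entries from such a list.
BANNED_BASE_WORDS = {"password", "administrator", "admin", "summer", "winter",
                     "cincinnatireds", "starwars", "letmein"}
# Straight runs along rows and columns of a common keyboard layout (assumed).
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
# Substitutions seen in breached examples such as 'Pa55word' and 'P@$$W0rd0123'.
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o", "1": "i",
                      "!": "i", "3": "e", "4": "a", "7": "t"})


def normalise(pw):
    """Expose the underlying word: lowercase, drop spaces, strip leading/trailing
    digit or symbol padding, then reverse the leet substitutions."""
    s = pw.lower().replace(" ", "")
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def is_keyboard_walk(pw, min_run=4):
    """True if the password contains a run of min_run adjacent keys, either direction."""
    s = pw.lower()
    for run in KEYBOARD_RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in s:
                    return True
    return False


def reject_reason(pw, banned=BANNED_BASE_WORDS):
    """Return why a candidate password should be rejected, or None if it passes.
    Longest banned words are checked first so 'administrator' wins over 'admin'."""
    base = normalise(pw)
    for word in sorted(banned, key=len, reverse=True):
        if len(word) >= 5 and word in base:
            return f"contains banned word '{word}'"
    if is_keyboard_walk(pw):
        return "keyboard pattern"
    return None
```

Substitution and padding tricks are undone before the lookup, so ‘P@ssw0rd5tgb’ is caught on the word it hides rather than only on its keyboard tail.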
