Research reveals why we swipe right when choosing passwords, but should be swiping left
There has, it must be said, been one heck of a lot of password usage research over the years. The world’s top 100 worst passwords ranked, which saw 12345 topping the list but outliers such as zinch and g_czechout making the top ten, for example. Or how about the 32 passwords you definitely shouldn’t use unless you want to get hacked, that featured a largely numerical top ten with only 1qaz2wsx bucking that trend? These lists are more helpful than you might imagine, not least as they help spread awareness of the dangers of using common credentials, which can be cracked quicker than you can say “holy hackers, Batman.” The latest research to cross my virtual desk involved an analysis of a randomized data set consisting of more than 1 billion credential combos from dark web sources. So far, so run of the mill. However, rather than just list the most used passwords, this research dug a little deeper. What it found was that far too many people effectively swipe right when selecting their passwords when, in fact, they should be swiping left for a more secure login relationship.
The danger of passwords we are most attracted to
Kevin Lancaster, CEO and co-founder of dark web intelligence specialists, ID Agent, said that instead of just presenting a top ten list of compromised passwords, “we wanted to take a closer look at user behavior when creating passwords and how those behaviors lead to predictability and potential exploits.”
Starting with the realization that passwords are instinctively an emotive and personal choice, at least for the “normal” human beings that exist outside of the infosecurity industry bubble, the ID Agent analysis found that most people choose an extension of themselves. Further analysis determined that there were 24 common password types to match these personality extensions.
Perhaps unsurprisingly, the most common by far was a simple name. What better to choose for a password than the name of someone you love, after all? What's worse, more like. Some 36.9% of the 1 billion passwords analyzed from the previous 12 months were names. The most common name for a password was George. Yet, based upon seven years of studying dark web forum postings, password dumps, and information extracted from data breaches, names are not the only thing that we find ourselves swiping right for when it comes to the passwords we use.
Dictionary words that hold some relevance to the user came in second at 16.9%, followed by ‘key walking’, where an easy-to-remember keystroke pattern is used (such as qwerty12345), at 8.7%. Things get a lot more personal after that, with such things as sports teams, animals, places, food and fictional characters riding high in the research.
Why swiping right is a big password security problem
The common security denominator here is that all these things are relatively easy to break. Be that by a dictionary attack containing, erm, words found in the dictionary, or the brute-force approach employing non-dictionary variations using every possible alphanumeric combination. I could get into the technical side of hacking, by bringing rainbow tables (lists of pre-computed hashes) into the equation, but why bother when those emotional pulls mean password choice can often be uncovered through OSINT? Open-source intelligence (OSINT) is, very simply, data that can be collected from publicly available sources such as social media postings. You know, all the kinds of places where we bare our emotional ties, where names such as George will be mentioned if George is important to us.
Start swiping left and leave poor password relationships behind
Swiping right, using something with an emotional attachment for your password, must stop if you value your data security. Instead, you need to start swiping left when those personality extensions spring to mind.
The reason that people make these bad choices is that they are instinctive, which equates to being easy to remember. The danger of using something easy to remember, so quite likely easy to guess as well, as a password is amplified when people reuse it across multiple sites and services. I’m not going to travel down the much-traveled path of secure password construction; there’s more than enough information out there on the interwebs. This guide to creating strong passwords is as good as any I’ve found. You’ll need to read that because you will need just one strong password to secure everything. If that sounds a little at odds with what I’ve been saying, it isn’t. The simple and secure way to get password creation, storage, and usage right is to swipe left and use a password manager. If you have that one strong password that is used to open your encrypted password manager vault, then you never need to worry about remembering any other. Let the program itself create your passwords in a truly random and complex way; passwords you would never remember, and which are incredibly difficult for others to guess or crack. Passwords such as “cngeGr$aY5UowD#Ajy%p0&fNm” or “cgjh$aqZ8$NyDX$20kXeg&vhY” for example.
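To make the two points above concrete, here is an added example (not from the article or from ID Agent) that flags the password categories the research names, estimates how many guesses each costs an attacker, and generates the kind of random password a manager would. The word lists and attacker list sizes are constructed assumptions standing in for the real, much larger lists.

```python
import math
import re
import secrets
import string

# Constructed mini word lists standing in for the "name" and "dictionary word"
# categories; a real checker loads full lists (rough attacker list sizes assumed).
NAMES = {"george", "michael", "jennifer", "emma"}
WORDS = {"password", "dragon", "sunshine", "football", "monkey", "chocolate"}
ASSUMED_LIST_SIZE = {"name": 10_000, "dictionary word": 100_000, "key walk": 1_000}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _adjacent(a, b):
    """Two characters sit next to each other on the same keyboard row."""
    return any(a in r and b in r and abs(r.index(a) - r.index(b)) == 1
               for r in KEYBOARD_ROWS)

def is_key_walk(pw, min_run=4):
    """True if pw is made only of runs of adjacent keys, e.g. qwerty12345."""
    s, run = pw.lower(), 1
    for a, b in zip(s, s[1:]):
        if _adjacent(a, b):
            run += 1
        elif run < min_run:
            return False
        else:
            run = 1
    return run >= min_run

def classify(pw):
    """Map a password onto the categories the article names (or 'other')."""
    if is_key_walk(pw):
        return "key walk"
    core = re.sub(r"\d+$", "", pw.lower())  # George1 is still the name George
    if core in NAMES:
        return "name"
    if core in WORDS:
        return "dictionary word"
    return "other"

def guess_bits(pw):
    """log2 of guesses needed: list size (x10 per trailing digit) if guessable, else keyspace."""
    cat = classify(pw)
    if cat != "other":
        digits = 0 if cat == "key walk" else len(pw) - len(re.sub(r"\d+$", "", pw))
        return math.log2(ASSUMED_LIST_SIZE[cat]) + digits * math.log2(10)
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    charset = sum(n for chars, n in classes if any(c in chars for c in pw))
    return len(pw) * math.log2(charset)

def generate(length=25, alphabet=string.ascii_letters + string.digits + "!@#$%^&*"):
    """What a password manager does: uniformly random characters from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Run `guess_bits("George1")` against `guess_bits(generate())` to see the gap: about 17 bits versus well over 100.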
Before you investigate your password manager options, and 1Password, LastPass, Dashlane, KeePass and Bitwarden are good starting points, there is one password resource that you should definitely swipe right for a hot date: the Have I Been Pwned searchable data breach database. This will let you discover if your existing credentials have been found in any of the breaches that are indexed by the database.