Why you should steer users towards less predictable passwords
As users are instructed to create ever more complex passwords, and developers are starting to use encryption methods more difficult to crack than standard hashing functions, password crackers (and penetration testers) must wisely choose which type of password attack to try first, second, and so on.
“When cracking, it is important to try the most time effective attacks first and if unsuccessful, move on to slower password attacks that cover more key space,” says Julian Dunning, security engineer at Praetorian.
But, if one knows the general structure of passwords (types of characters and ordering), the feat becomes immeasurably easier.
By analyzing several big password dumps (nearly 35 million passwords in total), Dunning found that more than 50% of the passwords were created using one of just 13 password structures.
“When users are asked to provide a password that contains an uppercase letter, over 90% of the time it is put as the first character. When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps). The next most popular choice is to end the password with four digits (likely the previous or current year). The next most popular in this case has one digit at the end, and after that three digits at the end,” he noted. “Commonalities in structure such as these allow attackers to predict what the structure of a user’s password will most likely be.”
This is something that developers should also keep in mind, and they should consider implementing controls that steer users away from those popular password structures.
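As an added illustration (not code from Praetorian or from Dunning's analysis), the script below reduces each password to its character-class structure, ranks the structures by frequency, and flags the two traits the article singles out: an uppercase letter used only in the first position, and all digits bunched in a short run at the end. The password list is a constructed sample, not a real dump; a site could run the same `predictable_traits` check at signup to warn the user.

```python
import re
from collections import Counter

def structure(password: str) -> str:
    """Map a password to its character-class structure: U=upper, l=lower, d=digit, s=symbol."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("U")
        elif ch.islower():
            classes.append("l")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)

def structure_frequencies(passwords):
    """Structures ranked by frequency, most common first, as (structure, count) pairs."""
    return Counter(structure(p) for p in passwords).most_common()

def coverage(passwords, top_n):
    """Fraction of the list that the top_n structures alone account for."""
    ranked = structure_frequencies(passwords)
    covered = sum(count for _, count in ranked[:top_n])
    return covered / len(passwords)

def predictable_traits(password: str):
    """Traits from the article's findings that make a password's structure easy to guess."""
    s = structure(password)
    traits = []
    # Uppercase requirement satisfied by capitalising only the first character.
    if s.startswith("U") and "U" not in s[1:]:
        traits.append("only uppercase letter is the first character")
    # Digit requirement satisfied by a run of 1-4 digits at the very end (a year, perhaps).
    tail = re.search(r"d{1,4}$", s)
    if tail and "d" not in s[:tail.start()]:
        traits.append(f"all digits are a trailing run of {len(tail.group())}")
    return traits

# Constructed sample standing in for a leaked dump (not real data).
SAMPLE = ["Summer18", "Winter18", "Spring18", "Welcome1", "Monkey123",
          "Password2019", "hunter2", "Xk7#pQ!vR2m"]

if __name__ == "__main__":
    for struct, count in structure_frequencies(SAMPLE)[:3]:
        print(f"{struct:16} {count}")
    print(f"top structure covers {coverage(SAMPLE, 1):.0%} of the sample")
    for pw in SAMPLE:
        print(pw, "->", predictable_traits(pw) or "no predictable trait")
```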
Of course, the best thing would be for every user to use a password manager (that requires two-factor authentication) and let the program create completely random passwords and store them.
But since most users still don’t, using better encryption methods and implementing policies against password sharing and reuse are currently the best options developers and companies’ IT security departments have to keep those passwords secure.