As we approach the end of the year, cybersecurity outfits inevitably round up and share the weakest passwords detected in the wild over the past 12 months. Some of these are obvious—12345678 is a terrible password that keeps showing up—but a new security report highlights some surprising trends that call into question what actually makes for a good password.
The common assumption is that a longer password is more secure than a shorter one. That's not necessarily wrong, but it's not always true, either. The folks at Specops, a major password management and authentication solution vendor headquartered in Sweden, issued a report based on "proprietary surveys and data analysis of 800 million breached passwords, a subset of the more than 3 billion breached passwords within Specops Breached Password Protection list."
One thing the data unveiled is that a whopping 93 percent of passwords used in brute force attacks include eight or more characters. It also discovered that 41 percent of passwords used in real brute force attacks were 12 characters or longer, which is the minimum length that many organizations require.
"Attackers are well aware of the standards recommendations and password requirements companies are using to fight these attacks. This data shows that attackers have adjusted their tactics to include longer passwords," the report states.
Here's a look at the top 10 passwords used in brute force attacks with at least 12 characters...
- ^_^$$wanniMaBl: 1433 vl
- almanlinux8svm
- dbname=template0
- shabixuege!@#
- @$$W0rd0123
- P@ssw0rd5tgb
- adminbigdata
- Pa$$w0rdp!@#
- adm1nistrator1
- administrator!@#$
While all 10 passwords are relatively long and complex, they are also compromised, and they are variants of rudimentary passwords. Simply adding a mix of characters, symbols, uppercase letters, and lowercase letters is not good enough if the password itself is a play on a common word, such as "password" or "administrator," as the list indicates.
The report also took a deep dive into a brute-force wordlist known as "rockyou2021." According to the report, the dataset trended towards longer passwords, which Specops says necessitates the enforcement of either harder-to-remember longer passwords to avoid collisions with the wordlist, or the use of passphrases.
Here's a breakdown of the complexity type of those passwords...
[Chart: breakdown of RockYou2021 passwords by complexity type. Source: Specops]
"The above breakdown indicates that adding most of RockYou2021 to a breached password protection list is not required, as sufficient complexity rules could protect against over 95 percent of the records. By simply requiring upper, lower, numbers, and special characters, one would rule out a valid password being contained in the following categories (comprising of 96.5 percent of our sample)," Specops says.
That's somewhat contradictory to the brute force guidance, but in this case it really just means that requiring a mix of characters, symbols, and uppercase/lowercase letters lets organizations avoid passwords that appear in a leaked wordlist.
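As an added illustration (not code from the report or from Specops), the Python check below applies the four-class complexity rule the report quotes and then undoes common leetspeak substitutions so that dressed-up variants of base words, such as the "password" and "administrator" entries in the top-10 list above, are still rejected. The base-word list, the substitution table and the 12-character minimum are constructed assumptions for the demo.

```python
import string
from typing import List, Optional

# Constructed sample of common base words; a real deployment would consult a
# breached-password protection list such as the one the report describes.
COMMON_WORDS = sorted(
    {"password", "administrator", "admin", "rockyou", "welcome", "qwerty"},
    key=len, reverse=True)  # longest first so "administrator" wins over "admin"

# Substitutions used to dress up a base word (assumed table, not exhaustive).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy minimum, matching the length the article cites


def meets_complexity(pw: str) -> bool:
    """The four-class rule the report quotes: upper, lower, digit and special."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so variants map onto their base word."""
    return pw.lower().translate(LEET)


def common_word_in(pw: str) -> Optional[str]:
    """Return the longest common base word embedded in the password, or None."""
    norm = normalize(pw)
    return next((w for w in COMMON_WORDS if w in norm), None)


def evaluate(pw: str) -> List[str]:
    """List every policy failure; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not meets_complexity(pw):
        problems.append("missing a character class")
    hit = common_word_in(pw)
    if hit:
        problems.append(f"variant of common word '{hit}'")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd5tgb", "adm1nistrator1", "Tr0ub4dor&3-Glacier"]:
        print(candidate, evaluate(candidate) or "accepted")
```

Note that "P@ssw0rd5tgb" satisfies length and all four character classes yet is still rejected, which is exactly the gap the article describes between complexity rules and a breached-word check.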
Another big no-no is to build a password around a theme or pattern, such as seasons, musicians, sports teams, movies, and TV shows. Hackers target pop culture themes when trying to crack a password, so for example "darthvader" and "Spiderman" are terrible passwords that top various lists. Even making them more complex, as discussed earlier, is still not enough. That's especially true if someone recycles a password for multiple sites.
"Making passwords complex creates passwords that are difficult for people to remember, and easy for hackers to exploit. As long as people reuse passwords, making these more secure comes down to disallowing all known compromised passwords," Specops says.
You can read the full passwords report (PDF) for more interesting trends. We'll also add that, wherever possible, it's highly advised to enable two-factor authentication as an added layer of protection, especially in light of LastPass confirming that hackers stole its password vault.