Cyber Security

Luke Hally

About passwords

July 24, 2021

How do people treat passwords?

The Avast report about Americans and passwords makes for disturbing reading. https://press.avast.com/83-of-americans-are-using-weak-passwords 

Many Americans use personal information such as a partner’s name or birthday in their password, which makes them vulnerable to social engineering and OSINT (open source intelligence) reconnaissance. 81-83% are failing to create strong passwords and 53% reuse passwords, despite 88% knowing that it is a risky practice.

What about responding to news of password breaches? Fewer than half (42%) checked to see if their email or password was in a known breach. After learning of a breach, only 23% have changed their passwords. When it comes to changing or updating passwords:

  • 18% have never changed their passwords
  • 21% change passwords once a year
  • 19% change passwords every six months
  • 20% change their passwords every three months or less

What passwords do people pick?

I found a few of the approaches interesting.

  1. Easy to remember words and numbers (often just a number added on the end)
  2. ‘Keyboard walks’: common patterns such as qwerty or qaz2wsx
  3. Common fruits, animals, superheroes and people’s names
  4. Phrases beginning with ‘love’ or ‘my’

Common words

Common numbers

Password attacks

The most common forms of password attacks are:

  1. Brute force attack – trying every combination until the password is found
  2. Dictionary attack – combining common words to try as passwords
  3. Rainbow table attack – a precomputed table of the hashes of common passwords, used for a reverse lookup. Attackers use these when hashed passwords have been stolen; it renders the hashing worthless.
  4. Credential stuffing – once a person’s credentials have been discovered for one site, they are ‘stuffed’ into as many other sites as possible to take over those accounts as well.
  5. Password spraying – using the most common passwords from a leak and spraying them at multiple users and sites. It’s going for the low-hanging fruit.
  6. Phishing – tricking people into clicking a link and logging into a fake site.
  7. Keylogger attack – capturing keystrokes as the password is typed.
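As an added example (not from the original post), the snippet below shows why item 3 works against a store of unsalted hashes and what a per-user salt changes: a precomputed hash-to-plaintext lookup (the simplest form of the table described above) recovers an unsalted hash instantly, but never matches a salted one. The password list is a small constructed sample standing in for a leaked wordlist.

```python
import hashlib
import os

# Constructed sample of "common" passwords, standing in for a leaked wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "qaz2wsx", "iloveyou", "monkey1"]


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precompute hash -> plaintext for every common password.

    This is the attacker's one-time cost; once built, every stolen
    unsalted hash is a single dictionary lookup away from its plaintext.
    """
    return {sha256_hex(p): p for p in passwords}


def reverse_lookup(table, stolen_hash):
    """Return the plaintext for a stolen hash, or None if it is not in the table."""
    return table.get(stolen_hash)


def hash_with_salt(password: str, salt: bytes) -> str:
    """Per-user random salt: the same password no longer hashes to the same value,
    so a table built ahead of time cannot contain the result."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Site A stored plain SHA-256: the table recovers the password immediately.
    unsalted = sha256_hex("qaz2wsx")
    hit = reverse_lookup(table, unsalted)

    # Site B salted each hash: the precomputed table never matches, so the
    # attacker has to start the whole computation over for every single user.
    salt = os.urandom(16)
    salted = hash_with_salt("qaz2wsx", salt)
    miss = reverse_lookup(table, salted)
    return hit, miss


if __name__ == "__main__":
    hit, miss = demo()
    print("unsalted hash recovered:", hit)   # qaz2wsx
    print("salted hash recovered:", miss)    # None
```

Real password storage should also use a slow, memory-hard hash (bcrypt, scrypt or Argon2) rather than plain SHA-256; the sample keeps SHA-256 only to make the lookup easy to follow.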

Reflection

It’s easy to tut tut at bad passwords, but apart from using complex passwords, I’m about as guilty as the average American. I need to become more proactive with password maintenance.

When building a passphrase, don’t fall into the trap of just tacking a number on the end to defeat brute force. If your phrase follows the common patterns, it will end up in the pruned search tree the attacker tries first. So instead of adding symbols and numbers on the end, incorporate them within the phrase.

Outside of phishing and keylogger attacks, the other attacks are all made easier by common or easily guessed passwords. Passwords need to be strong, but we should also activate 2FA/MFA where available.

I’ve decided to start using a password manager and I recommend you do too. Read about the steps I took to improve my password security here.
