We all ought to know by now that passwords that are easy to guess will get guessed.
We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.
We tried the 10 all-digit sequences 1
, 12
, 123
and so on up to 1234567890
, and eight of them were in the top 20.
Then we tried other obvious digit combos such as 000000
, 111111
and 123123
(we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456
came out well ahead of 12345
and 1234
).
The others were equally easy: qwerty
, password
, abc123
, password1
, iloveyou
and qwertyuiop
, the last being a useful reminder that length alone counts for very little.
Rank Password SHA-1 Hash Appearances ---- ---------- ---------------------------------------- ----------- 1: 123456 7C4A8D09CA3762AF61E59520943DC26494F8941B 24,230,577 2: 123456789 F7C3BC1D808E04732ADF679965CCC34CA7AE3441 8,012,567 3: qwerty B1B3773A05C0ED0176787A4F1574FF0075F7521E 3,993,346 4: password 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 3,861,493 5: 111111 3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D 3,184,337 6: 12345678 7C222FB2927D828AF22F592134E8932480637C0D 3,026,692 7: abc123 6367C48DD193D56EA7B0BAAD25B19455E529F5EE 2,897,638 8: 1234567 20EABE5D64B0E216796E834F52D61FD0B70332FC 2,562,301 9: 12345 8CB2237D0679CA88DB6464EAC60DA96345513964 2,493,390 10: password1 E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D 2,427,158 11: 1234567890 01B307ACBA4F54F55AAFC33BB06BBBF6CA803E9A 2,293,209 12: 123123 601F1889667EFAEBB33B8C12572835DA3F027F78 2,279,322 13: 000000 C984AED014AEC7623A54F0591DA07A85FD4B762D 1,992,207 14: iloveyou EE8D8728F435FD550F83852AABAB5234CE1DA528 1,655,692 15: 1234 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220 1,371,079 16: - - - - - B80A9AED8AF17118E51D4D0C2D7872AE26E2109E 1,205,102 17: qwertyuiop B0399D2029F64D445BD131FFAA399A42D2F8E7DC 1,117,379 18: 123 40BD001563085FC35165329EA1FF5C5ECBDBBEEF 1,078,184 19: - - - - - AB87D24BDC7452E55738DEB5F868E1F16DEA5ACE 1,000,081 20: - - - - - AF8978B1797B72ACFFF9595A5A2A373EC3D9106D 994,142
We did get the other three passwords later on after a bit more work.
One was the obvious pattern 1q2w3e4r5t
– we originally gave up trying at 1q2w3e4r
, but should clearly have thought to go further, given that two other 10-character keyboard patterns had already showed up in our list.
And we should have thought to try the Chinese zodiac, which would have revealed the 6-letter passwords monkey
and dragon
, which finished off the list at #19 and #20 respectively. (Thanks to the Naked Security readers who wrote in to tell us!)
As you can see above, these passwords didn’t just show up once each in the many public password dumps that were found and processed by HIBP, but literally millions of times, with 123456
at the top with more than 24 million appearances, and dragon
at the bottom with 994,142.
So we need to choose better passwords, and while 99pass!!word45
is probably just about safe enough (but don’t use it – you can easily do better!), a really long-and-strong string such as yjCMth15SU,atTWT?
is the sort of password you ought to be aiming at.
If you’re wondering, that’s a mnemonic password that you can recall with the phrase “You just can’t make this stuff up, ain’t that the whole truth?”.
Strong enough for everything?
The problem is that some of us still seem to think that once we have memorised a truly long-and-strong password, we’ve basically solved the password problem.
Simply put, there’s still a school of thought that goes like this:
- The password
password1
is a bad idea. It’s always bad, so you shouldn’t use it anywhere. - The password
99pass!!word45
is safe enough, as long as you only ever use it on one site. - But
huEX+IDszSSMcBjMw/S9kA
is SUCH A GOOD PASSWORD that you might as well use it everywhere, because no one will ever figure it out.
Until they do figure it out, of course.
As we explained earlier this week, cybercrooks often obtain passwords without needing to guess them or crack them algorithmically, for example:
- If a sloppy internet service stores your password in plaintext and then gets breached, the crooks acquire your actual password directly, regardless of how complex it is.
- Keylogging malware on your computer can capture your passwords as you type, thus obtaining them “at source”, no matter how long or weird they might be.
- Memory-scraping malware on hacked servers can sniff out raw passwords while they are being checked, even if the password itself never gets saved to disk.
Enter credential stuffing
Password re-use is why cybercriminals use a trick called credential stuffing to try to turn a hack that worked on one account into a hack that will work on another.
After all, if they know that one of your accounts was protected by yjCMth15SU,atTWT?
, it costs almost nothing in time or effort to see if any of your other accounts use the same password, or one that’s obviously related to it, giving the crooks a two-for-the-price-of-one attack.
(By “obviously related” we mean that if the crooks acquire a password list that shows your Facebook password was yjCMth15SU-FB
, they’ll probably try yjCMth15SU-TW
for Twitter and yjCMth15SU-GM
for Gmail, because that sort of pattern is rather obvious.)
And, according to the US Department of Justice (DOJ), that’s how an alleged cybercriminal called Charles Onus, who was arrested earlier this year in San Francisco, is said to have made off with a tidy $800,000 in just a few months.
The suspect, claims the DOJ, simply tried the already-known passwords of thousands of users against their accounts on an online payroll service in New York.
We’re assuming it was possible to guess which potential victims were users of the payroll service simply by looking at their email addresses.
If the address matched (or perhaps the person’s social media profile gave away) the name of an employer that used the service…
…then it was a good bet that they’d have a payroll account with the same email address, and therefore also a worthwhile criminal experiment to see if they had the same password.
Onus, says the allegation, was able to login unlawfully to at least 5500 different accounts using this simple system – so simple that it doesn’t even really count as “hacking”.
He was then apparently able to change the bank account details of some users so that their next wage payment went into a debit card account that he himself controlled, and to skim off a whopping $800,000 between July 2017 and the start of 2018 or thereabouts.
What to do?
- Don’t re-use passwords. And don’t try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
- Consider a password manager. Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the password gets compromised. Remember that you don’t have to put all your passwords into the manager app if you don’t want to: it’s OK to have a special way of dealing with your most important accounts, especially if you don’t use them often.
- Turn on 2FA if you can. Two-factor authentication doesn’t guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
- Report payment anomalies. Obviously, you need to look for outgoing payments that shouldn’t have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didn’t expect, no matter how small the amount. The sooner you report any errors, even if you didn’t lose any money, the sooner you help both yourself and everyone else.
Mahhn
Loving the password manager, for the 30+ accounts I have for work, I don’t even care what they are anymore (crazy complex). I didn’t want to use one at first, but it is good.
There are still a couple accounts I don’t use it for, but then the fun comes in. I won’t be using this one, but it’s an okay example; Wifbwqsiswl’80 I bet the first to crack this will have lived in Ozzy land. :p
Zaphod Beeblebrox
Until your password manager password is somehow compromised, and then you’re screwed.
Steve
That’s a great point. This is where you’d need a truly un-hackable password. I don’t know how quickly I could memorize something like huEX+IDszSSMcBjMw/S9kA as the master password. I think, though, that I’ve seen a presentation by Graham Cluley on how to come up with a strong but mnemonic password for your password manager.
Bob Rondeau
I love accounts where it’s possible to click on the phrase “Forgot password?” I then get a new one every time.
Steve
I’m always afraid I’ll get shut out after too many resets within a certain timeframe. If no sites or services do such a thing, then I am in complete agreement (unless one’s email account gets hacked, but at that point I suppose the sh*t will hit the fan no matter what one does).
Tony
so you’re using your email password for everything then?
Paul
I believe Steve is reffering to how many people utilize the same email account address in contact information forms for multiple user accounts linked to service providers (e.g. online banks, stores, colleges, and other email accounts) which then is used for password resets and access recovery. Bad guy/gal takes control of the email account containing available accounts, goes to those sites, and starts clicking “Forgot Password”. That’s where account access notifications and 2-factor with an authenticator app comes in handy.
Richard Deckert
Is there a number of items in the password that makes it safer? Say 13 0r more characters? I have been using 13 characters in my passwords. Does this make me safer?
Paul Ducklin
Length alone is not enough, as 1234567890 and qwertyuiop prove :-) I like to go for 14 or more, though that is an arbitary number. The more you mix things up, the better, so if choose randomly from upppercase letters you will have 26^13 possibilities (more than 2 million million million, or 2^61). Upper+lower+digits, assuming you choose randomly, gives 2^77 different choices.
Dave
I’m a fan of passphrases. Can easily be over 20 chars and including a contraction and or some grammatical symbol increases the keyspace
Philip Le Riche
I must say I’m not a great fan of yjCMth15SU-style passwords – too hard to type and too much brain power needed to convert the passphrase into initials, remembering which are upper case and which are elite-speak. I rather like concatenating 3 or 4 mostly made-up or mis-spelt words, e.g. PawloDudelyDukkoLad – not that hard to remember and the letter sequences are mainly typical of English and so fall under the hand. (I hate typing “management” – enough to give you RSI if you had to do it too often!)
But there’s another issue. A long strong password for your password manager is only the start. If you use full disk encryption you need a good password for that too, and you can’t use your password manager to record that. (Well, you can, but it’d be like posting the key to your moneybox through the coin slot for safe keeping!) And if you use encrypted cloud storage you need another good password for that too. And for your offline backup hard disk or your NAS. Or your bitcoin wallet. Or your GPG key. A password manager is very convenient for web passwords. Most of the others you can store in your password vault but there is a certain friction for non-web passwords that you need to balance against the risk of using a single strong master password for 2 or 3 purposes, no more than one of them accessible to an online attacker.
Roland
turn on MFA with passwordless authentication
Paul Ducklin
Most web accounts you have these days will treat your password as one factor of 2FA and some sort of code/text message/authentication token as another. So passwords will be around for a good while yet. They are not that difficult to do well – and so many so-called “passwordless” alternatives (think fingerprints and faces) need passcodes as a backstop anyway.
Mark
This reminds me of the breach from a few years ago when a whole bunch of unsalted hashes was published. The compromised site allowed users to set their own reset questions and these were also published. Some people had chosen good strong passwords and careful questions. Sadly for them one person had used the same password and set the password as their reset question.
So here was a case of choosing a good password fails if the site has poor design AND another random user screws up.
Paul Ducklin
Probably the infamous Adobe breach of 2013 you are thinking off. All passwords encrypted with the same symmetric key in “codebook” mode. All password hints unencrypted. 153,000,000 accounts affected…
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
0laf
MFA is the only game in town these days, anything is just isn’t good enough. And that’s true MFA, not usr/pwd + pin code. I’m sick of having the same argument that a PIN doesn’t make it two factor
Randolph
As far as I am concerned password would still be around for a very long time