
In previous posts, we’ve looked at the most common passwords people use in a company environment, default passwords set for new employees, and password patterns. These password trends are uncovered by the many penetration testing service engagements we perform. In this blog, we’ll take a deeper dive into the strength of longer passwords.

I’m always open to suggestions for new things to research with regard to the passwords we’ve cracked, and this one came from my Rapid7 colleague Aaron Herndon. He has noticed on his penetration testing service engagements that some clients have changed their domain password policy’s minimum length to be 12 characters, instead of the eight we more commonly see. He wanted to know what passwords look like when they are 12 characters or longer.

On penetration tests, the three most common passwords are a variation of company name, the season/year, and a variation of “password.” But what happens if we lengthen the password requirement? The answer is a little bit, but not much.

I ran through all the cracked password lists and extracted those that were at least 12 characters long. The result was a total of 37,888 passwords. Next, I used Pipal, a password-analyzing tool, to find the 10 most common passwords. The results were interesting: two out of the three most common passwords still existed! Here are the top 10 most common passwords, with an “X” replacing characters in a company name and matching case:

Six passwords were from the same company and had the same value under the Xs: the company name. It is possible that the “001” value was the default password new accounts received, then users bumped up the value. To test this theory, I searched the list for additional increments and sure enough, the same company had 11 instances of “003”, six instances of “004”, seven instances of “005”, and four instances of “006”. Apparently only three have gotten to the James Bond level, with “007” appended.

The third most common password was “Password,” but with a variation to meet the longer password requirement: adding the “123!”. The fifth and ninth most common came from a company that was likely involved with hair care.

If the seventh most common password doesn’t immediately stand out and appears random, it’s actually not. Look at the keyboard and start with the “1,” then look down. The “q” and “a” keys are under the “1.” The “w” and “s” keys are under the “2,” the “e” and “d” keys are under the “3,” and the “r” and “f” keys are under the “4.” This is what is referred to as a “keyboard walk.” This means people are using keys next to each other on the keyboard, which makes the password appear random but is easier for them to remember. This is a common pattern we see, along with additional keyboard walks such as “asdfjkl” or “asdfghjkl”.

When we analyze sets of cracked passwords, we notice that the most common password length is very often the minimum required length. Not only that, but the minimum length occurs in more than half of the cracked passwords. When analyzing our 12-character data set, we see the same result:

The rest drift off into fractions of a percent, but the point is the majority of people will meet exactly the minimum requirement.

Next, I looked at the patterns we see with regard to character position. In a prior blog post around password security best practices, I noted that we commonly see the first character is an uppercase letter followed by a number of lowercase letters, then two or four digits as the final characters. When looking at our current data set, we can see these patterns have not changed. The following are the top three patterns found:

People are still using an uppercase letter for their first character, then a series of lowercase letters, then finishing with a number of digits. These are commonly either the two- or four-digit year, or simply “123”. The pattern holds up, exactly as we’ve seen before.

So, to answer Aaron’s question, not much changes. We still see that people use their company’s name and a variation of “password.” The only thing that didn’t jump into our top 10 was the season/year, likely because these passwords weren’t long enough or had a lot of variations. Just to see the seasonal counts, I did a case-sensitive search for each of the seasons and found the following:

Most of these matched what we’ve seen before (e.g., Winter2018) but added extra characters such as two exclamation marks at the end to meet the minimum length requirement. They’re not in the top 10 above, as there were variations with years, case, and the extra characters added.
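As an added example (my own code, not Pipal’s and not part of the original post), the following script runs the analysis steps described above over a constructed sample list of cracked passwords: filter to 12 characters or longer, rank the most common values, mask the company name with X/x, derive Pipal-style character-position masks and collapsed patterns, flag keyboard walks, count seasons case-sensitively, and look for incrementing numeric suffixes after the company name. The company name “Examplecorp”, every password in the sample, and the keyboard-walk detector (the whole lowercased password must be a substring of a keyboard row or a column zig-zag) are assumptions of this example, not data from the post.

```python
"""Added example, not code from the Rapid7 post: a small Pipal-style pass over a
constructed list of cracked passwords, following the steps the post describes.
Pipal itself is not used; the counts are re-implemented here. The company name
"Examplecorp" and every password below are constructed for illustration."""
from collections import Counter
from itertools import groupby
import re

COMPANY = "Examplecorp"  # hypothetical company name, masked to X/x in output

# Constructed sample of "cracked" passwords; repetition makes the counts visible.
SAMPLE_CRACKED = (
    ["Examplecorp001"] * 6 + ["Examplecorp003"] * 3 + ["Examplecorp007"] * 2
    + ["Password123!"] * 4         # "Password" padded to 12 with "123!"
    + ["Summer2019!!"] * 3 + ["Winter2018!!"] * 2   # season/year padded with "!!"
    + ["1qa2ws3ed4rf"] * 3         # the keyboard walk the post describes
    + ["1qaz2wsx3edc"]             # a deeper walk down the same columns
    + ["Welcome12345"] * 2
    + ["spring2021!!"]             # lowercase: missed by a case-sensitive season search
    + ["letmein", "Summer2019"]    # under 12 characters: dropped by the length filter
)
SEASONS = ("Spring", "Summer", "Fall", "Autumn", "Winter")
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEYBOARD_COLUMNS = ("1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p")

def filter_min_length(passwords, min_len=12):
    """Keep only passwords that meet the policy minimum."""
    return [p for p in passwords if len(p) >= min_len]

def most_common(passwords, n=10):
    """Top-n passwords with counts, like Pipal's top-10 list."""
    return Counter(passwords).most_common(n)

def length_share(passwords):
    """Percentage of passwords at each length (the post's length chart)."""
    counts = Counter(len(p) for p in passwords)
    return {n: round(100 * c / len(passwords), 1) for n, c in sorted(counts.items())}

def char_mask(password):
    """Per-position class: u=upper, l=lower, d=digit, s=anything else."""
    return "".join("u" if c.isupper() else "l" if c.islower() else "d" if c.isdigit() else "s"
                   for c in password)

def pattern(password):
    """Collapse the mask into runs: 'Summer2019!!' -> 'u-l-d-s'."""
    return "-".join(cls for cls, _ in groupby(char_mask(password)))

def top_patterns(passwords, n=3):
    """The post's 'top three patterns' table."""
    return Counter(pattern(p) for p in passwords).most_common(n)

def _walk_sequences():
    """Rows, column zig-zags of depth 2-4 (with/without the digit row), and reversals."""
    seqs = set(KEYBOARD_ROWS)
    for depth in (2, 3, 4):
        seqs.add("".join(col[:depth] for col in KEYBOARD_COLUMNS))   # 1qa2ws3ed4rf...
        seqs.add("".join(col[1:depth] for col in KEYBOARD_COLUMNS))  # qawsedrf...
    return seqs | {s[::-1] for s in seqs}

WALKS = _walk_sequences()

def is_keyboard_walk(password):
    """True if the whole lowercased password traces adjacent keys (assumed rule)."""
    return any(password.lower() in walk for walk in WALKS)

def mask_company(password, company=COMPANY):
    """Replace the company name with X/x, matching the original case."""
    xs = lambda m: "".join("X" if c.isupper() else "x" for c in m.group(0))
    return re.sub(re.escape(company), xs, password, flags=re.IGNORECASE)

def numeric_suffix_counts(passwords, company=COMPANY):
    """Count three-digit suffixes after the company name (the 001/003/... check)."""
    suffix = re.compile(re.escape(company) + r"(\d{3})$", re.IGNORECASE)
    hits = Counter()
    for p in passwords:
        m = suffix.match(p)
        if m:
            hits[m.group(1)] += 1
    return hits

def season_counts(passwords):
    """Case-sensitive search for each season, as the post did."""
    return {s: sum(1 for p in passwords if s in p) for s in SEASONS}

if __name__ == "__main__":
    long_pw = filter_min_length(SAMPLE_CRACKED)
    print(f"{len(long_pw)} of {len(SAMPLE_CRACKED)} cracked passwords are 12+ characters")
    for pw, n in most_common(long_pw):
        print(f"{n:3d}  {mask_company(pw):16s} {char_mask(pw):16s} walk={is_keyboard_walk(pw)}")
    print("length share (%):", length_share(long_pw))
    print("top patterns:", top_patterns(long_pw))
    print("seasons:", season_counts(long_pw))
    print("suffixes after company name:", dict(numeric_suffix_counts(long_pw)))
```

On the constructed sample the script reproduces the shape of the post’s findings: the company-name-plus-suffix entry tops the list, the length share is dominated by exactly 12 characters, the leading collapsed pattern is uppercase, lowercase, digits, the “1qa2ws3ed4rf” entry is flagged as a keyboard walk, and the lowercase “spring2021!!” shows why a case-sensitive season search undercounts.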
