Password risks – Password issues
The average person now has 19 passwords and 21 online profiles. Over 25% of people now enter a password ten times a day. But what are the common problems that this causes? What sort of attacks are we at risk of because of our passwords?
In this lecture, I’m going to discuss common password problems. I’ll talk about password convenience versus password security. I’ll show you some of the worst passwords. We’ll talk about the problems of having too many passwords, forgotten passwords. And, I’ll introduce you to password attacks. I’ll show you what a brute-force attack is.
There are several problems associated with passwords. These problems include the fact that we require so many of them. It’s not unusual for people to need up to 50 passwords. The password itself needs to be a long, uncommon word. At the very least, it needs to be 8 characters long, and many would argue considerably longer. And, a password should only be used in one place. So, a complex and unique password is required for each site.
So, what happens in practice of course, is that password security often gives way to password convenience. Let’s face it, we’re all employed to work. That’s what we’re there for. And so, to spend your day remembering and managing lots and lots of passwords and keeping them up to date, just gets in the way.
So, people being people, naturally, they tend not to bother.
The worst passwords
Let’s look at some of the worst passwords. Splashdata do an annual survey of the “Worst Password List”.
This is sourced from around 5 million stolen passwords that can be obtained on the internet.
Let’s look at the top ten from the 2016 results.
Good old, “one-two-three-four-five-six”.
No surprise, “password”.
Just a bit shorter, “one-two-three-four-five-six-seven”.
There are three variations of the word “password” in the top 25 in the list. Star Wars themes were very popular. So were words like “princess” and “solo”.
Look at the left of the keyboard there. You’ll see “zaq1”. That’s a popular pattern.
Numerical patterns are very popular. Six of the top ten in that list were numerical patterns.
In that stolen list, over 10% of the people used one of the worst passwords. Nearly four percent of the entire list was the actual worst password, “one-two-three-four-five-six”.
Are such weak passwords convenient? Sure! Are they secure? Certainly not!
So why do people use these passwords?
So what’s it like here in the UK for an office worker? Well, over a quarter of us have to enter our passwords more than ten times a day. If you multiply this up, that’s three and a half to four thousand times a year. It’s no wonder that people get very frustrated.
According to Centrify, the average person has 19 passwords and 21 online profiles.
One in six admit to screaming and shouting if a password is forgotten. I’m guilty of this one. One in seven of us moan about our passwords. Some people admit to running off, slamming the door and banging their heads on the desks. 2% say they go to the pub and 20% of people claim that they have no problem at all in remembering their passwords. Unfortunately, I don’t fall into this group.
There are several types of common password attacks. Let’s look at the main ones.
- Brute-force attack. This is a program that tries all possible password combinations, starting with the easiest to guess passwords.
- Dictionary attack. Here, a program tries a combination of common words.
- Keylogger attack. This is where actual user keystrokes are captured, including login IDs and passwords.
A look at Brute-force attacks
The brute-force attack on passwords is a popular cracking method. This approach is a ‘hit and try’ until successful. This type of attack can take a long time, but has a high success rate.
There are a number of readily available password cracking tools. For example, there’s the commercial L0phtCrack 7, a brute-force password cracker.
It claims to be able to crack an eight-character, alphanumeric Windows 10 password in around two hours. Another is John the Ripper, a popular open source password testing and breaking program. When used in brute-force mode, it tries the most frequently used characters first.
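To show the defender’s side of the attacks just described, here is an added Python example (not from the course or any tool it mentions) that screens a candidate password against a small constructed stand-in for the worst-password list, the numerical and keyboard patterns from the lecture, and a worst-case exhaustive-search time estimate. The list contents, the keyboard-pattern set and the guess rate are assumptions chosen for illustration.

```python
import string

# Constructed stand-in for the kind of entries the lecture quotes from the
# SplashData list; this is placeholder data, not the real survey list.
WORST_PASSWORDS = {"123456", "password", "1234567", "princess", "solo", "zaq1"}

# Assumed set of keyboard-column patterns like the "zaq1" example.
KEYBOARD_PATTERNS = ("zaq1", "xsw2", "cde3", "qaz", "wsx", "qwerty")

# Assumed offline guess rate used only for the time estimate.
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the smallest standard character-class set covering pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust every string of pw's length and charset."""
    return charset_size(pw) ** len(pw) / rate


def screen_password(pw: str) -> list:
    """Reasons this password would fall quickly to the attacks in the lecture."""
    reasons = []
    low = pw.lower()
    if low in WORST_PASSWORDS:
        reasons.append("on worst-password list (dictionary attack)")
    if pw.isdigit():
        reasons.append("numerical pattern")
    if any(p in low for p in KEYBOARD_PATTERNS):
        reasons.append("keyboard pattern")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if brute_force_seconds(pw) < 24 * 3600:
        reasons.append("exhaustive search under a day")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "password", "zaq1zaq1zaq1", "Tr0ub4dor&3"):
        print(candidate, "->", screen_password(candidate) or ["no obvious weakness"])
```

An empty result only means the password avoids the weaknesses the lecture names; it is not proof of strength.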
This is a preview lecture from our online course ‘Information Security Awareness’, for the full course please visit https://chl.thinkific.com/courses/information-security-awareness