How To Make Passwords Easy to Crack
To choose a password that’s likely to stand up to attack, wouldn’t it help to know the most common tricks that bad actors beat consistently? Here’s a postcard-size reference to what makes a password easy to crack. It puts you in a better position to choose the safest password – one that has never been used before.
Human ingenuity can prevail over bad actors and even artificial intelligence; here are some tips to put you ahead in that match of wits.
Drawn from trends that security researchers have found in cracked passwords, together with the patterns most people follow when constructing passwords, these are the tricks that don’t work because they’re exactly what bad actors target. Avoid these motifs and you’re on your way to better protection.
Why is it useful to know common password patterns?
Bad actors want to know common passwords and password patterns so they can crack them. For criminals, it’s a big payday for relatively little effort. One cracked password can be used again and again.
To outwit the bad actors, avoid the most common patterns. To do this, it’s great to know what they are.
What are some examples of patterns to avoid?
A lot of people think they’re using unique passwords when, really, they’re using a “transformation password” which changes a few characters but still leaves a pattern that’s easy to crack.
Common variations include:
- Using a core password (our examples use “Pswd”) and adding the name of each vendor ex: PswdAmazon1!, PswdNetflix1!, PswdMyBank1!, PswdElectric1!, PswdRent1! etc.
- Using a core password and adding a timestamp ex: PswdJan0), PswdMar0), PswdMay0), PswdJuly0)
Transformations are predictable, so they’re easy to pattern match, and that makes them easy to crack.
Transformations are often the result of requirements to change a password frequently. Bad actors know this; they have incentive to take advantage because the practice is widespread.
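As an added illustration (not code from the post or from SecuriThink), here is a small Python screen that spots the transformation pattern above across one user's set of passwords: it finds the shared core and checks whether what follows is a vendor name or a month. The service and month lists and the sample passwords are constructed for the demo.

```python
import re
from os.path import commonprefix

# Constructed sample set of one user's passwords (not real credentials):
# the "core + vendor" and "core + timestamp" motifs described above.
SAMPLE_PASSWORDS = ["PswdAmazon1!", "PswdNetflix1!", "PswdMyBank1!",
                    "PswdJan0)", "PswdMar0)"]

# Hypothetical short lists; a real screen would use much larger ones.
SERVICE_NAMES = {"amazon", "netflix", "mybank", "electric", "rent"}
MONTHS = {"jan", "feb", "mar", "apr", "may", "jun", "june", "jul", "july",
          "aug", "sep", "sept", "oct", "nov", "dec"}

def shared_core(passwords, min_len=3):
    """Longest common prefix of the set, or None if there is no real shared core."""
    core = commonprefix(list(passwords))
    return core if len(core) >= min_len else None

def classify_suffix(suffix):
    """Name the motif a suffix follows, or None if it is not one we know."""
    # Drop the trailing digits/specials ("1!", "0)") added to satisfy complexity rules.
    word = re.sub(r"[^A-Za-z]+$", "", suffix).lower()
    if word in SERVICE_NAMES:
        return "vendor name"
    if word in MONTHS:
        return "timestamp"
    return None

def find_transformations(passwords):
    """Return {password: motif} for every password that is core + known suffix.
    An empty dict means no transformation pattern was found."""
    core = shared_core(passwords)
    if core is None:
        return {}
    findings = {}
    for pw in passwords:
        motif = classify_suffix(pw[len(core):])
        if motif:
            findings[pw] = f"core {core!r} + {motif}"
    return findings

if __name__ == "__main__":
    for pw, why in find_transformations(SAMPLE_PASSWORDS).items():
        print(f"{pw}: {why}")
```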
Are there common patterns for numbers or special characters in passwords?
Many password fields are set to require at least one number. It turns out that the most common numbers people use are: 9, 0, and 1 in that order. To defeat this pattern, simply choose different numbers as often as you can.
The most common position of numbers and special characters is
3) between words
So, look for ways to put your numbers and characters in other positions.
The most commonly used special character is an exclamation mark! Next most common is @. Many other characters are just as easy to type; pick something else to make your passwords stronger.
What about using numbers and special characters in place of letters?
Substituting characters, sometimes called “Elite speak” from its origin with technical “elites”, is now a widely known trick and the bad actors are onto it.
The graphic for this post includes a substitution table taken from Wikipedia, so this is public information. Frequently the character substitutions just make a password harder for a human to remember and harder to type while providing little or no extra protection from password cracking.
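Added example, not from the post: a Python check that applies the motifs from the last three sections to a single password. It undoes the substitution table (a constructed subset of the one in the graphic), looks for dictionary words in the result, and flags passwords that use only the digits 9, 0 and 1, only ! and @, or keep their non-letters between letter runs or as a trailing block (the trailing block is a generalization beyond what the post lists). The wordlist is a constructed stand-in.

```python
import re

# Constructed subset of the substitution table the post's graphic shows; a real
# screen would carry the full table and a much larger wordlist.
LEET = str.maketrans({"4": "a", "@": "a", "8": "b", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})
WORDLIST = {"password", "pswd", "secret", "letmein", "welcome", "summer", "dragon"}
COMMON_DIGITS = set("901")        # the post's 9, 0 and 1
COMMON_SPECIALS = set("!@")       # the post's ! and @

def unleet(pw):
    """Undo the substitutions so 'P@55w0rd!' reads as 'passwordi'."""
    return pw.translate(LEET).lower()

def contains_dictionary_word(pw):
    """True if the de-substituted password contains a wordlist entry of 4+ letters."""
    text = unleet(pw)
    return any(w in text for w in WORDLIST if len(w) >= 4)

def weak_motifs(pw):
    """List the motifs from the post that this password follows (empty = none)."""
    motifs = []
    if contains_dictionary_word(pw):
        motifs.append("dictionary word once substitutions are undone")
    digits = set(re.findall(r"\d", pw))
    if digits and digits <= COMMON_DIGITS:
        motifs.append("only the most common digits (9, 0, 1)")
    specials = set(re.findall(r"[^A-Za-z0-9]", pw))
    if specials and specials <= COMMON_SPECIALS:
        motifs.append("only the most common specials (! and @)")
    # Letter runs of 2+ with non-letters only between them or as a trailing block.
    usual_spots = re.fullmatch(r"[A-Za-z]{2,}(?:[^A-Za-z]+[A-Za-z]{2,})*[^A-Za-z]*", pw)
    if usual_spots and re.search(r"[^A-Za-z]", pw):
        motifs.append("numbers/specials only between words or at the end")
    return motifs

if __name__ == "__main__":
    for pw in ["Welcome19!", "P@55w0rd!", "xK7#mQ2pZ^v"]:
        print(pw, "->", weak_motifs(pw) or "no listed motif")
```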
What about the other patterns on the infographic?
- Social engineering gets a lot of press for good reason. Using names, words, numbers or anything else that can be associated with you, from an address or phone number to your mother’s maiden name, is well known to be an open door for password guessing, let alone for a bad actor with a fast computer and access to social media.
- Rude, vulgar or swear words are the ones criminals try first. Draw your own conclusions.
- Consider all real words and proper nouns of people and places to be suspect. This is a lazy, but effective, way to get the results of social engineering by using computer power instead of research. The term “Dictionary cracking” means bad actors load entire dictionaries, in all languages, into their database of patterns to check. They also load atlases, books of baby names, etc.
- Pop culture names and phrases, your favorite teams, performers or books, along with anything in the headlines, are ripe for attack. These patterns are imprinted on a large number of minds so they make their way into a large number of passwords. This makes them attractive bait for bad actors to find in password patterns.
How do bad actors try so many passwords without getting locked out?
Jeremi Gosney, an internationally recognized password cracking expert, explains [1]: “Typically, when we talk about password cracking, we’re talking about offline password cracking, which is where someone has obtained a copy of a password database.
The passwords in the database are almost never in plain text (text humans can read with their eyes). They’re scrambled using what’s called a hash function. The only way to crack a password is essentially to play a guessing game, where you run password guesses through the same hash algorithm that was used to produce the hashes in the database, and you compare the results. If you end up with two hash values that are the same, then we know what the password was.”
This is why patterns are so important and why common patterns are more easily cracked: the criminals are looking for a pattern match.
Our strategy, then, includes avoiding obvious patterns whenever possible but that’s not the whole strategy, just part of it.
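The hash-then-compare step Gosney describes is the same one a defender can use to enforce “never used before”: hash the candidate and look it up in a corpus of hashes of already-cracked passwords. Added Python example, not from the post; it goes beyond the post by using the prefix-bucket (k-anonymity) lookup that breached-password services use so the full hash never leaves the client, and the corpus is constructed for the demo.

```python
import hashlib

def sha1_upper(password):
    """Same input, same digest: the comparison is on hashes, never on plain text."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a corpus of already-cracked passwords, stored as
# hash -> how many times it has been seen. Entries and counts are made up.
CRACKED_CORPUS = {
    sha1_upper("PswdAmazon1!"): 3,
    sha1_upper("Summer2019!"): 120,
    sha1_upper("P@55w0rd!"): 45,
}

def range_bucket(prefix5, corpus):
    """Server side of the lookup: return every hash suffix in the corpus whose
    first five hex digits match. The server learns only the prefix."""
    return {h[5:]: n for h, n in corpus.items() if h.startswith(prefix5)}

def times_seen(candidate, corpus=CRACKED_CORPUS):
    """Client side: hash the candidate, fetch its prefix bucket, and compare the
    remainder locally. Returns how often the password has already been cracked."""
    digest = sha1_upper(candidate)
    bucket = range_bucket(digest[:5], corpus)   # only digest[:5] is sent
    return bucket.get(digest[5:], 0)

def screen(candidate):
    """Policy decision: reject anything that has ever been cracked before."""
    n = times_seen(candidate)
    return ("reject", n) if n else ("accept", 0)

if __name__ == "__main__":
    for pw in ["PswdAmazon1!", "xK7#mQ2pZ^v"]:
        print(pw, screen(pw))
```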
What makes the safest password?
The safest password is one that has never been used before and is only used for a single account.
How is that humanly possible?
Follow this series to take that journey one step at a time. We’re going to cover:
- SecuriThink Enhanced Acronym passwords – for times when you must rely on memory
- SecuriThink Password Staircase – a path to gradually raise the bar on your password game
- Passwords as a mental health break – to keep a positive perspective on what can seem a chore
- This reference card is one of four images printed in a high-quality postcard-size set. If interested in the printed version, contact us at Hello@SecuriThink.com for more information.
- Sign up to be notified when new Field Notes are posted so you don’t miss any of the good stuff we have coming, including the series mentioned above. We also post on making the business case for cybersecurity and Cybersecurity Maturity Model Certification (CMMC).
- If you have comments, please join the discussion on the relevant LinkedIn post.
- [1] Lessons from a Professional Password Cracker. 2022. https://themarkup.org/newsletter/hello-world/lessons-from-a-professional-password-cracker
- [2] Most common passwords: latest 2022 statistics. 2022. https://rockit.cloud/2022/08/03/most-common-passwords-latest-2022-statistics/
- [3] Most Frequently-Used Special Characters in 10 Million Passwords. Max Woolf. 2014. https://www.reddit.com/r/dataisbeautiful/comments/2vfgvh/most_frequentlyused_special_characters_in_10/
- [4] Choosing Secure Passwords. Bruce Schneier. 2014. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html