Passcodes, Passwords, and Stereotyping
An updated and expanded article originally published on ITsecurity UK and no longer available there.
When Heimdal used to ask me and various other security people for input on interesting questions, one of the questions they asked was:
What is the biggest mistake that users make when it comes to protecting their online assets?
I was and am reluctant to talk about 'mistakes' – it's too easy to blame end users if they make decisions affecting their own security that the security industry doesn't consider to be well-founded. The unfortunate fact is that the media – online and otherwise – and the Internet at large are sources of immense volumes of advice of very variable quality. (Just check out practically any online forum!) So you could argue that the 'biggest mistake' is not reading 'stuff' on the internet with a suitably critical eye. But if the population at large is insufficiently sceptical and versed in critical thinking, isn't that an educational failure rather than user error?
Even when we come to address the specific issue of online assets, there are far too many issues for me to venture an opinion as to which is the most vital or damaging. However, there are certainly many issues with a connection to authentication. Research by Mark Burnett published in 2008 suggests that
“…Approximately one out of every nine people uses at least one password on the list shown in Table 9.1! And one out of every 50 people uses one of the top 20 worst passwords.”
(“Table 9.1” is the 'Top 500 Worst Passwords of All Time' from Burnett's book Perfect Password: Selection, Protection, Authentication. The same table is, however, reproduced here.)
As it happens, last night I saw a 2024 edition of Have I Got News For You that featured the top ten over-used passwords in the UK at that time. I don’t have a link to that table, but I did notice that it included many of the passwords in the top 20 of Burnett’s list, including (if I remember correctly) ordered ranges of numbers like 1234, 12345, 123456, 1234567, 12345678 (if not all those examples); password; qwerty; letmein; and abc123. Some of the other examples in that top 20 are probably more common in the US, but it seems safe to conclude that the worst offenders haven’t changed much over recent decades. A top 20 Splashdata table quoted here indicates that between 2018 and 2019 there were many small changes of position and minor variations on passwords that were already widely used in 2008. I don’t know how much of his own research in this area Burnett has published since he published 10,000,000 password/username pairs in 2015 (recklessly, you may feel), but there is a substantial body of research in the same area listed here.
Research on PINs is less copious, but it's been suggested that the ten most-used passcodes accounted for 15% of the set of passcode samples acquired some years ago by Daniel Amitay. As you might expect, some of the problems are slightly different with 4-digit PINs, where memorization is more often tied to keyboard layout. However, because of the restricted nature of the character set, there is an issue that is less pressing with mixed-character passphrases. A randomized string like pC9>#05hkhJ*£V may be unpleasant to read and impossible to remember (but that's the advantage of password management software). It is, however, random enough to significantly reduce its vulnerability to several kinds of attack. Still, as I've observed elsewhere:
Randomization is no guarantee of security. Indeed, randomization will sometimes give a bad PIN like 0000. You can use algorithms that are essentially pseudo-random but which are weighted to exclude the top n PINs, of course, but I don’t know if any service does that.
When I was actively researching password- and PIN-related issues (using, in part, Amitay's dataset), I became increasingly frustrated to keep coming across journalists publishing lists of the 10 worst passwords (or at best the 25 worst passwords). You might think that a little odd, after quoting lists like Burnett's of stereotyped passwords, but I actually prefer to focus on how people can improve their password/passcode creation strategies, rather than flagging a handful of the very worst passcodes. For instance:
Avoiding all the most popular (i.e. overused) passwords is safer than using any password that happens to be in the top 10, or indeed in the top 100, or even the top 10,000.
Passphrases and PINs consisting of a single character repeated are all but useless.
A numeric or alphabetic series ascending (or descending) incrementally (12345, 56789, 987654, abcdef, zyxwvut, jklmnopq) is at risk from a guessing attack, a dictionary attack, or an algorithmic attack, and combining two such series (abc123, zxy987) is almost equally open to attack.
Any password consisting of a word found in a dictionary is easily and quickly cracked. Passphrases may take more time, but cracking software is increasingly likely to include English sentences used as passphrases, especially material such as well-known quotations. Remember also that the wordlists used in such attacks will include known overused strings that aren't real words.
Passwords with a sexual connotation or using swearwords are very widely used, and therefore highly vulnerable to a guessing or dictionary attack.
But avoiding stereotyped passwords is only adequate protection if the authentication mechanism is well-implemented and the provider is doing a good job of protecting authentication data on its own systems.