In my recent theme of breaking common cybersecurity myths, I have been revealing some commonly held beliefs that even cybersecurity professionals will stand by. Today, I will look at the “most common passwords” and challenge whether they really are as common as we are told.

Most common passwords

A quick Internet search will bring up lists of commonly used passwords, and the most frequently used include:

  • password (and various variations with character substitution and appended numbers)
  • 123456 (and other sequential numeric variations, including patterns like “111111” and “abc123”)
  • qwerty (and other variations of sequential keyboard patterns, including “a1b2c3d4” and “qazwsx”)
  • guest (and others such as “admin” or “super[visor]”)
  • iloveyou
  • letmein
  • monkey
  • princess
  • adobe
  • dragon

The lazy use of sequential keyboard characters and variations on the word “password” shows the frailty of human imagination, and an inability to make up a good password. Or does it? The interesting ones that caught my attention are the real-word samples. In particular, “adobe” and “letmein” – I’ll explain a bit more about these.

How do we know people’s passwords?

So, this gets me thinking about how we know what the most common passwords are. When a user submits a new password or a password change, most modern systems immediately hash it (a one-way transformation, often loosely described as “encrypting” the password), so the password itself is never stored, or even transmitted, in a human-readable form. So how do we know what the password is? The answer is that it comes from hacks – someone breaking into the system to extract the stored password hashes and then working out the passwords behind them.

It could either be a brute-force attack, trying every combination of characters against the hashed version of the password, or a ‘dictionary’ attack, where each word in a ‘dictionary’ of common passwords is tried one by one to see whether it produces a matching hash. The hackers will then have a list of passwords that work – and they sell that list on the Dark Net. However, would the hackers sell a database with un-cracked passwords? There could be complex password combinations that are very common, but are not in any password dictionary and are too complex to crack in the time that the hacker is willing to spend.


Strange “common” passwords

In the password dumps that we are shown, real-word passwords are exposed. So, apparently, there are hundreds of thousands of people who use the password “adobe”. I want to challenge that, by looking at the source of the password dumps and also at the low imagination that people have when coming up with a password.

In years gone by, particularly before MFA became prevalent, online websites were hacked regularly and massive user databases were stolen. One victim that was frequently in the press was Adobe – at times it seemed that they were being hacked every month. Other victims, such as AOL and Yahoo!, suffered massive data breaches too, and breaches like these continue to this day.

So, this is why it catches my attention that a “common” password is the word “adobe” – and also “letmein”.

Survivorship bias

Before digging into the content of the passwords that were stolen, I want to mention a concept that may help to explain why these password dump lists are treated as a valid authority on the most commonly used passwords.

In World War 2, the military wanted to stop more planes from being shot down, so they examined the damage on planes that had returned from combat to see where armour could be added. The holes (shown in red) were on the planes that survived, but Abraham Wald pointed out that these areas could tolerate damage, because those planes had made it back. He identified that the parts of the returned planes that were not damaged may be the very reason they returned at all.


So, to link this to password dumps – the cracked passwords are reported, but not the secure passwords that could not be broken. The simple, easy passwords are the ones being broken, but are they really used more often and by more people?

I really don’t care

Extrapolating this further, consider the password that people choose for a website login. There are a lot of passwords that we need to remember, and people are not very inventive when trying to think of a secure one. So, human nature is that a person will choose a simple password for a site that they don’t really care about. On sites where losing access has no financial or reputational impact, many people will use a simple, easy password. For them, the annoyance is the biggest factor – and they would probably just re-create the account if they lost access.

So, this skews the “most common” lists towards basic, easy passwords. Not only are these websites hacked more easily and more frequently, but people’s choice of passwords for them is also more likely to be low-effort.
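To make the skew concrete, here is an added simulation (my own illustration, not code from the original post) that walks through the process described under “How do we know people’s passwords?” and then measures the bias. It constructs a hypothetical site population with invented counts, stores only salted PBKDF2 hashes (standing in for the “encrypted” passwords), recovers whatever a small constructed guess list can match, and then compares the “most common” list computed from the cracked subset against the true distribution. The population, the counts and the guess list are all made up for the example.

```python
import hashlib
import os
from collections import Counter

# Constructed population: password -> number of users of a hypothetical site who chose it.
# The counts are invented for illustration and come from no real breach.
TRUE_POPULATION = {
    "password": 40,
    "123456": 35,
    "letmein": 20,
    "adobe": 15,                          # site-name style password, as the post discusses
    "Tr0ub4dor&3-correct-horse": 120,     # strong passwords: the majority in this made-up site
    "wKz9$Lp!qR2m#vXe": 90,
    "Sunflower-Meadow-2019!": 60,
}

# Small constructed "dictionary" of guesses, standing in for a real wordlist.
GUESS_LIST = ["password", "123456", "qwerty", "letmein", "adobe", "monkey", "dragon"]


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of a password (PBKDF2-HMAC-SHA256, 1000 iterations).
    A site stores this, not the password, so a breach yields hashes that
    have to be 'cracked' one guess at a time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def build_breach_dump(population):
    """Create the stolen database: one (salt, hash) row per user.
    Also returns the true password behind each row, for the simulation only;
    a real attacker never sees this column."""
    rows, truth = [], []
    for pw, count in population.items():
        for _ in range(count):
            salt = os.urandom(16)
            rows.append((salt, hash_password(pw, salt)))
            truth.append(pw)
    return rows, truth


def dictionary_crack(rows, guesses):
    """Hash each guess with each row's salt and keep only the passwords that matched.
    Everything that is not in the guess list stays invisible to the statistics."""
    recovered = []
    for salt, digest in rows:
        for guess in guesses:
            if hash_password(guess, salt) == digest:
                recovered.append(guess)
                break
    return recovered


def top_passwords(passwords, n=3):
    """Return the n most frequent passwords in a list."""
    return [pw for pw, _ in Counter(passwords).most_common(n)]


def compare(population=TRUE_POPULATION, guesses=GUESS_LIST):
    """Contrast the 'most common passwords' seen in a cracked dump with what users really chose."""
    rows, truth = build_breach_dump(population)
    cracked = dictionary_crack(rows, guesses)
    return {
        "users": len(rows),
        "cracked": len(cracked),
        "top_true": top_passwords(truth),        # what the population actually uses most
        "top_reported": top_passwords(cracked),  # what a "most common passwords" list would show
    }


if __name__ == "__main__":
    result = compare()
    print(f"{result['cracked']} of {result['users']} hashes cracked")
    print("true top 3:    ", result["top_true"])
    print("reported top 3:", result["top_reported"])
```

In this constructed site, strong passwords outnumber weak ones by more than two to one, yet the “reported” list contains nothing but the weak ones, because only they were recoverable from the hashes. That is the survivorship bias the post describes: the statistic is computed over the passwords that fell, not over the passwords in use.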

Caveat

Obviously, I am not trying to say that the password lists are wrong or that no-one uses bad passwords; I am saying that the results are potentially skewed. We still need to inform people that the awful simple passwords are no good, and that they should definitely not use the same password on multiple sites. However, there is another potential fallout – the average person thinking that their password is more secure than other people’s, because they have decided not to use “password” or “12345678”.


Conclusion

So, do people really use bad passwords extensively? Or is it really that the poorly managed and hacked systems contain low-effort passwords because their users do not care? We will never know the most common passwords actually in use in the world, only the ones that were cracked.
