How many variations of "qwerty" and "1234" can you think of?
I am quite surprised at how inventive people can be when it comes to the thinking up weak passwords. The obviously weak combinations like '1234' or 'qwerty' along with names and phone numbers are quite common parts of passwords.
The story begins with me fighting a familiar piece of malware, Bicololo, which is spyware designed to steal the identity from users of Russian social networks. A routine task you might say. This time the authors were less cautious with settings on their rogue servers, so I managed to get hundreds of freshly-stolen credentials. What to do with them? The first thing I tried was contacting support of the affected social network to get users warned and passwords reset. Unfortunately, my effort met no success there; they did not even bother to answer my mail! So instead of getting to warn hundreds of innocent users on the Russian social network, I used this unique opportunity to analyze the habits users have regarding their passwords and share it with our AVAST readers.
Once I cleaned up the data, I received about 850 unique combinations of username-password pairs. This is not enough variants for the results to be widely representative. The data was obtained from a rather specific group of (less experienced) users whose lack of knowledge allowed their computers to be infected. I expect the general reality to be a bit better than my results. Though my findings are not scientifically-correct, they can give us some insight into the problem and show us examples we should avoid while choosing our passwords.
I will not deliberately name the targeted service though I will describe which credentials it utilizes. The username can be an email address or a phone number. You have to supply both of them when you register, and they make you confirm them. Once you try to log-in from some unusual location, they want you to provide some additional information to be sure it is really you. This is a good security feature. What is less positive is the fact, that this additional information is the phone number again. A majority of people (69%) in the hijacked data used their phone number as the username. So for the majority of stolen accounts, attackers can log-in without any trouble.
Let us start from the worst cases and make our way to the better ones. The most terrible finding was that some users (less than 1%) used the same text they used as user names as their password. Please, avoid this any time.
Other avoidable passwords were home-addresses and emails. Obviously, using any information which is a common knowledge about you is not a good idea. Luckily, these cases have a really low occurrence less than 1%.
About 4% of users have strictly numerical passwords with lengths mostly about 7 or 11 characters. These were common number combinations like 123456789, 987654321, 147258369 or 332211, birth-dates and Russian phone numbers. The worst password I saw in this category was 11111. It is obvious that such passwords will not protect you.
Another 5% of users have as their password a simple common word, such as a name or trademark like samsung, lenovo, or adidas. Another person used just a bunch of letters as rrrrrr or some well-known domain name as mail.ru.
Next 10% uses different variations of qwerty and 1234 inside their password like qwerty123456, qwerty[year] or 1234[(nick)name]. While this might not be obvious for many internet users, the bad guys know this habit and they have dictionaries loaded with these kind of passwords to easily crack many of such accounts.
As stated in one of my favorite XKCD about password strength, the only factor that really matters is the password length. From this point of view 44% people use weak passwords and some 28% use what we may consider good and strong passwords.
Though there are several examples of long and really good passwords present, I was quite surprised that only one included a space. As stated in the XKCD, for years we have been using passwords which are hard for us to remember and easy for the computer to guess. Why don't we use several simple words, or a sentence, instead? It is much easier to remember and stronger than most of the passwords from the hijacked password database. Still no one seems to be doing it. Sometimes even IT administrators go against this trend when forcing users to choose terrible passwords by their validation. Recently I argued with my online bank about this. They force you to use 2 digits in the password but do not allow a single space.
For the further reading about the topic of strong passwords, I recommend you to read Six tips to bombproof your password or one of our older blog-posts How to create a secure password (the not-boring way) or LinkedIn and eHarmony passwords databases leaked.
Why do the bad guys do this? It takes serious effort to hijack accounts. Obviously, the reason is not to get the photos of your vacation. Since money is behind almost anything, the right question is what profit can the attacker have from the stolen account?
There are definitely many ways of turning these data into money, but one of them is worth highlighting here. Research shows that password reuse is common trend (about 50%). It is likely that your password for a social account is being used for your bank account too, so this means that the bad guys can steal your money much easier. Therefore do not use the same passwords for different places, especially for really important services.
If you are having trouble memorizing all the different passwords you need to keep, I would recommend you try our secured EasyPass solution which does the job for you.
If you find yourself using some of the weak password patterns I was talking about, please update them to something stronger (longer). And remember, never tell your password to anyone, especially do not send it by phone or mail. While avast! Antivirus will provide you with protection against various attempts to steal your accounts, you can never be too cautions.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.