The problem of passwords won’t go away. Weak or default passwords contributed to a third of the data compromises Trustwave investigated in 2013.
IT administrators might try to elicit better password choices by enforcing password requirements, but users still find ways to satisfy those requirements without actually creating stronger passwords.
The testers began with a simple dictionary attack using an automated tool and a word list created from last year’s password study. Within just a few minutes, they recovered 53.97% of passwords within the sample.
“Password1” was the password the team came across most often in this year’s analysis, with Hello123, password, Welcome1, banco@a, training, Password123, job12345, spring and food1234 rounding out the top 10.
It also found that password length followed a pattern similar to the one discovered last year, peaking at the minimum standard of eight characters.
The predictability of password choice also showed itself in the composition of cracked passwords. In both 2013 and 2014, combinations including uppercase letters, lowercase letters and numbers were most common.
Even the sequencing of those character types follows a predictable pattern. A sequence of six lowercase letters followed by two numbers led 2013’s study at 10% of cracked passwords. The same sequence topped the list in this year’s analysis.
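The gap between satisfying password requirements and choosing a strong password can be checked directly. The following Python sketch is an added example, not code from the Trustwave study: it audits a candidate password against the top 10 list above and the six-lowercase-plus-two-digits composition. The complexity rule (at least 8 characters and 3 of 4 character classes) and the sample password `summer14` are assumptions made for illustration.

```python
from itertools import groupby

# Top 10 passwords as reported in the article above.
TOP10 = ["Password1", "Hello123", "password", "Welcome1", "banco@a",
         "training", "Password123", "job12345", "spring", "food1234"]

# Composition the article says led both years: six lowercase letters + two digits.
PREDICTABLE_MASKS = {"l6d2"}

def char_class(c):
    """Map a character to l(ower), u(pper), d(igit) or s(ymbol/other)."""
    if c.islower():
        return "l"
    if c.isupper():
        return "u"
    if c.isdigit():
        return "d"
    return "s"

def mask(pw):
    """Run-length encoded class sequence, e.g. 'summer14' -> 'l6d2'."""
    return "".join(f"{k}{len(list(g))}" for k, g in groupby(pw, key=char_class))

def meets_complexity(pw, min_len=8, min_classes=3):
    """Assumed policy (not from the article): length plus N of 4 classes."""
    return len(pw) >= min_len and len({char_class(c) for c in pw}) >= min_classes

def complexity_passers(passwords=TOP10):
    """Passwords from the list that the assumed complexity rule accepts."""
    return [p for p in passwords if meets_complexity(p)]

def audit(pw, denylist=frozenset(p.lower() for p in TOP10)):
    """Return the reasons a password should be rejected (empty list = accepted)."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails complexity")
    if pw.lower() in denylist:
        reasons.append("on common-password list")
    if mask(pw) in PREDICTABLE_MASKS:
        reasons.append("predictable composition")
    return reasons

if __name__ == "__main__":
    print("pass complexity anyway:", complexity_passers())
    for pw in TOP10 + ["summer14"]:  # 'summer14' is a constructed sample
        print(f"{pw:12} {mask(pw):10} {audit(pw) or 'accepted'}")
```

Four of the ten most common passwords clear the assumed complexity rule, so only the common-password list check rejects them.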