Users are terrible at passwords and the problem is only getting worse, according to an expansive study of more than 100 million passwords and their owners.

Most security experts agree that passwords are a poor security mechanism. What's even worse: We're really bad at passwords. That's the conclusion of a study that looked at 28.8 million users and their 61.5 million passwords in 107 services over 8 years.

The password study by researchers at Virginia Tech found that slightly more than half of all users reused passwords or used slight modifications of passwords across a range of accounts. Password reuse, a major "no-no" among security experts, is considered a major factor in easy-to-hack user authentication schemes.

The news actually gets worse from that bad beginning. The passwords in use were so weak that more than 16 million password pairs (30% of the modified passwords and all the reused passwords) can be cracked within just 10 guesses. And there's worse to come: accounts dealing with sensitive data, from financial records to email, were more likely to receive repeated and reused passwords than less critical sites.

Researchers at Dashlane took anonymized data from the set used by the Virginia Tech team and looked for trends and patterns in the bad passwords. They found evidence of trends, patterns, brands and romance in the password store, all of which make passwords easier for criminals to predict and crack.

Perhaps unsurprisingly, the names of popular sports teams (which rise and fall according to their on-field results) and consumer brands find their way into passwords. The researchers were a bit more surprised by the pervasiveness of "keyboard walking" in forming passwords.

Don't let your fingers walk

Keyboard walking occurs when a user lets their fingers walk across a row of keys on the keyboard. "asdfg", "qwerty", and "12345" are all examples of keyboard walking. In each case, the resulting string is an easily guessed password.

Users slightly less lazy (or slightly more security savvy) move to variations on keyboard walking, including "1q2w3e4r" and "1qaz@wsx". The notable thing about most of these walking passwords is that they can be typed with the fingers of the left hand only — and typed without ever moving the hand or shifting the fingers. That tendency limits the combinations and makes the passwords subject to relatively easy brute force cracking.
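As a defender-side illustration of the keyboard-walk patterns described above, the following added example (not code from the Virginia Tech or Dashlane studies) shows how a registration-time password check could flag strings built from runs of physically adjacent keys on a US QWERTY layout. The function names, the `min_run=4` threshold and the left-hand column boundary are assumptions made for illustration.

```python
"""Flag keyboard-walk passwords on a US QWERTY layout (added example)."""

ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ['!@#$%^&*()_+', 'QWERTYUIOP{}', 'ASDFGHJKL:"', 'ZXCVBNM<>?']

# Map every typeable character to the (row, column) of its physical key,
# so "@" and "2" resolve to the same key.
KEY_POS = {}
for r, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = KEY_POS[s] = (r, c)

LEFT_HAND_MAX_COL = 4  # assumed touch-typing split: 1-5, q-t, a-g, z-b


def _adjacent(a, b):
    """True if a and b are the same key or physical neighbours."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:
        return False  # characters off the layout always break a walk
    dr, dc = pb[0] - pa[0], pb[1] - pa[1]
    if dr == 0:
        return abs(dc) <= 1
    # Rows are staggered: the key below sits at the same column or one to
    # the left; the key above sits at the same column or one to the right.
    return abs(dr) == 1 and dr * dc in (0, -1)


def walk_segments(password):
    """Split a password into maximal runs of neighbouring keys."""
    segments = []
    for ch in password:
        if segments and _adjacent(segments[-1][-1], ch):
            segments[-1] += ch
        else:
            segments.append(ch)
    return segments


def is_keyboard_walk(password, min_run=4):
    """True if the whole password consists of walks of >= min_run keys."""
    segments = walk_segments(password)
    return bool(segments) and all(len(s) >= min_run for s in segments)


def left_hand_only(password):
    """True if every character sits on a left-hand key."""
    return bool(password) and all(
        ch in KEY_POS and KEY_POS[ch][1] <= LEFT_HAND_MAX_COL for ch in password)
```

With the assumed `min_run=4`, "1qaz@wsx" is caught as two four-key column walks, while a walk followed by a shorter run (such as three trailing digits) is not; lowering `min_run` widens the net at the cost of more false positives.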

According to a study by Visa, one of the reasons we're so bad at passwords is that we hate them. A lot. According to the Visa study, only about 1/3 of users follow the recommended practice of having a unique password for each online account. Almost two-thirds say that they have multiple passwords but share some passwords among accounts, while only about 7% admit to having a single password for every account they use.

The consequences of complex passwords

In a keynote session at last week's CNP Conference, Jamie Uppenberg, director of digital products at Discover Global Network, said that the goal for online authentication and transactions, including those with passwords, is simple: "You want the purchase to be as forgettable as possible, as delightful as possible. Authentication is key and not many people are doing it well."

Remembering and typing unique strong passwords makes for a high-friction transaction, and in the context of purchases, high friction is not forgettable.

At the same conference, Scott Adams, a CNP fraud and risk expert, said that an unintended consequence of requiring passwords that go beyond the easily remembered (and cracked) may be more fraud. "Provide the payment methods/features your customers want. If you don't, fraudsters will."

Adding to the tools fraudsters are able to employ are the huge stores of compromised login credentials stolen and shared among criminals in the last few years. "The Next Domino To Fall: Empirical Analysis of User Passwords across Online Services", by Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang of Virginia Tech contains this surprising pair of facts: "More than 70% of the users with reused passwords are still reusing the leaked passwords 1 year after the initial leakage. 40% of users are still reusing the same passwords leaked 3 years ago."

Beyond bad passwords

Moving beyond passwords for user authentication remains a technological and economic challenge, though users say that they're ready for the shift. According to the Visa study, roughly 3/4 of consumers say that they're interested in using fingerprints for authentication, with roughly half of consumers identifying a move past passwords as the chief benefit of biometric identification technology.

Until biometric authentication becomes more widespread, best practice suggestions for consumers are still important. In the conclusion to its report, Dashlane provides a list that contains no surprises for anyone in the security industry:

  • Use a unique password for every online account

  • Generate passwords that exceed the minimum of 8 characters

  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols

  • Avoid using passwords that contain common phrases, slang, places, or names

  • Use a password manager to help generate, store, and manage your passwords

  • Never use an unsecured Wi-Fi connection 


About the Author(s)

Curtis Franklin, Principal Analyst, Omdia
