Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

More Than Half of Users Reuse Passwords

Users are terrible at passwords and the problem is only getting worse, according to an expansive study of more than 100 million passwords and their owners.

Most security experts agree that passwords are a poor security mechanism. What's even worse: We're really bad at passwords. That's the conclusion of a study that looked at 28.8 million users and their 61.5 million passwords in 107 services over 8 years.

The password study by researchers at Virginia Tech found that slightly more than half of all users reused passwords, or used slight modifications of passwords across a range of accounts. Password reuse, considered a major "no-no" by security experts, is considered a major factor in easy-to-hack user authentication schemes

The news actually gets worse from that bad beginning. The passwords in use were so weak that more than 16 million password pairs (30% of the modified passwords and all the reused passwords) can be cracked within just 10 guesses. And there's worse to come: accounts dealing with sensitive data, from financial records to email, were more likely to receive repeated and reused passwords than less critical sites.

Researchers at Dashlane took anonymized data from the set used by the Virginia Tech team and looked for trends and patterns in the bad passwords. They found evidence of trends, patterns, brands and romance in the password store, all of which make passwords easier for criminals to predict and crack.

Perhaps unsurprisingly, the names of popular sports teams (which rise and fall according to their on-field results) and consumer brands find their way into passwords. The researchers were a bit more surprised by the pervasiveness of "keyboard walking" in forming passwords.

Don't let your fingers walk

Keyboard walking occurs when a user lets their fingers walk across a row of keys on the keyboard. "asdfg", "qwerty", and "12345" are all examples of keyboard walking. In each case, the resulting string is an easily guessed password.

Users slightly less lazy (or slightly more security savvy) move to variations on keyboard walking, including "1q2w3e4r" and "[email protected]". The notable thing about most of these walking passwords is that they can be typed with the fingers of the left hand only — and typed without ever moving the hand or shifting the fingers. That tendency limits the combinations and makes the passwords subject to relatively easy brute force cracking.

According to a study by Visa, one of the reasons we're so bad at passwords is that we hate them. A lot. According to the Visa study, only about 1/3 of users follow the recommended practice of  having a unique password for each online account.  Almost two-thirds say that they have multiple passwords but share some passwords among accounts, while only about 7% admit to having a single password for every account they use.

The consequences of complex passwords

In a keynote session at last week's CNP Conference, Jamie Uppenberg, director of digital products at Discover Global Network, said that the goal for online authentication and transactions, including those with passwords, is simple: "You want the purchase to be as forgettable as possible, as delightful as possible. Authentication is key and not many people are doing it well."

Remembering and typing unique strong passwords makes for a high-friction transaction, and in the context of purchases, high friction is not forgettable.

At the same conference, Scott Adams, a CNP fraud and risk expert, said that an unintended consequence of requiring passwords that go beyond the easily remembered (and cracked) may be more fraud. "Provide the payment methods/features your customers want. If you don't, fraudsters will."

Adding to the tools fraudsters are able to employ are the huge stores of compromised log in credentials stolen and shared among criminals in the last few years. "The Next Domino To Fall: Empirical Analysis of User Passwords across Online Services", by Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang of Virginia Tech contains this surprising pair of facts: "More than 70% of the users with reused passwords are still reusing the leaked passwords 1 year after the initial leakage. 40% of users are still reusing the same passwords leaked 3 years ago."

Beyond bad passwords

Moving beyond passwords for user authentication remains a technological and economic challenge, though users say that they're reading for the shift. According to the Visa study, roughly 3/4 of consumers say that they're interested in using fingerprints for authentication, with roughly half of consumers identifying a move past passwords as the chief benefit of biometric identification technology.

Until biometric authentication becomes more wide-spread, best practice suggestions for consumers are still important. in the conclusion to its report, Dashlane provides a list that contains no surprises for anyone in the security industry:

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection 

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tompitt
50%
50%
tompitt,
User Rank: Apprentice
5/29/2018 | 12:53:45 AM
Re: Passphrase over Password
I agree with you
Todder
50%
50%
Todder,
User Rank: Apprentice
5/25/2018 | 5:03:57 PM
Re: Passphrase over Password
Vendor sites should set a policy for passwords to be changed every 30, 60, or 90 days. Part of the problem is long lingering passwords spread over account access locations on various computers, smartphones, etc.

Ideally you'd want all banks & financial institutions to broadly implement this since it could be a key differentiator (wrongly) to say "Hey you can use the same password forever with our bank!"

The other thing is dual authenitcation (Capital One does this) where you enter your account pasword and they text or call you with the 6 digit key code.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/25/2018 | 8:21:15 AM
Re: Passphrase over Password
I believe that complex passworeds, unique BUT EASY TO USER REMEMBER are the best solution.  Everyone has a set of hobbies that are unique to them.  There can be a ton of tech terms inside of these interests that are never EVER forgotten.  Now combine two tech terms of any kind or type with a weird character or two ----- and you have a great system.  Users can then vary a tech term list of sorts to keep a syntax running.  I have about 10 passwords of varying terms and levels that I use and can sort to desired taste.    

 

If you want total protection, chose an EXE file of any kind you like, get the MD5 HASH string and make that your password LOL - nobody will crack that one. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2018 | 1:13:21 PM
Passphrase over Password
For this reason its imperative to think of utilizing passphrase over password. Passphrase: Sometimes I get sad when I hear passwords are still going to being utilized! Input: SIgswIhpasg2bU!

Make the passphrase easier to remember obviously but the premise is more security centric.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...