Endpoint //

Authentication

5/24/2018
09:15 AM
50%
50%

More Than Half of Users Reuse Passwords

Users are terrible at passwords and the problem is only getting worse, according to an expansive study of more than 100 million passwords and their owners.

Most security experts agree that passwords are a poor security mechanism. What's even worse: We're really bad at passwords. That's the conclusion of a study that looked at 28.8 million users and their 61.5 million passwords in 107 services over 8 years.

The password study by researchers at Virginia Tech found that slightly more than half of all users reused passwords, or used slight modifications of passwords across a range of accounts. Password reuse, considered a major "no-no" by security experts, is considered a major factor in easy-to-hack user authentication schemes

The news actually gets worse from that bad beginning. The passwords in use were so weak that more than 16 million password pairs (30% of the modified passwords and all the reused passwords) can be cracked within just 10 guesses. And there's worse to come: accounts dealing with sensitive data, from financial records to email, were more likely to receive repeated and reused passwords than less critical sites.

Researchers at Dashlane took anonymized data from the set used by the Virginia Tech team and looked for trends and patterns in the bad passwords. They found evidence of trends, patterns, brands and romance in the password store, all of which make passwords easier for criminals to predict and crack.

Perhaps unsurprisingly, the names of popular sports teams (which rise and fall according to their on-field results) and consumer brands find their way into passwords. The researchers were a bit more surprised by the pervasiveness of "keyboard walking" in forming passwords.

Don't let your fingers walk

Keyboard walking occurs when a user lets their fingers walk across a row of keys on the keyboard. "asdfg", "qwerty", and "12345" are all examples of keyboard walking. In each case, the resulting string is an easily guessed password.

Users slightly less lazy (or slightly more security savvy) move to variations on keyboard walking, including "1q2w3e4r" and "[email protected]". The notable thing about most of these walking passwords is that they can be typed with the fingers of the left hand only — and typed without ever moving the hand or shifting the fingers. That tendency limits the combinations and makes the passwords subject to relatively easy brute force cracking.

According to a study by Visa, one of the reasons we're so bad at passwords is that we hate them. A lot. According to the Visa study, only about 1/3 of users follow the recommended practice of  having a unique password for each online account.  Almost two-thirds say that they have multiple passwords but share some passwords among accounts, while only about 7% admit to having a single password for every account they use.

The consequences of complex passwords

In a keynote session at last week's CNP Conference, Jamie Uppenberg, director of digital products at Discover Global Network, said that the goal for online authentication and transactions, including those with passwords, is simple: "You want the purchase to be as forgettable as possible, as delightful as possible. Authentication is key and not many people are doing it well."

Remembering and typing unique strong passwords makes for a high-friction transaction, and in the context of purchases, high friction is not forgettable.

At the same conference, Scott Adams, a CNP fraud and risk expert, said that an unintended consequence of requiring passwords that go beyond the easily remembered (and cracked) may be more fraud. "Provide the payment methods/features your customers want. If you don't, fraudsters will."

Adding to the tools fraudsters are able to employ are the huge stores of compromised log in credentials stolen and shared among criminals in the last few years. "The Next Domino To Fall: Empirical Analysis of User Passwords across Online Services", by Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang of Virginia Tech contains this surprising pair of facts: "More than 70% of the users with reused passwords are still reusing the leaked passwords 1 year after the initial leakage. 40% of users are still reusing the same passwords leaked 3 years ago."

Beyond bad passwords

Moving beyond passwords for user authentication remains a technological and economic challenge, though users say that they're reading for the shift. According to the Visa study, roughly 3/4 of consumers say that they're interested in using fingerprints for authentication, with roughly half of consumers identifying a move past passwords as the chief benefit of biometric identification technology.

Until biometric authentication becomes more wide-spread, best practice suggestions for consumers are still important. in the conclusion to its report, Dashlane provides a list that contains no surprises for anyone in the security industry:

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection 

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tompitt
50%
50%
tompitt,
User Rank: Apprentice
5/29/2018 | 12:53:45 AM
Re: Passphrase over Password
I agree with you
Todder
50%
50%
Todder,
User Rank: Apprentice
5/25/2018 | 5:03:57 PM
Re: Passphrase over Password
Vendor sites should set a policy for passwords to be changed every 30, 60, or 90 days. Part of the problem is long lingering passwords spread over account access locations on various computers, smartphones, etc.

Ideally you'd want all banks & financial institutions to broadly implement this since it could be a key differentiator (wrongly) to say "Hey you can use the same password forever with our bank!"

The other thing is dual authenitcation (Capital One does this) where you enter your account pasword and they text or call you with the 6 digit key code.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/25/2018 | 8:21:15 AM
Re: Passphrase over Password
I believe that complex passworeds, unique BUT EASY TO USER REMEMBER are the best solution.  Everyone has a set of hobbies that are unique to them.  There can be a ton of tech terms inside of these interests that are never EVER forgotten.  Now combine two tech terms of any kind or type with a weird character or two ----- and you have a great system.  Users can then vary a tech term list of sorts to keep a syntax running.  I have about 10 passwords of varying terms and levels that I use and can sort to desired taste.    

 

If you want total protection, chose an EXE file of any kind you like, get the MD5 HASH string and make that your password LOL - nobody will crack that one. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2018 | 1:13:21 PM
Passphrase over Password
For this reason its imperative to think of utilizing passphrase over password. Passphrase: Sometimes I get sad when I hear passwords are still going to being utilized! Input: SIgswIhpasg2bU!

Make the passphrase easier to remember obviously but the premise is more security centric.
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...