Endpoint //

Authentication

5/24/2018
09:15 AM
50%
50%

More Than Half of Users Reuse Passwords

Users are terrible at passwords and the problem is only getting worse, according to an expansive study of more than 100 million passwords and their owners.

Most security experts agree that passwords are a poor security mechanism. What's even worse: We're really bad at passwords. That's the conclusion of a study that looked at 28.8 million users and their 61.5 million passwords in 107 services over 8 years.

The password study by researchers at Virginia Tech found that slightly more than half of all users reused passwords, or used slight modifications of passwords across a range of accounts. Password reuse, considered a major "no-no" by security experts, is considered a major factor in easy-to-hack user authentication schemes

The news actually gets worse from that bad beginning. The passwords in use were so weak that more than 16 million password pairs (30% of the modified passwords and all the reused passwords) can be cracked within just 10 guesses. And there's worse to come: accounts dealing with sensitive data, from financial records to email, were more likely to receive repeated and reused passwords than less critical sites.

Researchers at Dashlane took anonymized data from the set used by the Virginia Tech team and looked for trends and patterns in the bad passwords. They found evidence of trends, patterns, brands and romance in the password store, all of which make passwords easier for criminals to predict and crack.

Perhaps unsurprisingly, the names of popular sports teams (which rise and fall according to their on-field results) and consumer brands find their way into passwords. The researchers were a bit more surprised by the pervasiveness of "keyboard walking" in forming passwords.

Don't let your fingers walk

Keyboard walking occurs when a user lets their fingers walk across a row of keys on the keyboard. "asdfg", "qwerty", and "12345" are all examples of keyboard walking. In each case, the resulting string is an easily guessed password.

Users slightly less lazy (or slightly more security savvy) move to variations on keyboard walking, including "1q2w3e4r" and "[email protected]". The notable thing about most of these walking passwords is that they can be typed with the fingers of the left hand only — and typed without ever moving the hand or shifting the fingers. That tendency limits the combinations and makes the passwords subject to relatively easy brute force cracking.

According to a study by Visa, one of the reasons we're so bad at passwords is that we hate them. A lot. According to the Visa study, only about 1/3 of users follow the recommended practice of  having a unique password for each online account.  Almost two-thirds say that they have multiple passwords but share some passwords among accounts, while only about 7% admit to having a single password for every account they use.

The consequences of complex passwords

In a keynote session at last week's CNP Conference, Jamie Uppenberg, director of digital products at Discover Global Network, said that the goal for online authentication and transactions, including those with passwords, is simple: "You want the purchase to be as forgettable as possible, as delightful as possible. Authentication is key and not many people are doing it well."

Remembering and typing unique strong passwords makes for a high-friction transaction, and in the context of purchases, high friction is not forgettable.

At the same conference, Scott Adams, a CNP fraud and risk expert, said that an unintended consequence of requiring passwords that go beyond the easily remembered (and cracked) may be more fraud. "Provide the payment methods/features your customers want. If you don't, fraudsters will."

Adding to the tools fraudsters are able to employ are the huge stores of compromised log in credentials stolen and shared among criminals in the last few years. "The Next Domino To Fall: Empirical Analysis of User Passwords across Online Services", by Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang of Virginia Tech contains this surprising pair of facts: "More than 70% of the users with reused passwords are still reusing the leaked passwords 1 year after the initial leakage. 40% of users are still reusing the same passwords leaked 3 years ago."

Beyond bad passwords

Moving beyond passwords for user authentication remains a technological and economic challenge, though users say that they're reading for the shift. According to the Visa study, roughly 3/4 of consumers say that they're interested in using fingerprints for authentication, with roughly half of consumers identifying a move past passwords as the chief benefit of biometric identification technology.

Until biometric authentication becomes more wide-spread, best practice suggestions for consumers are still important. in the conclusion to its report, Dashlane provides a list that contains no surprises for anyone in the security industry:

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection 

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tompitt
50%
50%
tompitt,
User Rank: Apprentice
5/29/2018 | 12:53:45 AM
Re: Passphrase over Password
I agree with you
Todder
50%
50%
Todder,
User Rank: Apprentice
5/25/2018 | 5:03:57 PM
Re: Passphrase over Password
Vendor sites should set a policy for passwords to be changed every 30, 60, or 90 days. Part of the problem is long lingering passwords spread over account access locations on various computers, smartphones, etc.

Ideally you'd want all banks & financial institutions to broadly implement this since it could be a key differentiator (wrongly) to say "Hey you can use the same password forever with our bank!"

The other thing is dual authenitcation (Capital One does this) where you enter your account pasword and they text or call you with the 6 digit key code.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/25/2018 | 8:21:15 AM
Re: Passphrase over Password
I believe that complex passworeds, unique BUT EASY TO USER REMEMBER are the best solution.  Everyone has a set of hobbies that are unique to them.  There can be a ton of tech terms inside of these interests that are never EVER forgotten.  Now combine two tech terms of any kind or type with a weird character or two ----- and you have a great system.  Users can then vary a tech term list of sorts to keep a syntax running.  I have about 10 passwords of varying terms and levels that I use and can sort to desired taste.    

 

If you want total protection, chose an EXE file of any kind you like, get the MD5 HASH string and make that your password LOL - nobody will crack that one. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2018 | 1:13:21 PM
Passphrase over Password
For this reason its imperative to think of utilizing passphrase over password. Passphrase: Sometimes I get sad when I hear passwords are still going to being utilized! Input: SIgswIhpasg2bU!

Make the passphrase easier to remember obviously but the premise is more security centric.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17534
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
CVE-2018-17980
PUBLISHED: 2018-10-15
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is execute...
CVE-2018-18259
PUBLISHED: 2018-10-15
Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.
CVE-2018-18260
PUBLISHED: 2018-10-15
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false.
CVE-2018-17532
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.