I Bet I Can Guess Your Password...
Updated: Oct 23, 2022
Why your password is probably easier to guess than you think.
What? But how can that be?
Hey everyone, it’s Roby from CYBR again!
No, that headline was not clickbait. Well, not entirely! And I’m not talking about the person whose work email password is just “password” (if that’s you, setting up a strong password is the least of your problems). I’m talking about people who actually think their password is secure because they followed the password policy instructions and added symbols and numbers to their passwords.
How could it be possible to guess my password?
It’s rather easy if you think about it. As human beings, we are quite predictable in many of the decisions we take in our day-to-day lives. Research shows that human behaviour is up to 93% predictable, meaning that many of our daily decisions are, to a certain extent, predetermined. From deciding which shampoo you buy, which pair of socks you put on, or when and where you travel: if our behaviour can be anticipated in so many areas of our lives, could we go even further and assume that the same applies to very private and personal choices such as passwords? Let’s take a look.
Password Data Breach
For starters, there are many data breaches you can analyze to discover common password habits (LinkedIn, Canva, RockYou, Yahoo!, Facebook, and the list goes on). Please look into it for yourself, and you can even discover if your password has been leaked online here.
So while you might think that adding a number or a symbol makes your password more secure, you'll be surprised to learn that sometimes it works to your disadvantage.
On Cybersecurity Policies
Organizations have security policies that (should) include password policies meant to increase the organization’s security by forcing employees to create more complex passwords. But since these are blanket measures, and people are predictable, what ends up happening is that everybody responds to the password policy in the same way.
A classic password policy usually includes several requirements:
1. “You need to add a number to your password”
Sure, but what everyone ends up doing is adding a 1 at the end of their password, or a year (for example, 1892 – this is for all you Liverpool fans). Did you know that 20-30% of people add the number 1 at the end of their password? Talk about predictable.
2. “You need to add a symbol to your password”
Sure, let’s add a symbol. People usually go one of two ways here:
Either they change a character in their password to a symbol (for example, a to @ or s to $).
Or they add a symbol at the end.
3. “You need to make your password at least 8 characters long”
Sure, let’s make it 8 characters long – and ONLY 8. What happens here is that people usually see the number (in our case, 8) and don’t think about exceeding that length. Between 30% and 45% of users choose a password that is the minimum required length.
Password Safety Exercises
My name is Mark Andersson, and our password policy looks like this: passwords should be at least 8 characters long, with at least one uppercase letter, one lowercase letter, a number, and a symbol. Then my password will look something like this: M@rk@ndersson1. Do you see what I did there? Easy enough to remember, but complicated enough that others can’t guess it.
Or can they?
Remember the beginning of the article when I said I could guess your password?
Well, even though I can't literally guess your exact password, I can get really close. And using some free online tools, I can even get a match.
All I need to know is your email address and a bit of personal information about you, such as your birth year, the names of your loved ones, and so on. Furthermore, I can search whether your email address has been breached. If it has, then your hashed password exists somewhere online for hackers to sell. With that, I can run a dictionary attack using either John the Ripper or HashCat, built from the information I gathered before. If that doesn’t give me your password, it will at least get me really, really close.
Update your password if your answer to any of these is YES!
Now, let’s try another exercise. I will ask you some questions, and if your answer to any of these is YES, then you need to change your password to a better one.
Is your password a word? (no matter the language)
Did you do a classic character swap? (a-@, e-&, s-$, i-1, etc.)
Do you have the number 1 at the end of your password?
Do you have a four-character number at the end of your password?
Is your password less than 14 characters? (14 is currently considered the new standard)
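The five questions above can be turned into an automated self-check. The script below is an added example, not code from the original post: it decodes the classic character swaps (a-@, e-&, s-$, i-1 from the article, plus a few common extras added here as an assumption), splits off the trailing "1" or year that policies push people to append, and then asks the same five questions. The tiny wordlist and the personal tokens (first name, surname, a year) are constructed stand-ins; a real audit would use a breach-derived wordlist such as RockYou.

```python
import re

# Reverse map for the "classic character swap". The article lists a-@, e-&, s-$, i-1;
# the other entries (4, 3, 5, !, 0, 7) are common swaps added here as an assumption.
# '1' is ambiguous (i or l); we decode it as 'i', matching the article's list.
LEET_REVERSE = {
    "@": "a", "4": "a",
    "&": "e", "3": "e",
    "$": "s", "5": "s",
    "1": "i", "!": "i",
    "0": "o", "7": "t",
}

# Constructed stand-in for a real wordlist (the article points at breach corpora such as RockYou).
SAMPLE_DICTIONARY = {"password", "welcome", "liverpool", "summer", "dragon", "monkey", "football"}

MIN_LENGTH = 14  # the article's "new standard"


def unleet(text):
    """Undo character swaps so 'p@$$w0rd' reads as 'password'."""
    return "".join(LEET_REVERSE.get(ch, ch) for ch in text)


def split_suffix(password):
    """Split 'M@rk@ndersson1' into core 'M@rk@ndersson' and suffix '1'.

    The suffix is the run of non-letters at the end, which is where the appended
    1, year or symbol that policies encourage ends up.
    """
    match = re.match(r"^(.*?)([^A-Za-z]*)$", password)
    return match.group(1), match.group(2)


def built_from_tokens(base, tokens):
    """True if base is just a concatenation of the given personal tokens (e.g. first + last name)."""
    remaining = base
    for token in sorted((str(t).lower() for t in tokens), key=len, reverse=True):
        remaining = remaining.replace(token, "")
    return bool(base) and remaining == ""


def audit_password(password, personal_tokens=(), dictionary=SAMPLE_DICTIONARY):
    """Run the article's checklist; return the list of YES answers (reasons to change the password)."""
    findings = []
    core, suffix = split_suffix(password)

    # Decode swaps on the core and, in case the last character is itself a swap ('pas$'), on the whole string.
    candidates = sorted({unleet(core).lower(), unleet(password).lower()})
    recognised = [c for c in candidates
                  if c and (c in dictionary or built_from_tokens(c, personal_tokens))]
    if recognised:
        findings.append(f"based on a dictionary word or personal information: {recognised[0]}")
        # The raw string differs from what it decodes to, so a character swap was used.
        if password.lower() not in recognised and core.lower() not in recognised:
            findings.append("classic character swap used")

    if password.endswith("1"):
        findings.append("ends with the number 1")

    digits = re.search(r"\d{4}$", password)
    if digits:
        msg = "ends with a four-digit number"
        if digits.group(0) in {str(t) for t in personal_tokens}:
            msg += " that is one of your personal dates"
        findings.append(msg)

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # The article's own example, audited against constructed personal tokens.
    for reason in audit_password("M@rk@ndersson1", ("Mark", "Andersson", "1990")):
        print("YES:", reason)
```

Run against the article's example, the checker answers YES to three questions: the password decodes to the owner's first and last name, it uses a character swap, and it ends with a 1. Only its length (exactly 14) passes. An unrelated passphrase with no swaps and no appended digits returns an empty list.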
Since it’s October (a.k.a. security month), share this with your coworkers and see what kind of people they are – do they think their passwords are safe? Or is their password simply… password?