Why we know your password and what you can do about it

3 Jun 2019 02:03 PM

Guest Blog by John Kearney of DXW highlights top security tips for password management.

Trying to make passwords more secure can often end up having the opposite effect, for two main reasons:

  1. When people are faced with complex rules — at least one uppercase letter, number, symbol etc. (we’ve all been there) they will do the simplest thing possible. Most users will capitalise the first letter in their password, or all of them, and add a “1” to the end. Sound familiar?
  2. Complex passwords made up of random generated characters are much easier for a computer to guess than for a human to remember.

The proof

For evidence of how people choose passwords, you need look no further than the 10,000 most common passwords discovered in security breaches, as published on Github or this page on Wikipedia. As I write, the second most common password is “password”,“Password” is number 176, “password1” is at 207, “PASSWORD” is at 710, and “Password1” checks in at 2968.

In Top of the Pops fashion (for those of you who are old enough), here’s the current top 20:

As for the relative ease with which a computer can guess a random string as opposed to a well-crafted passphrase (see more on using these below), XKCD tells that story better than we could.

We don’t do what we’re told, and that can cause big problems

No matter how many times people are told never to use the same password across many sites and services, most still do just that. It’s human nature to take the quickest and easiest option, and the one that means we won’t forget our passwords and get locked out.

When dxw cyber carries out attack simulations, we search published data breaches for details of known users to help us identify the passwords they use to log into other places. When we find their passwords, we try them out against their accounts in the system we’re targeting.

During a recent attack simulation, this simple password lookup — that requires no technical skills at all — gave us access to the entire system at the highest possible level.

So what’s the good news (or help, what should I do now)?

Once you understand how people interact with a system, and the reasons why the rules don’t result in the right kind of behaviour, you can take a different approach.

Some tips for individuals

As an individual you should:

Some tips for businesses

As a business, you should:


Finally, as an individual or a business, you should always enable two-factor authentication (2FA) when it’s available.

2FA means you need to provide two ways of proving your identity. It’s used all the time by organisations like banks, for example, to take money from a cash machine, you need the card and your PIN. To log into your online banking application, you need your account details and a one-use time-limited code, generated by a custom gadget or sent by text.

Once you’ve done all that, we probably won’t know your password (but you still need to watch out for phishing).

A passwordless future

Humans are not good at passwords, but computers are. So maybe the long-term solution is to get rid of passwords and replace them with stronger ways of proving your identity, such as passwordless “magic” links or QR codes. We also expect to see an increasing use of standards like WebAuthn, which can be used to help prove your identity at the touch of a button, while also protecting you from phishing attacks.

We’ll blog more about this soon.

P.S. If you want to hear directly from Glyn Wintle, our CTO, about all things password related, here’s his talk at Ignite London 7.