Salted Hash: Phishing study reveals frightening password habits

LAS VEGAS – Passwords are a problem, and yet they’re the primary means of authentication used when at work or at home. Recently, Salted Hash examined 126,357 passwords for accounts compromised during Phishing attacks in 2016. What we discovered was both sad and frustrating.

The idea for this type of password study came about not too long after a vendor published a list of the “worst passwords” on the Web, which looked exactly like the list published the year before.

When lists like this circulate, the same set of questions come to mind: What if these passwords were collected from sources where the user didn’t care about the account? Do people really choose such horrific passwords? Instead of assuming the answer was a resounding yes, we wanted to examine some compromised records for ourselves.

To do this, Salted Hash collected Phishing logs that were circulating on the Darknet. The raw data was then sorted and compiled with Pipal (created by Robin Wood) and Passpal by T. Alexander Lystad.

The Phishing campaigns in our sample set targeted Microsoft, Apple, Google, Spotify, and PayPal accounts, as well as banking and social media logins. Some campaigns acquired hundreds, even thousands of victims over time, others were much smaller, but the base set of passwords used for this study represents four months of collection.

The hope was that we’d see a stronger selection of passwords that were nothing like the ones that are circulated in the “worst of” lists. After all, these are valuable accounts. But we were seriously wrong in our assumptions. The results are enough to make a security manager cry.

Steve Traynor, the art director for CSO Online, took the raw data Salted Hash collected and generated the graphic included with this article. In addition, he added the top 10 passwords from the massive data breaches at LinkedIn, Twitter, VK.com, and Badoo.com.

Jessy Irwin, a security researcher and password advocate, examined our findings and offered her opinions to Salted Hash.

The numerical passwords immediately stood out in her eyes. This, she said, makes it look as if people find PIN-style passwords more usable; though reusing simple PINs or readily available number patterns from keyboards is just as risky as using common, insecure passwords.

“More often than not, though, people choose simple passwords and number combinations to save time and to prevent getting locked out of an account or using data. What this suggests, however, is that this thinking is much more widespread and dangerous for the average user,” she said.

Is this a problem the security industry has created over time? Have we conditioned people to use poor passwords? The short answer is yes, according to Per Thorsheim, a security expert who founded PasswordsCon in 2010.

“The common knowledge of passwords is based on rather old assumptions, folklore, myths, etc.,” he said. Most of the advice people use to create passwords is outdated or irrelevant, and technically or logically wrong.

The logical and technical problems related to password creation exist mostly due to human limitations.

In the raw data collected by Salted Hash, the base words – or the word used to generate a given password – highlight another problem. Many of the base words in the collection represent names and locations, as well as other personal elements.

“When it comes to passwords, what people need to make a password usable and what machines need to make a password secure are two entirely different things. The ‘something you know’ parts of authentication tend to be the weakest factor because of the limitations of human memory, and how the brain works,” Irwin said.

“People are more likely to use names of significant others, teams they cheer for, or films they loved without even thinking about what might happen if other passwords in the database are the same as the one they just created. What works for computers— strong, long, random, unique passwords— is in direct opposition to how people work, and by pushing the needs of computers onto people, we end up with very, very weak passwords indeed.”

Special characters are another problem too, because there is little variation on what people select – if they use them at all. The characters below are the most common symbols in our set of 126,357 passwords, ranked from most common to least, going left to right.

! * ? $ # / & " + % ) ( [ = , ] ^ ; { > ' } é ` ~ |

Note: There is a blank space between ‘]’ and ‘^’.

“One thing that stands out in this dataset is that there are absolutely no special characters in any of the top passwords from these breaches,” Irwin said.

“While that may appear to be laziness on the part of users, all of these passwords would be incredibly easy to enter on a mobile device and would not require switching keyboards or complex keyboard gymnastics in a hurry. It’s incredibly important to remember that mobile password needs are different from desktop needs, and that much of the world is joining the technological age through mobile devices first. There is no way that this is not having an impact on password strength and security.”

Most of the passwords in the sample set were eight characters in length, which is expected given that most password policies require that as a minimum. But a close second was six characters.

“Password complexity guidelines are only meaningful if users use different passwords on every app,” commented Marc Boroditsky, VP and GM of Authy, a Twilio service.

Also, he added, it’s irresponsible to expect users to take on the burden of selecting unique complex passwords for every site. “That’s why other methods, such as two-factor authentication, should be implemented.”

Based on the data collected by Salted Hash, the longer the password, the more uncommon it became. But that doesn’t mean the longer passwords were better.

While only 3-percent of the passwords had 12 characters, they were comprised of easily cracked or guessed words and phrases. For example: ‘jamesbond007’ or ‘123qweasdzxc’

Ironically, most of the 12 character passwords would conform to many modern password policies that are used online or at the office.

“Password policies that allow for weak passwords like ‘Password1’ are not at all about security— these policies exist so that a box on a compliance form can be checked during an audit,” Irwin said.

So if the examples in our dataset are bad passwords, what makes a good password? Salted Hash asked Per Thorsheim for his thoughts, and the answer was rather simple: make it personal.

“Create a positive sentence that is easy for you to remember, something from your past that won’t change. Write it using spaces and everything else, like you would normally do,” he explained.

“If you have many passwords and can’t remember them all, write them down. That is still more secure than having the same simple password across multiple services. Several billion people can guess an easy password online, but very few can steal that piece of paper with your passwords on it.”