What the password quiz taught us
(Last updated on July 14, 2020)
In celebration of World Password Day we ran a password quiz that presented participants with five pairs of passwords, and asked them to pick out the stronger one from each pair. The results? Only 12% of participants answered all the questions correctly. Here is what we have learned from the quiz results:
- Predictable password patterns are not easy to avoid
Between “soccer4ever” and “SoccerForever,” the latter is the stronger of the two passwords. Why? Because a capital letter in the middle of a password is less predictable than substituting a digit or symbol for letters: those substitutions are among the first mangling rules that cracking tools apply to every word in their dictionaries. This is a tricky one that only 38% of participants answered correctly.
Predictable patterns include character substitution (e.g., “soccer4ever”), keyboard walks (e.g., “1qazxsw2”) and digits appended to the end, very often a birth year (e.g., “Mikejones1960”). Password leaks have shown attackers exactly how common these formulas are, and the wordlists and mangling rules in their cracking tools have been updated to try them first, which is why such passwords fall quickly.
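The three patterns above can be checked for mechanically before a password is accepted. The following is an added example, not Specops code: a small Python classifier that flags in-word character substitution, keyboard walks on a constructed QWERTY layout, and numeric suffixes (with four-digit 19xx/20xx suffixes reported as years). The threshold of four keys for a walk and the set of substitution characters are assumptions chosen for illustration.

```python
import re
from typing import List

# Constructed QWERTY layout. Rows are staggered, so the key at index i on one
# row sits between index i-1 and i on the row below; that approximation is
# good enough to recognise walks such as "1qazxsw2".
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, i) for r, row in enumerate(QWERTY_ROWS) for i, ch in enumerate(row)}

# Digits and symbols commonly written in place of letters (assumed set).
LEET_CLASS = "[4@301!$57]"


def _adjacent(a: str, b: str) -> bool:
    """True if key b is a physical neighbour of key a (same row or next row)."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ia), (rb, ib) = KEY_POS[a], KEY_POS[b]
    if ra == rb:
        return abs(ia - ib) == 1
    if rb == ra + 1:          # b is one row down: it sits at i-1 or i
        return ib in (ia - 1, ia)
    if rb == ra - 1:          # b is one row up: it sits at i or i+1
        return ib in (ia, ia + 1)
    return False


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run of consecutive, non-repeating neighbouring keys."""
    best, run = 0, []
    for ch in pw.lower():
        # Requiring distinct keys stops clusters like "er4e" counting as a walk.
        if run and _adjacent(run[-1], ch) and ch not in run:
            run.append(ch)
        else:
            run = [ch]
        best = max(best, len(run))
    return best


def predictable_patterns(pw: str) -> List[str]:
    """Return the names of the predictable formulas a password follows."""
    flags = []
    # A digit or symbol standing in for letters inside a word ("soccer4ever", "p@ssw0rd").
    if re.search(rf"[A-Za-z]{LEET_CLASS}+[A-Za-z]", pw):
        flags.append("character substitution")
    # Four or more adjacent keys typed in sequence ("1qazxsw2", "qwerty").
    if longest_keyboard_walk(pw) >= 4:
        flags.append("keyboard walk")
    # Digits tacked on at the end; 19xx/20xx suffixes are almost always years.
    m = re.search(r"\d+$", pw)
    if m:
        flags.append("year suffix" if re.fullmatch(r"(19|20)\d\d", m.group()) else "digit suffix")
    return flags


if __name__ == "__main__":
    for candidate in ["soccer4ever", "SoccerForever", "1qazxsw2", "Mikejones1960"]:
        print(f"{candidate:16} {predictable_patterns(candidate)}")
```

Run against the quiz's own examples, "SoccerForever" is the only one that comes back clean; the detector is deliberately simple and catches the formula, not the underlying word, so it is a complement to a dictionary check rather than a replacement for one.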
- Two thirds of participants knew that passphrases aren’t created equal
“Silverkalesugerhat” is more secure than “Ilovethisgamesomuch” because it strings together words that have no relationship to each other. People tend to choose passphrases that follow the distribution of natural language, so a passphrase built from a common sentence, a quotation, or a book or movie title is far more exposed to attacks that enumerate likely phrases rather than individual characters.
Passphrases are generally stronger than short passwords. However, we caution against optimistic estimates that treat every passphrase as too long to attack: what matters is how many equally likely phrases the attacker has to try, not the character count alone. A good passphrase strings together randomly chosen words, for example “Try to cr@ck this browm1e.” And remember: longer is better when it comes to passphrases, ideally longer than 20 characters.
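To make the "random words, not sentences" advice concrete, here is an added example (not part of the original post and not Specops code) that generates a passphrase from a wordlist with a cryptographic random source and reports the strength in bits. The eight-word list is a constructed stand-in for a real diceware list such as the EFF long list (7776 words, the size used in the calculation); the minimum length of 20 characters follows the guidance above.

```python
import math
import secrets
from typing import List

# Constructed wordlist for demonstration; a real list has thousands of entries.
CONSTRUCTED_WORDS = ["silver", "kale", "sugar", "hat", "lamp", "river", "cactus", "piano"]


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of n words drawn uniformly at random from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def random_char_bits(n_chars: int, alphabet_size: int = 95) -> float:
    """Strength of n characters drawn uniformly from an alphabet (95 = printable ASCII)."""
    return n_chars * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches the target strength."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_passphrase(words: List[str], n_words: int = 4, min_len: int = 20, sep: str = "-") -> str:
    """Draw n_words with secrets.choice and keep adding words until min_len characters."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    while len(sep.join(chosen)) < min_len:
        chosen.append(secrets.choice(words))
    return sep.join(chosen)


if __name__ == "__main__":
    print("passphrase:", random_passphrase(CONSTRUCTED_WORDS))
    # Four random diceware words versus eight random printable characters:
    # similar strength, but only one of them is memorable.
    print(f"4 words from 7776: {entropy_bits(4, 7776):.1f} bits")
    print(f"8 random chars:    {random_char_bits(8):.1f} bits")
    print("words for 80 bits:", words_needed(80, 7776))
```

The point the numbers make is that strength comes from the size of the space the phrase was drawn from. A sentence lifted from a song has the length of "Ilovethisgamesomuch" but was drawn from the much smaller space of sentences people actually write, which `entropy_bits` would badly overestimate; the calculation is only valid when the words really were chosen at random.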
- Using passwords found in breach lists is as good as not having one
Even when your passwords are as complicated as “aXRhbGlhbiBoYWNrZXIgY3Jldwo=” and “WYH@19950329$wyh,” they can be easily compromised once they have appeared in a password breach list, because attackers feed leaked passwords straight into their wordlists. Microsoft is taking the lead on banning passwords that appear in breach lists for Microsoft Azure Active Directory customers, but this should be common practice for every authentication service. Specops Password Policy allows IT administrators to ban any password found in a leaked password list; options include creating a custom list and importing online dictionary lists provided by Specops.
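The following is an added example, not Specops code or the Azure AD implementation, showing how a breach-list check is typically built: the list is stored as SHA-1 hashes, the client sends only the first five hex characters of its hash (the k-anonymity range scheme popularised by the Have I Been Pwned Pwned Passwords API) and matches the rest locally, so the service never sees the candidate password or its full hash. The leak list and its counts are constructed for the example, and the 12-character minimum in `is_acceptable` is an assumed policy value.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a leaked-password list with "times seen" counts.
# Real corpora hold hundreds of millions of entries; the two quiz examples are
# included to show that complexity does not help once a password has leaked.
CONSTRUCTED_LEAK = {
    "password": 12,
    "123456": 40,
    "aXRhbGlhbiBoYWNrZXIgY3Jldwo=": 1,
    "WYH@19950329$wyh": 2,
}


def sha1_hex(pw: str) -> str:
    """Upper-case hex SHA-1, the format breach lists are usually distributed in."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_index(leak: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the leak as {5-char hash prefix: {35-char suffix: count}}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in leak.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


LEAK_INDEX = build_index(CONSTRUCTED_LEAK)


def range_query(prefix: str, index: Dict[str, Dict[str, int]] = LEAK_INDEX) -> Dict[str, int]:
    """Server side: return every suffix sharing the prefix. It never learns the full hash."""
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 hex characters")
    return dict(index.get(prefix, {}))


def breach_count(pw: str, index: Dict[str, Dict[str, int]] = LEAK_INDEX) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    h = sha1_hex(pw)
    return range_query(h[:5], index).get(h[5:], 0)


def is_acceptable(pw: str, min_len: int = 12,
                  index: Dict[str, Dict[str, int]] = LEAK_INDEX) -> Tuple[bool, str]:
    """Policy check: breached passwords are rejected regardless of how complex they look."""
    seen = breach_count(pw, index)
    if seen:
        return False, f"appears in a leaked password list ({seen} times)"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["WYH@19950329$wyh", "aXRhbGlhbiBoYWNrZXIgY3Jldwo=", "silver kale sugar hat"]:
        print(f"{candidate!r}: {is_acceptable(candidate)}")
```

The breach check runs before any length or complexity rule on purpose: a leaked password fails no matter what else it satisfies. In production the index would be the imported list (or a remote range API) rather than an in-memory dictionary, but the prefix/suffix split, and the fact that the client does the final comparison, stays the same.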