Pattern-based passwords are not secure – here is how you can block them
Password attacks work because users are predictable. However, it is not all their fault. The sheer number of passwords, each with its own set of requirements (length, case, and special characters), encourages poor practice. After all, a predictable password is easier to remember. This predictability shows up in password composition (a memorable word or phrase that starts with a capital letter, digits that follow a sequence or signify a recent year, and a special character, which will most likely be an exclamation mark), or in a password inspired by the keyboard layout.
Qwerty: the infamous keyboard pattern
Keyboard patterns are a visual memory aid: the shape the keys trace on the keyboard is what the user remembers, not the characters. They include the obvious adjacent-key walks, such as qwerty, as well as parallel sequences like 345ertdfg. Not surprisingly, qwerty was the fourth worst password in 2017, according to an analysis of five million leaked passwords by SplashData. It also made SplashData’s top 10 list in 2015 and 2016.
Password patterns can also be disguised. Take P)o9I*u7Y^ as an example. A closer look reveals a walk along the top two keyboard rows with every other key typed while holding Shift, which is enough to pass the complexity requirements of most password policies.
Keyboard pattern as passwords = trouble
Just because these keyboard patterns do not appear in the English dictionary does not mean they cannot be the target of a dictionary attack. Each password breach gives attackers access to more password compositions and patterns, which they add to their extensive lists of high-probability passwords. In a dictionary attack, this database of predictable passwords is run against user logins.
Organizations must change how they enforce password security. The latest recommendations from authorities such as NIST and the NCSC are to drop complexity rules and instead check passwords against known dictionary lists. After all, hackers are not the only ones who can take advantage of user predictability.
Eliminate predictable password patterns
Third-party tools, such as Specops Password Policy, allow organizations to ban common keyboard combinations and sequences from being used in the organization. Future passwords will be checked against the dictionary lists, preventing users from selecting pattern-based passwords that are susceptible to dictionary attacks. The tool can also be used to block other predictable patterns such as character substitutions, also known as leetspeak.
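The two pattern classes described above (keyboard walks, including the Shift-alternating P)o9I*u7Y^ form, and leetspeak substitutions) can be checked at password-change time. Below is an added example in Python; it is not Specops code, and the US QWERTY layout table, the row stagger offsets, the leetspeak map and the 50% coverage threshold are assumptions of this example.

```python
# US QWERTY main key block, one entry per physical row: unshifted characters,
# shifted characters, and the horizontal stagger of that row in key widths.
# Shifted symbols map onto the same key as their unshifted character, so
# P)o9I*u7Y^ is seen as the key path p-0-o-9-i-8-u-7-y-6 regardless of Shift.
_ROWS = [("`1234567890-=", "~!@#$%^&*()_+", 0.0),
         ("qwertyuiop[]\\", "QWERTYUIOP{}|", 1.5),
         ("asdfghjkl;'", 'ASDFGHJKL:"', 1.75),
         ("zxcvbnm,./", "ZXCVBNM<>?", 2.25)]
# character -> (row, x); x includes the stagger so 'o' sits between '9' and '0'
KEY_POS = {}
for row, (plain, shifted, offset) in enumerate(_ROWS):
    for col, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = KEY_POS[s] = (row, col + offset)

# Common leetspeak substitutions, undone before the dictionary check (assumed map).
LEET = str.maketrans("4@83105$7!", "aabeiossti")

def walk_coverage(password: str, min_run: int = 3) -> float:
    """Fraction of characters that belong to a run of at least min_run keys that
    are physically adjacent (neighbouring row, at most one key width apart).
    Repeating the same key, or a character outside the key block, breaks the run."""
    if not password:
        return 0.0
    covered, run = 0, 1
    for prev, cur in zip(password, password[1:]):
        a, b = KEY_POS.get(prev), KEY_POS.get(cur)
        adjacent = (a is not None and b is not None and a != b
                    and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1.0)
        if adjacent:
            run += 1
        else:
            covered += run if run >= min_run else 0
            run = 1
    covered += run if run >= min_run else 0
    return covered / len(password)

def normalize_leet(password: str) -> str:
    """Lower-case and undo leetspeak, so P@ssw0rd! compares as 'passwordi'."""
    return password.lower().translate(LEET)

def check_password(password: str, banned_words, max_walk: float = 0.5) -> list:
    """Return the reasons to reject a candidate password; an empty list means accept."""
    reasons = []
    if walk_coverage(password) >= max_walk:
        reasons.append("keyboard pattern")
    normalized = normalize_leet(password)
    hits = [w for w in banned_words if w in normalized]
    if hits:
        reasons.append("banned word after leetspeak normalization: " + hits[0])
    return reasons
```

The parallel sequence 345ertdfg is caught because each of its three row segments is a run of three adjacent keys, and the Shift-alternating example is caught because shifted and unshifted characters share a key position.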
For more information about Specops Password Policy, click here.
(Last updated on September 7, 2022)