Pattern-based passwords are not secure – here is how you can block them
(Last updated on September 26, 2019)
Password attacks work because users are predictable. However, it is not all their fault. The sheer number of passwords, each with their own set of requirements (length, case, and special characters), motivates poor practice. After all, it is easier to remember a predictable password. This predictability can manifest itself in the password composition (memorable word or phrase that starts with a capital letter, digits that follow a sequence or signify a recent year, and a special character, which will most likely be an exclamation mark), or a password inspired by the keyboard layout.
Qwerty: the infamous keyboard pattern
Keyboard patterns are a visualization technique that helps users recall a password. They are the obvious adjacent-key movements, such as qwerty, as well as parallel sequences like 345ertdfg. Not surprisingly, qwerty was the fourth worst password in 2017, according to an analysis of five million leaked passwords by SplashData. In fact, it also made SplashData’s top 10 list in 2015 and 2016.
Keyboard patterns can also be disguised. Take P)o9I*u7Y^ as an example. A closer look reveals a keyboard walk combined with alternating shift presses, which lets it pass the complexity requirements of most password policies.
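As an added example (not code from the original post or from Specops), the check below normalizes shift-pressed symbols back to the key they sit on and then looks for runs of adjacent keys, reading the password both straight through and at every second character so that a shift-alternating zigzag such as P)o9I*u7Y^ is caught alongside plain walks like qwerty and parallel runs like 345ertdfg. The US QWERTY grid, the minimum run of three keys and the 50% rejection threshold are assumptions for illustration.

```python
"""Flag keyboard-walk passwords (added example; not Specops code)."""

# Unshifted US QWERTY rows, top to bottom (assumed layout). The column index
# only approximates the physical stagger, so diagonal neighbours are tolerated.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Every character maps to its (row, column) key; shifted symbols collapse onto
# the same key as their unshifted counterpart, so ")" == "0" and "I" == "i".
KEYPOS = {}
for r, (plain, shift) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shift)):
        KEYPOS[p] = KEYPOS[s] = (r, c)


def adjacent(a, b):
    """True if a and b are distinct keys that touch on the keyboard."""
    if a not in KEYPOS or b not in KEYPOS or KEYPOS[a] == KEYPOS[b]:
        return False
    (r1, c1), (r2, c2) = KEYPOS[a], KEYPOS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_positions(pw, stride, min_len=3):
    """Indices that belong to a walk of >= min_len adjacent keys when reading
    every `stride`-th character (stride 2 catches zigzags like P)o9I*u7Y^)."""
    covered = set()
    for offset in range(stride):
        idx = list(range(offset, len(pw), stride))
        run = idx[:1]
        for prev, cur in zip(idx, idx[1:]):
            if adjacent(pw[prev], pw[cur]):
                run.append(cur)
            else:
                if len(run) >= min_len:
                    covered.update(run)
                run = [cur]
        if len(run) >= min_len:
            covered.update(run)
    return covered


def keyboard_pattern_score(pw):
    """Fraction of the password lying on keyboard walks (0.0 none, 1.0 all)."""
    if not pw:
        return 0.0
    covered = walk_positions(pw, 1) | walk_positions(pw, 2)
    return len(covered) / len(pw)


def is_pattern_password(pw, threshold=0.5):
    """Policy check: reject when at least `threshold` of the characters form walks."""
    return keyboard_pattern_score(pw) >= threshold
```

A check like this complements, rather than replaces, the breached-password dictionary lookup: it catches walks the dictionary has never seen, while the dictionary catches non-pattern passwords that are already known to attackers.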
Keyboard patterns as passwords = trouble
Just because these keyboard patterns do not appear in the English dictionary does not mean they cannot be used in a dictionary attack. Each password breach gives attackers access to more password compositions and patterns, which they add to their extensive list of high-probability passwords. In a dictionary attack, this database of predictable passwords is run against large numbers of login accounts.
Organizations must change how they enforce password security. The latest recommendations from authorities such as NIST and the NCSC are to drop complexity rules and instead check passwords against lists of known, previously breached passwords. After all, hackers are not the only ones who can take advantage of user predictability.
Eliminate predictable password patterns
Third-party tools, such as Specops Password Policy, allow organizations to ban common keyboard combinations and sequences. Future passwords are checked against the dictionary lists, preventing users from selecting pattern-based passwords that are susceptible to dictionary attacks. The tool can also block other predictable patterns, such as character substitutions, also known as leetspeak.
For more information about Specops Password Policy, click here.