Pattern-based passwords are not secure – here is how you can block them

Password attacks work because users are predictable. However, it is not all their fault. The sheer number of passwords, each with their own set of requirements (length, case, and special characters), motivates poor practice. After all, it is easier to remember a predictable password. This predictability can manifest itself in the password composition (memorable word or phrase that starts with a capital letter, digits that follow a sequence or signify a recent year, and a special character, which will most likely be an exclamation mark), or a password inspired by the keyboard layout.  

Qwerty: Infamous Keyboard pattern

Keyboard patterns are a visualization technique that can aid with password recognition. They are the obvious adjacent key movements, such as qwerty, as well as parallel sequences like 345ertdfg. Password patterns can appear complex. Take P)o9I*u7Y^ as an example. A closer look reveals its combination with a shift-pressing pattern, which will allow it to pass the complexity requirements of most password policies. Our team recently analyzed 800 million passwords from the Specops Breached Password Protection database to find the most common keyboard walks among compromised passwords. The worst offender was qwerty, which was found over 1 million times, although there were many other common password walks found too. The results really drive home how often users are choosing such weak passwords – and organizations are letting them. Read the full research into common password walks and how to stop them here.

Keyboard pattern as passwords = trouble

Just because these keyboard patterns do not appear in the English dictionary, does not mean they cannot be the target in a dictionary attack. Each password breach gives attackers access to more password compositions and patterns, which they will add to their extensive list of high-probability passwords. In a dictionary attack, this database of predictable passwords will run against various log-ins.

Organizations must change how they enforce password security. The latest recommendations from authorities such as NIST, and the NCSC, is to avoid complexity rules, and instead check passwords against known dictionary lists. After all, hackers are not the only ones who can take advantage of user predictability.

Eliminate predictable password patterns

Third-party tools, such as Specops Password Policy, allow organizations to ban common keyboard combinations and sequences from being used in the organization. Future password will be checked against the dictionary lists, preventing users from selecting pattern-based passwords that are susceptible to dictionary attacks. The tool can also be used to block other predictable patterns such as character substitutions, also known as leetspeak.

For more information about Specops Password Policy, click here.