Pattern-based passwords are not secure – here is how you can block them
Password attacks work because users are predictable. That is not entirely their fault: the sheer number of passwords people have to keep, each with its own requirements for length, case and special characters, rewards poor practice, because a predictable password is easier to remember. The predictability shows up in the composition (a memorable word or phrase starting with a capital letter, digits that follow a sequence or mark a recent year, and a special character that is most likely an exclamation mark) or in a password inspired by the keyboard layout.
Qwerty: the infamous keyboard pattern
Keyboard patterns, also called keyboard walks, are sequences of physically neighbouring keys: the user remembers the shape traced across the keyboard rather than the characters themselves. They include obvious adjacent-key runs such as qwerty, as well as parallel sequences like 345ertdfg, where three short horizontal strokes sit one row beneath the other. Such passwords can look complex. Take P)o9I*u7Y^ as an example: a closer look shows it is a leftward walk zig-zagging between the number row and the top letter row (p0o9i8u7y6) with Shift held on alternating pairs of keys, which gives it upper-case letters, digits and symbols and lets it pass the complexity requirements of most password policies. Our team recently analyzed 800 million passwords from the Specops Breached Password Protection database to find the most common keyboard walks among compromised passwords. The worst offender was qwerty, found over 1 million times, although many other keyboard walks were common too. The results drive home how often users choose such weak passwords, and how often organizations let them. Read the full research into common keyboard walks and how to stop them here.
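To make "adjacent key" concrete, here is an added Python example written for this page; it is not code from Specops Password Policy or from the research described above. It models the US QWERTY layout as four staggered rows, treats a shifted and an unshifted legend as the same physical key (so P)o9I*u7Y^ is seen as p0o9i8u7y6), and scores a password by the fraction of consecutive characters that are physical neighbours. The row offsets, the 0.6 score threshold and the five-key run limit are my own assumptions, not figures from the article.

```python
from typing import Dict, Optional, Tuple

# Approximate geometry of a US ANSI QWERTY keyboard (assumption for this example):
# each row lists its unshifted and shifted legends in column order plus the
# horizontal offset of the row's first key in key-widths (the row stagger).
# Shifted and unshifted legends share a coordinate: they are the same key.
_ROWS: Tuple[Tuple[str, str, float], ...] = (
    ("`1234567890-=", "~!@#$%^&*()_+", 0.0),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|", 1.5),
    ("asdfghjkl;'", 'ASDFGHJKL:"', 2.0),
    ("zxcvbnm,./", "ZXCVBNM<>?", 2.5),
)

# character -> (row index, x position in key-widths)
_KEY_POS: Dict[str, Tuple[int, float]] = {}
for _row, (_plain, _shifted, _offset) in enumerate(_ROWS):
    for _col, (_p, _s) in enumerate(zip(_plain, _shifted)):
        _KEY_POS[_p] = _KEY_POS[_s] = (_row, _col + _offset)


def adjacent(a: str, b: str) -> bool:
    """True when b is the same physical key as a or one of its neighbours.

    Characters with no position (space, non-ASCII) never count as adjacent,
    so they break a walk rather than extend it.
    """
    pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1.0


def walk_score(password: str) -> float:
    """Fraction of consecutive character pairs that are adjacent-key moves."""
    if len(password) < 2:
        return 0.0
    steps = sum(adjacent(a, b) for a, b in zip(password, password[1:]))
    return steps / (len(password) - 1)


def longest_walk(password: str) -> int:
    """Length of the longest substring made entirely of adjacent-key moves."""
    best = run = min(len(password), 1)
    for a, b in zip(password, password[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def walk_reason(password: str, threshold: float = 0.6, max_run: int = 5) -> Optional[str]:
    """Why a policy should reject the password as a keyboard walk, or None.

    Two tests: the password as a whole is mostly a walk (score >= threshold),
    or it embeds a walk of max_run or more keys, e.g. the tail of "Summer2024!qwerty".
    """
    score = walk_score(password)
    if score >= threshold:
        return f"keyboard walk: {score:.0%} of key moves are adjacent"
    run = longest_walk(password)
    if run >= max_run:
        return f"contains a {run}-key keyboard walk"
    return None


if __name__ == "__main__":
    for pw in ("qwerty", "345ertdfg", "P)o9I*u7Y^", "1qaz2wsx",
               "Summer2024!qwerty", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw:28} score={walk_score(pw):.2f} run={longest_walk(pw)} -> {walk_reason(pw)}")
```

P)o9I*u7Y^ scores 1.0 despite satisfying every composition rule, and 345ertdfg scores 0.75 because only the two jumps between its three strokes are non-adjacent. Summer2024!qwerty scores just 0.5 overall, which is why the policy also checks for an embedded run: its seven-key tail is caught by the run limit.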
Keyboard patterns as passwords = trouble
Just because these keyboard patterns do not appear in an English dictionary does not mean they are safe from a dictionary attack. Every password breach hands attackers more real-world password compositions and patterns, which they add to their extensive lists of high-probability candidates. In a dictionary attack, that list of predictable passwords is then tried against many logins.
Organizations must change how they enforce password security. The latest recommendations from authorities such as NIST and the NCSC are to drop complexity rules and instead check new passwords against lists of known compromised and commonly used passwords. After all, attackers are not the only ones who can take advantage of user predictability.
Eliminate predictable password patterns
Third-party tools such as Specops Password Policy let organizations ban common keyboard combinations and sequences across the organization. Future passwords are checked against the dictionary lists, preventing users from choosing pattern-based passwords that are susceptible to dictionary attacks. The tool can also block other predictable patterns such as character substitutions, also known as leetspeak, so that a password like P@ssw0rd is recognised as the banned word password.
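To show how a dictionary check can be made robust against leetspeak, here is an added Python example written for this page; it is not Specops code and does not describe how Specops Password Policy is implemented. It assumes a small constructed blocklist (a real deployment loads millions of breached passwords), undoes common character substitutions by generating every plausible reading of the password, and also strips leading and trailing digits and symbols so that Summer2024 and P@$$w0rd! reduce to their base words. The substitution table and the candidate cap are my own choices.

```python
import re
from typing import FrozenSet, List, Optional, Set

# Constructed sample blocklist for this example. The logic below does not
# change with the size of the set; production lists hold millions of entries.
BLOCKLIST: FrozenSet[str] = frozenset({
    "password", "qwerty", "letmein", "welcome", "summer", "iloveyou",
    "monkey", "dragon", "football", "admin",
})

# Leetspeak glyphs and the letters they commonly stand for (assumed table).
# Ambiguous glyphs map to every plausible letter ("1" is "i" or "l"), which is
# why the check generates several readings instead of one normalisation.
_LEET = {
    "@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g", "9": "g",
    "1": "il", "!": "i", "|": "il", "0": "o", "$": "s", "5": "s", "7": "t",
    "+": "t", "2": "z",
}

# A leading or trailing run of digits, punctuation or underscores ("Summer2024!").
_AFFIX = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def leet_candidates(password: str, limit: int = 1024) -> List[str]:
    """Every reading of the password with leet glyphs optionally undone.

    The literal lower-cased form always comes first. Each leet glyph doubles
    or triples the candidate count, so the list is capped at `limit`; a
    password with more than about ten leet glyphs is unlikely to hide a word.
    """
    forms = [""]
    for ch in password.lower():
        options = ch + _LEET.get(ch, "")  # keep the literal glyph plus its readings
        forms = [f + o for f in forms for o in options][:limit]
    return forms


def base_words(form: str) -> Set[str]:
    """The form itself and the form with leading/trailing digits and symbols removed."""
    return {form, _AFFIX.sub("", form)}


def blocked_word(password: str, blocklist: FrozenSet[str] = BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry the password reduces to, or None if it is clean."""
    for form in leet_candidates(password):
        for word in base_words(form):
            if word in blocklist:
                return word
    return None


if __name__ == "__main__":
    for pw in ("P@$$w0rd!", "Summer2024", "L3tM3!n", "Tr0ub4dor&3"):
        print(f"{pw:14} -> {blocked_word(pw)}")
```

P@$$w0rd! expands to 32 readings, one of which is password! and strips to password; Summer2024 is caught by its literal reading once the trailing digits are removed. Tr0ub4dor&3 passes because none of its readings is on the list, which is the correct outcome for a blocklist check: it says nothing about the password's strength, only that it is not a known-bad one.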
For more information about Specops Password Policy, click here.
(Last updated on October 30, 2023)