<h1>10 Worst Password Ideas (As Seen In The Adobe Hack)</h1>
<p>Kaspersky blog, published 2013-11-21 (last modified 2020-02-26). Category: tips; tags: hacking, passwords. Original URL: <a href="https://www.kaspersky.com/blog/10-worst-password-ideas-as-seen-in-the-adobe-hack/3198/">https://www.kaspersky.com/blog/10-worst-password-ideas-as-seen-in-the-adobe-hack/3198/</a></p>

<p>If you’re a registered Adobe customer, change your passwords now. They have been stolen and published on the Internet; someone even <a href="http://zed0.co.uk/crossword/">made a crossword puzzle</a> out of them. This is a good occasion to examine which passwords are better NOT used.</p>

<p>The recent <a href="https://threatpost.com/adobe-breached-acrobat-and-coldfusion-code-stolen-along-with-2-9m-customer-records">Adobe breach</a> involved the theft of customer data and will have long-term consequences. Initially, Adobe stated that the hack affected about 3 million users; it turned out that the leaked database contained about 150 million records. Worse, the stored passwords were poorly protected: they were encrypted rather than hashed with a salted, slow function, so every user who chose the same password got the same stored value, and the plaintext password hints sat right next to it. Many passwords could therefore be recovered in their original form. As a result, <a href="https://threatpost.com/facebook-requiring-password-resets-in-adobe-aftermath">Facebook required affected users to change their password</a> if they used the same one for the social network.</p>

<p>Using a single password for different online services is a serious security issue. Even worse, millions of users make the same mistakes when inventing a new password. Let’s learn from those mistakes, taking the most popular passwords from the Adobe database as a recent example.</p>

<h2>1. “password”, “qwerty” and “123456”</h2>
<p>Astonishingly, these very obvious passwords still top the popular-password lists after all these years. In the Adobe database, “123456” takes first place, with over 2 million of the 150 million accounts using it. Second is the much more “complicated” “123456789”, followed by the word “password” itself, chosen by 345 thousand users. The keyboard sequence “qwerty” holds 6th place.</p>

<h2>2. Company or site name and its variations</h2>
<p>You might think that the login “John” with the password “Facebook” is original. It is not. A service name might not be present in a generic dictionary used to brute-force passwords, but an experienced attacker adds such words to the wordlist for each target (as we have seen in the Adobe case). This principle produced the passwords ranked #4, #9, #15 and #16 in the Adobe top 100: “adobe123”, “photoshop”, “adobe1” and “macromedia”.</p>

<h2>3. Name=Password and other hints</h2>
<p>Even if other providers protect stored passwords much better than Adobe did, an attacker who gets the database will usually see the accompanying fields (user name, e-mail, password hint and so on) without extra effort, and those fields have proven very useful for password recovery. The biggest hit is a password that is exactly the same as the user name. Other “smart” tricks are just as bad: some people write the password itself into the hint field, or give hints as obvious as “1 to 6” or “Last First”.</p>

<h2>4. Obvious facts</h2>
<p>Facebook is a favorite reconnaissance tool. Given a victim’s e-mail and user name, a quick Facebook search solves hints such as “dog”, “son’s name”, “birthday”, “work”, “mother’s maiden name” or “favorite band”. About one third of all hints in the Adobe database refer to family members and pets, and a further 15% quote the password directly or almost directly.</p>

<h2>5. Simple sequences</h2>
<p>The number of possible letter and digit combinations seems endless, but people use that freedom in a very limited way: the alphabet and the keyboard in front of them act as strong “hints”. That is how passwords like “abc123”, “00000”, “123321”, “asdfgh” and “1q2w3e4r” are born. If a letter or digit sequence is very easy to memorize, abandon it: it is equally convenient to guess and is almost certainly already in the password dictionaries.</p>

<h2>6. Basic words</h2>
<p>According to various researchers, between one third and one half of all passwords are plain dictionary words, and they typically come from the 10 thousand most frequently used words of a language. An offline attack on a leaked database tests 10,000 candidates in a fraction of a second, so such passwords offer no protection at all. The Adobe top list contains plenty of them: “sunshine”, “monkey”, “shadow”, “princess”, “dragon”, “welcome”, “jesus”, “sex”, “god”.</p>

<h2>7. Obvious modifications</h2>
<p>To make dictionary attacks harder, most services require passwords to follow rules: at least 6 characters, a mix of upper- and lower-case letters, plus digits and special characters. <a href="https://www.kaspersky.com/blog/21st-century-passwords/">As I wrote before, these measures date from the 20th century</a> and need to be reconsidered, but users have already found their way around them. Almost always the first letter becomes the only uppercase one, and the most popular digit-based modification is appending “1” to the end. In the Adobe database these tricks are combined with obvious words, resulting in passwords as bad as “adobe1” and “password1”. The most popular special characters are the exclamation mark and the underscore.</p>

<h2>8. Obvious modifications 2 (1337)</h2>
<p><img alt="leetspeek" src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2013/11/06045158/leetspeek.jpeg" width="280" height="210"> Thanks to the <a href="https://www.kaspersky.com/blog/top-10-movie-hacks/">“Hackers” movie</a> and other pop-culture artifacts, a wide audience is now aware of “hacker speak”, LEET (1337), in which some letters are replaced by similar-looking digits or symbols, plus a few other basic modifications. Such replacements seem like a good idea, and passwords like “H4X0R” or “$1NGL3” look impressive. Unfortunately, they are not much harder to crack than the plain “hacker” and “single”, because password-cracking tools have a so-called mutation engine (hashcat and John the Ripper call them rules) that applies all the obvious modifications to every dictionary word.</p>

<h2>9. Emphatic short phrases</h2>
<p>Longer passwords are better, so a passphrase is considered better protection than a single word. There are exceptions, though: very short and extremely predictable phrases. The Adobe top 100 includes “letmein”, “fuckyou” and “iloveyou”. Nothing to add.</p>

<h2>10. Social security and other important numbers</h2>
<p>Such passwords are harder to guess outright, but attackers will gladly spend extra effort on finding the number when they see a hint like “my social security number”. Combined with the user name, birth date and other Facebook-provided data, an SSN is usable for <a href="https://www.kaspersky.com/blog/prevent-identity-theft/">identity theft</a>, which makes this kind of password very easy to monetize. A password should never be a secret that is also valuable on its own.</p>

<h2>Hors concours (out of competition): identical passwords</h2>
<p>This mistake cannot be seen in a single database such as Adobe’s, but it is as common as “123456”: using the same password for multiple online services. Why it is bad is obvious. If your Adobe password becomes known to attackers, they can try the same e-mail/password combination against every popular site, Facebook and Gmail included, and compromise not one but many of your accounts (the technique is known as credential stuffing). According to a survey conducted by B2B International for Kaspersky Lab, 6% of users use a single password for all of their accounts, and 33% use only a handful. If the Adobe site was among the ones they use, those users now risk having their entire digital life broken into.</p>

<p>All the mistakes above have one simple cause: today we typically use 5-10 online services, and remembering 5-10 unique, complicated passwords is hard. Luckily, there is a simple technical solution.</p>

<p>Here is our advice:</p>
<ul>
<li>Don’t use the same password for multiple sites.</li>
<li>Use long and <a href="https://www.kaspersky.com/blog/21st-century-passwords/">strong passwords</a>.</li>
<li><a href="https://www.kaspersky.com/blog/password-check">Check your password reliability</a> with a password-strength service, but never type a password you actually use into a third-party web form; test a candidate of the same pattern instead.</li>
<li>Use a <a href="https://www.kaspersky.com/blog/securing-your-passwords-with-pure-3-0/">password manager</a> to store all your passwords in encrypted form instead of trying to memorize them. This way you can have a unique, long, random password for each site without the risk of forgetting any of it.</li>
</ul>
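<h2>Worked example: why hints next to deterministically stored passwords leak (sections 3 and 4)</h2>
<p>The recovery described in the introduction and in sections 3 and 4 works in two steps: group the leaked rows by their stored password value (identical passwords gave identical values in the Adobe dump), then read the hints of everyone in a group. The script below is an added example, not code from the original post; every row is constructed (example.com addresses, invented hints, no real Adobe data), <code>weak_store()</code> is an assumed stand-in for any storage scheme with the "same password, same stored value" property, and the hint rules are a small hand-written set. The attacker-side functions never call <code>weak_store()</code>; they see only what the dump exposes.</p>

```python
"""Clustering a leaked password table by stored value and mining the hints.

Added example, not code from the original post. Every row is constructed
(no real Adobe data); the rows only mimic the shape of the dump the post
describes: e-mail, a stored value that is identical for identical passwords
(Adobe encrypted rather than hashed, so this held for the real dump), and a
plaintext hint. The attacker-side functions never call weak_store().
"""
import base64
import hashlib
import re
from collections import defaultdict


# Constructed stand-in for deterministic storage: same password -> same value.
# That single property is all the attack needs; the cipher is irrelevant.
def weak_store(password):
    digest = hashlib.sha256(password.encode()).digest()[:8]
    return base64.b64encode(digest).decode()


# Constructed sample rows: (e-mail, password, hint). Plaintexts are kept only
# so the example is self-contained and its output can be checked.
SAMPLE_ROWS = [
    ("alice@example.com", "123456",     "1 to 6"),
    ("bob@example.com",   "123456",     "numbers"),
    ("carol@example.com", "123456",     ""),
    ("dave@example.com",  "password",   "the obvious one"),
    ("erin@example.com",  "password",   "password"),     # hint IS the password
    ("frank@example.com", "frank",      "my name"),      # password == user name
    ("grace@example.com", "adobe123",   "site + 123"),
    ("heidi@example.com", "adobe123",   "company name"),
    ("ivan@example.com",  "R9!vq#z2Lm", "comic strip"),  # nothing to work with
]
# What the attacker actually sees: (e-mail, stored value, hint).
LEAKED = [(email, weak_store(pw), hint) for email, pw, hint in SAMPLE_ROWS]

# Seed knowledge from earlier leaks: a few entries of the post's Adobe top list
# and the target's own brand word (section 2 of the post).
TOP_PASSWORDS = {"123456", "123456789", "password", "adobe123", "12345678", "qwerty"}
SITE_WORD = "adobe"
RANGE_HINT = re.compile(r"^(\d) to (\d)$")


def cluster_by_stored_value(records):
    """Group rows by stored value; everyone in a cluster shares one password,
    so the cluster sizes alone rank the most common passwords."""
    clusters = defaultdict(list)
    for email, stored, hint in records:
        clusters[stored].append((email, hint))
    return clusters


def guess_from_hints(members):
    """Derive one password guess for a cluster from its members' hints.
    Returns (guess, reason) or (None, None). Deliberately simple rules; the
    crossword the post links to was built by humans doing this at scale."""
    for email, hint in members:
        h = hint.strip().lower()
        if not h:
            continue
        if h in TOP_PASSWORDS:                      # section 3: hint = password
            return h, f"{email}: hint is a known top password"
        if h in ("my name", "user name", "username", "login"):
            return email.split("@")[0], f"{email}: hint points at the login"
        m = RANGE_HINT.match(h)                     # "1 to 6" -> "123456"
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            return "".join(str(d) for d in range(lo, hi + 1)), f"{email}: hint spells a digit run"
        if "site" in h or "company" in h:           # section 2: brand + digits
            digits = re.search(r"\d+", h)
            return SITE_WORD + (digits.group() if digits else ""), f"{email}: hint names the site"
    return None, None


def recover(records):
    """Return [(size, stored, guess, reason, emails)], largest cluster first.
    One solved hint unlocks every account in the cluster, hint or no hint."""
    rows = []
    for stored, members in cluster_by_stored_value(records).items():
        guess, reason = guess_from_hints(members)
        rows.append((len(members), stored, guess, reason, [e for e, _ in members]))
    rows.sort(key=lambda r: -r[0])
    return rows


if __name__ == "__main__":
    for size, stored, guess, reason, emails in recover(LEAKED):
        print(f"{size} accounts  stored={stored}  guess={guess!r}  ({reason})  {emails}")
```

<p>Run it and the largest cluster comes out first: three accounts sharing one stored value, solved from a single member's hint, and the account that left the hint empty falls with the rest. A salted, slow password hash (bcrypt, scrypt or Argon2) removes the clustering property entirely, and a hint field stored in plaintext next to the password should not exist at all.</p>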
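<h2>Worked example: a mutation engine over a small dictionary (sections 6, 7 and 8)</h2>
<p>Sections 6 to 8 say that dictionary words with a capital first letter, an appended "1" or leet spelling are cracked by a mutation engine that tries the obvious modifications of every word. The script below is an added example, not code from the original post and not the rule syntax of any real cracking tool: the transform set (three case forms, per-letter leet substitutions, a handful of suffixes) and the ten-word dictionary are constructed for the illustration. It includes "haxor", the slang base word of the post's "H4X0R", alongside "hacker".</p>

```python
"""A toy mutation engine: why "H4X0R" or "Password1" is no safer than its base word.

Added example, not code from the original post and not the rule syntax of any
real cracking tool. The transforms mirror the ones the post lists (capitalize
the first letter, append "1" or "123", append "!" or "_", leet substitutions);
the exact rule set and the ten-word dictionary are constructed for the example.
"""
from itertools import product

# Leet substitutions applied independently per letter (section 8).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
# Suffixes users bolt on to satisfy composition rules (section 7).
SUFFIXES = ["", "1", "12", "123", "!", "_", "1!", "2013"]
# Ten words of the kind the post's Adobe top list is full of (sections 2 and 6);
# "haxor" is the slang base word of "H4X0R".
DICTIONARY = ["password", "adobe", "single", "haxor", "hacker",
              "monkey", "sunshine", "welcome", "letmein", "photoshop"]


def case_variants(word):
    """lower, UPPER and First-capitalized: the only case patterns people
    actually use, so the engine need not try 2**len(word) of them."""
    return {word.lower(), word.upper(), word[:1].upper() + word[1:].lower()}


def leet_variants(word):
    """Every spelling obtained by replacing each leet-able letter with one of
    its substitutes or leaving it alone (case of untouched letters is kept)."""
    choices = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(p) for p in product(*choices)}


def mutate(word):
    """The mutation engine: case form x leet spelling x suffix."""
    out = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(leeted + suffix)
    return out


def covered_by(candidate, dictionary=DICTIONARY):
    """Return the dictionary word whose mutations include candidate, or None.
    A password this function resolves is, for cracking purposes, that word."""
    for word in dictionary:
        if candidate in mutate(word):
            return word
    return None


def candidate_count(dictionary=DICTIONARY):
    """How many guesses the engine produces for the whole dictionary."""
    return len(set().union(*(mutate(w) for w in dictionary)))


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd!", "adobe123", "$1NGL3", "H4X0R", "H4CK3R", "Tr0ub4dor&3"]:
        print(f"{pw:12} -> {covered_by(pw)}")
    print("candidates for", len(DICTIONARY), "words:", candidate_count())
```

<p>"password" alone expands to 1,296 candidates under these rules, and the ten-word dictionary to a few thousand; a 10,000-word dictionary gives on the order of ten million, which an offline cracker finishes in seconds against a fast hash. The user who typed "P@ssw0rd!" chose one candidate out of that small set. Real rule files ship thousands of transforms (doubling, reversal, years, prefixes), so anything this toy resolves is only the floor of what is trivially crackable.</p>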