More Password Analysis | Imperva

More Password Analysis

Earlier this week we published a condensed analysis of military passwords.  Now, with a little more time and the help of a cool intern from UC Berkeley, we have dug a bit deeper.
Typically, password policies require a mix of capitals, digits, special characters, and so on.  We were happy when several firms changed their password policies and required stronger passwords after our January 2009 report.  The lesson then was to avoid:

  • Keyboard series: qwerty
  • Number series: 123456
  • People's names: Michael, Daniel, Jessica

What our deeper military password analysis revealed was interesting.  It highlights how a good password policy can still be circumvented with patterns.  Clearly a strong password policy was in place, as most passwords had the required mix of numbers, letters and special characters.  The top passwords were:

  • !QAZ2WSX
  • 1QAZ!QAZ
  • 1QAZ@WSX
  • ZAQ!2WSX
  • 1QAZ!QAZ2WSX@WSX
  • 1QAZZAQ!

Seem secure?  Think again.  Take the first password and type it on your keyboard: Shift+1, Q, A, Z walks straight down the leftmost column, then 2, W, S, X walks down the next one.  Every one of the six is a column walk, a mirrored column walk, or two of them glued together, with Shift held on some keys to satisfy the symbol requirement.
We aren't the only ones who are taking note.  Here's a screenshot from a hacker forum where someone not as sweet as we are is doing a similar analysis:
[screenshot: similar analysis posted on a hacker forum]
The lesson?  Enforcing strong passwords means anticipating all kinds of keyboard sequences: rows, columns, diagonals, reversed walks, and the shifted variant of each.  We haven't found a comprehensive list of the more complicated sequences yet (if you have one, please let us know).
What should be done?  We recommend the passphrase.  Wikipedia puts it nicely (emphasis ours): “Passphrases are generally stronger, and a clearly better choice in these cases. First, they usually are (and always should be) much longer—20 to 30 characters or more is typical—making some kinds of brute force attacks entirely impractical.”  More importantly, they are easier to remember and harder to crack.
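To make both lessons concrete, here is an added example (written for this page; it is not Imperva's code and not what the forum poster used) of a password check that maps each character to its key on a US QWERTY layout, finds runs of adjacent keys so that shifted and unshifted walks such as !QAZ and 1qaz are treated alike, rejects any password that is mostly walk, and accepts a long passphrase in place of the usual character-class rule.  The layout table, the four-key minimum run, the 50% coverage threshold and the 20-character passphrase length are assumptions chosen for illustration.

```python
"""Keyboard-walk detection for a password policy (US QWERTY).

Added example; not Imperva's code. The layout table, the four-key minimum
run, the 50% coverage threshold and the 20-character passphrase rule are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Four rows of a US QWERTY keyboard as (unshifted, shifted) strings. Index i
# in each row is the i-th key from the left; the physical stagger between rows
# is ignored, so 1/q/a/z share a column. The backtick key is left out so that
# the digit row lines up with the letter rows (a simplification).
_ROWS: List[Tuple[str, str]] = [
    ("1234567890-=", "!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]

# Character -> (row, column). A shifted symbol maps to the same key as its
# unshifted one, so "!QAZ" and "1qaz" are the same physical walk.
KEY_POS: Dict[str, Tuple[int, int]] = {}
for _r, (_plain, _shifted) in enumerate(_ROWS):
    for _c, _ch in enumerate(_plain):
        KEY_POS[_ch] = (_r, _c)
    for _c, _ch in enumerate(_shifted):
        KEY_POS[_ch] = (_r, _c)


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are different keys that touch, diagonals included.
    Characters not on the map (space, non-ASCII) never join a walk."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def keyboard_walks(password: str, min_run: int = 4) -> List[str]:
    """Maximal substrings typed as a chain of adjacent keys, min_run or longer.
    "!QAZ2WSX" -> ["!QAZ", "2WSX"] because Z (bottom left) does not touch 2."""
    walks: List[str] = []
    start = 0
    for i in range(1, len(password) + 1):
        if i == len(password) or not _adjacent(password[i - 1], password[i]):
            if i - start >= min_run:
                walks.append(password[start:i])
            start = i
    return walks


def walk_coverage(password: str, min_run: int = 4) -> float:
    """Fraction of the password that lies inside keyboard walks."""
    if not password:
        return 0.0
    return sum(len(w) for w in keyboard_walks(password, min_run)) / len(password)


def passes_complexity(password: str, min_len: int = 8) -> bool:
    """The classic rule the military passwords satisfied: at least eight
    characters and three of the four classes upper/lower/digit/symbol."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_len and sum(classes) >= 3


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_password(password: str, passphrase_len: int = 20,
                   max_walk_fraction: float = 0.5) -> Verdict:
    """Reject walk-dominated strings first (a 20-character walk is still a
    walk), then accept either a long passphrase or a complex password."""
    coverage = walk_coverage(password)
    if coverage >= max_walk_fraction:
        return Verdict(False, f"keyboard walks cover {coverage:.0%}: "
                              f"{keyboard_walks(password)}")
    if len(password) >= passphrase_len:
        return Verdict(True, "accepted as passphrase")
    if not passes_complexity(password):
        return Verdict(False, "too short or too few character classes")
    return Verdict(True, "accepted")


if __name__ == "__main__":
    # The six top passwords from the post, plus two constructed controls.
    for pw in ["!QAZ2WSX", "1QAZ!QAZ", "1QAZ@WSX", "ZAQ!2WSX",
               "1QAZ!QAZ2WSX@WSX", "1QAZZAQ!",
               "correct horse battery staple", "Tr0ub4dor&3"]:
        v = check_password(pw)
        print(f"{pw:30} complexity={passes_complexity(pw)!s:5} "
              f"{'OK' if v.ok else 'REJECT'}  {v.reason}")
```

All six passwords from the post satisfy passes_complexity and are rejected by check_password because every character sits inside a walk; "Michael" contains no walk at all and is left for the dictionary and name check this snippet does not include.  The four-key minimum run keeps ordinary words mostly clear of false positives (the "er" in "battery" is too short to count), though a word such as "Wertheim" does contain one; lowering min_run to three catches more walks at the cost of more such hits, so tune it against your own password set.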