It’s October — Time for Another Blog About Weak Passwords

Every year, the month of October brings us reassuring traditions. Football on the weekends. Companies making pumpkin spice-flavored things that really should not be pumpkin spice-flavored. And, because it is Cybersecurity Awareness Month, another collection of blogs and infographics about the importance of creating strong passwords and the risks of weak ones.

“Why do you keep writing blogs about weak passwords?” you may be asking as you take a swig of pumpkin spice soda. The answer is we keep writing blogs about weak passwords because people keep using them. The most common passwords in 2022, according to SplashData, an online security firm that keeps track of this sort of thing, were:

1. qwerty
2. password
3. 1234567
4. 12345678
5. 12345

SplashData’s most common passwords in 2012 — ten years ago — were:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty

Not much improvement in the last decade, unless you are a big fan of “qwerty”. So yes, this is another blog about passwords. Rather than simply tell you that you need a strong password, though, this blog explains in more detail some of the tools and methods that hackers use to crack and exploit your weak password, which may help you see just how unprepared for the challenge “12345678” truly is. We’ll also provide some tips to level up your password power.

Your Password Vs. A Brute

If your password is compromised, it will most likely happen as a result of a brute force attack engineered by a cyber criminal of some stripe. As the name suggests, brute force attacks are not elegant — they use a series of strong-arm techniques to try to crack your password. What you may not realize is the variety and volume of brute force options available. When it comes to staying safe online, your password is even more vulnerable than you might suspect.

A simple brute force attack is the most basic approach, and something we do ourselves when we’re trying to guess a password that we’ve forgotten. Without any tools or automated scripts, the hacker will attempt to log into a system by guessing the username and password combination. In addition to the most popular passwords shown above, a quick scan of your publicly available social media can help a hacker make educated guesses based on your favorite sports teams, your pet’s name, and so on. 

More sophisticated cyber foes will automate their brute force attack to speed it up and increase the likelihood of hitting the right password. Automated password cracking tools will try every possible combination of letters, numbers, and symbols. The most advanced brute force tools are freely available to ethical hackers for penetration testing, and to unethical hackers for dirty deeds. They can attack across multiple platforms and protocols at lightning speed, sniff out easy to guess passwords and swap out letters for similar special characters as part of their probing. (This means using “p@ssword” instead of “password” is not fooling anybody.)

Throwing the Book at Your Password

A more advanced form of brute force password hacking is known as a dictionary attack, ironically defined at this link by dictionary.com. Unlike a brute force attack, a dictionary attack focuses specifically on an exhaustive list of common words and phrases used for passwords. 

The most popular password list for a dictionary attack is the legendary rockyou.txt file. It’s a compilation of more than 14 million unique passwords exposed when RockYou, a social app developer for MySpace (yes, I said MySpace) and other social media sites, was hacked back in 2009.

RockYou’s security policies were a perfect storm for a cyber criminal: a company with 32 million registered users storing their member passwords in plain text — with additional plain text passwords to partner social media sites — on a server that was not patched to correct an SQL vulnerability over 10 years old. The complete list was published, and remains the gold standard for dictionary attacks by ethical and unethical hackers alike. If your password is an actual word, it is probably in the rockyou.txt file.

A Pot of Passwords at the End of the Rainbow

As compromises like this became common, systems that stored user passwords — especially after the RockYou debacle — made it a point to encrypt them with a hash to better protect against cyber criminals. In response, brute force tools like rainbowcrack and hashcat offer “rainbow tables” that can decode the hashes into the plain text passwords if the hacker can get access to the list of hashed passwords.

The use of rainbow tables has decreased as security personnel began “salting” their hashed passwords, meaning they add in additional random data to the password hash to make rainbow tables much less effective. Of course, databases that are not salting their hashes are still susceptible. 

Turkeys Aren’t the Only Thing Getting Stuffed

A special type of brute force attack, credential stuffing, is only a risk if you reuse your passwords across multiple applications. When your user data is compromised — through any of the dozens of high-profile data breaches that have happened over the last decade — your username and password are now generally available throughout the dark web. 

Cyber criminals will purchase lists of compromised credentials and then brute force those sets of usernames and passwords across dozens of other applications and sites. If you use the same credentials for another site (and according to a 2021 study by the Identify Theft Resource Center, 85 percent of users admit that they do), malicious hackers just need to find those sites, and then they have access to your accounts on those other platforms.

It Is Time For Your Passwords to Hit the Gym

While Apple, Google and Microsoft have been working on standards to eliminate passwords altogether, that glorious future is probably still several years away. In the interim, your data is at risk right now, so here are five steps you can take to beef up your password security today.

1. Take a Timeout — Brute force attacks rely on a tremendous number of attempts to find the right credentials, so limit the number of login attempts allowed on corporate systems before a mandatory timeout or some other limiting function kicks in to slow down the adversary.
2. No Pain, No Gain — Don’t make it easy for cyber criminals. Avoid personal information in your password, like your birthday, your pet or your child’s name, or your street name. Don’t use repetition for passwords you change often, like adding “+1” to a numerical password. 
3. MFA All Day — Enable multi-factor authentication (MFA) on all of your personal and professional accounts. The easiest way to strengthen a weak password is to not rely solely on a weak password. A second method of verification puts control of your account solely in your hands (or, more likely, your phone’s hands.)
4. Eat Your Veggies — If you can’t use multi-factor authentication, strong password policies are a must. Use long strings of numbers, letters and special characters in a passphrase or non-word format, even though they are not easy to remember. Update passwords often, and don’t reuse them. 
5. Get a Manager — The easiest way to keep track of passwords that are appropriately strong and long is to use a password generator or a password manager. There are several excellent low-cost or free password managers out there that will keep your data secure and your memory uncluttered. 

Cybersecurity Awareness Month 2022 is the perfect time to finally take care of your weak password problem once and for all. If you do, when you are cruising the web and eating your pumpkin spice potato chips next October, you’ll be able to skip the 2023 version of this blog and keep on crunching.

Follow Motorola Solutions on Facebook, LinkedIn and Twitter for more #CybersecurityAwarenessMonth tips to #BeCyberSafe.