2020/06/05 08:59:45

Passwords



The most popular passwords

2019

Rating of 2019: 12345 is the leader

Specialists[1] published a list of the most widespread and least secure passwords. The experts used a database of about 500 million passwords that leaked in 2019 and ranked them by frequency.

The three most frequently used passwords turned out to be 12345, 123456 and 123456789, which appeared in the database a combined 6,348,704 times. Such passwords are extremely unreliable and completely predictable, and they let an attacker take over an account with a trivial guessing (brute-force) attack.

The list of the 100 worst passwords is given below:

12345
123456
123456789
test1
password
12345678
zinch
g_czechout
asdf
qwerty
1234567890
1234567
Aa123456.
iloveyou
1234
abc123
111111
123123
dubsmash
test
princess
qwertyuiop
sunshine
BvtTest123
11111
ashley
00000
000000
password1
monkey
livetest
55555
soccer
charlie
asdfghjkl
654321
family
michael
123321
football
baseball
q1w2e3r4t5y6
nicole
jessica
purple
shadow
hannah
chocolate
michelle
daniel
maggie
qwerty123
hello
112233
jordan
tigger
666666
987654321
superman
12345678910
summer
1q2w3e4r5t
fitness
bailey
zxcvbnm
fuckyou
121212
buster
butterfly
dragon
jennifer
amanda
justin
cookie
basketball
shopping
pepper
joshua
hunter
ginger
matthew
abcd1234
taylor
samantha
whatever
andrew
1qaz2wsx3edc
thomas
jasmine
animoto
madison
0987654321
54321
flower
Password
maria
babygirl
lovely
sophie
Chegg123

Among 21 million stolen accounts, only 4.9 million unique passwords were found

On October 30, 2019 it became known that, among 21 million stolen accounts, researchers from ImmuniWeb found only 4.9 million unique passwords, which shows that many users reuse the same or similar passwords. The simplest passwords were most common in the technology industry (passw0rd, 1qaz2wsx, career121, abc123 and password1), in finance (456a33, student, old123ma, welcome and 123456) and in healthcare (Exigent, password, pass1, 000000 and 123456).

DeviceLock studied the most popular passwords in the Western segment and in Runet

On April 23, 2019 it became known that DeviceLock, a Russian vendor of data leak prevention systems, had analyzed 3.5 billion compromised login/password pairs from the 7 collections (975 GB in total) published by hackers since the beginning of 2019.

The study identified the most frequent passwords in different segments. The overall top ten were: 123456, 123456789, qwerty, password, 12345, qwerty123, 1q2w3e, 12345678, 111111 and 1234567890. The most popular Cyrillic passwords (given here in translation; the originals are Cyrillic strings) were: "I" (the only one-character password), "password", ytsuken (йцукен, the Cyrillic-keyboard counterpart of qwerty, which took second place in 2018), "love", "hi", "love" (a second, distinct Cyrillic word), "Natasha", "Maxim", "Andrey" and "the sun".

At the same time, the shares of weak passwords (letters only or digits only) and of strong passwords (digits, letters and special characters) were practically unchanged at 42% and 3% respectively. The share of passwords shorter than 7 characters was also unchanged at 20%.

For logins that are e-mail addresses, the most popular mail services among users whose passwords were exposed were: mail.ru (4th in 2018), yahoo.com (the 2018 leader), hotmail.com, gmail.com, rambler.ru (up to 5th place from 7th in 2018), yandex.ru, bk.ru, aol.com, qq.com and list.ru.

According to Ashot Oganesyan, founder and technical director of DeviceLock, the growing number of leaks as such, and the use of weak passwords in particular, show that despite all the educational efforts of the IT industry, users by and large continue to treat the choice of passwords carelessly.

"In corporate systems, where it is possible to enforce strict password requirements, the situation is improving. But where there is no automated control, users type exactly what is in their heads, and that is "hi, I love, Natasha". At the same time, cracking an account in, say, some unimportant online service quickly lets the attacker reach more important systems afterwards, including e-mail or a messenger."
Ashot Oganesyan, technical director of DeviceLock (formerly Smart Line)

Rating of 2017: 123456 is the leader

According to Bleeping Computer, this is the conclusion reached by experts at the Californian company SplashData (maker of the TeamsID and Gpass password managers) after analyzing millions of passwords that appeared online as a result of various leaks.

"123456" is a very unreliable password, but the rest of the list of the 100 worst passwords of 2017 is no better. Sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley) and common expressions (iloveyou, letmein, whatever, blahblah) are all widely used.

Still, the true leaders of the worst-password list are first names: Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35), Andrew (#36), Andrea (#38), Joshua (#40), George (#48), Nicole (#53), Hunter (#54), Chelsea (#62), Phoenix (#66), Amanda (#67), Ashley (#69), Jessica (#74), Jennifer (#76), Michelle (#81), William (#86), Maggie (#92), Charlie (#95) and Martin (#96).

The first 25 passwords from the top 100 worst passwords of 2017:

1 - 123456
2 - password
3 - 12345678
4 - qwerty
5 - 12345
6 - 123456789
7 - letmein
8 - 1234567
9 - football
10 - iloveyou
11 - admin
12 - welcome
13 - monkey
14 - login
15 - abc123
16 - starwars
17 - 123123
18 - dragon
19 - passw0rd
20 - master
21 - hello
22 - freedom
23 - whatever
24 - qazwsx
25 - trustno1

Rating of 2016: 123456 is the leader

In January 2017 it became known that 123456 remains the most popular password in the world, according to a study published by Keeper Security. The researchers found that in 2016 at least 17% of Internet users used this password or had used it in the recent past.

The study covered a total of 10 million passwords published online after various large-scale breaches. 123456 took first place. In second place was the "more complex" 123456789, in third the "legendary" qwerty. Also present were 111111, 123123, 123321, google, 987654321 and many other "highly complex" combinations chosen "at random".

Password 123456 remains the most popular on the Internet

Although users are the first to blame for such neglect of basic security, part of the responsibility also lies with website owners, who make no attempt to introduce stricter password rules and accept easily guessed combinations.

"We can criticize users' chronic inability to use complex passwords. After all, it is for their own benefit. However, a large share of the responsibility lies with website owners who do not enforce a password complexity policy even at the most basic level. It is simple to do, and yet... all the same," the researchers state.

The Keeper Security publication points out one more interesting detail. The list of the most popular passwords contains combinations such as 18atcskd2w and 3rjs1la7qe. These passwords look random, but the frequency of their use shows that they are not.

According to the researchers, bots that automatically register new accounts with mail services use these passwords over and over. The accounts are then used for spam and phishing.

Most likely this means that mail providers are not doing enough to fight bots: identical "random" passwords are an obvious reason for serious suspicion. [2]

"Rating" of 2015: 123456 is the leader

SplashData publishes a top list of the most used passwords every year. The company gets its data from the sources that leak other people's passwords for the most diverse platforms on the Internet. In 2015 SplashData analyzed 2 million distinct passwords and compared the results with 2014.

The first and second lines, as in the previous year, were occupied by "123456" and "password". The digit string "12345678" rose to third place, displacing the simpler "12345". The famous "qwerty" also rose one line, to fourth place.

As for "meaningful" passwords, the names of sports (football and baseball) remain as popular as ever. Among the newcomers to the list were "solo" and "starwars", which clearly point to the release of the next film in the Star Wars saga. They took 23rd and 25th place respectively.

"Rating" of 2014: 123456 is the leader

In September 2014 a text file with 1.26 million logins and passwords for Yandex accounts was published online. The company claims it was not the result of a breach or a leak. Users counted that the password "123456" occurs in the file about 38 thousand times, "123456789" about 13 thousand, "111111" about 9.5 thousand and "qwerty" about 7.7 thousand. Other popular passwords included "7777777", "123321", "000000", "666666", etc.

"Rating" of 2013: 123456 takes the lead

In 2013 the word "password" stopped being the most popular password among Internet users, reported SplashData, which publishes the annual "Worst Passwords" list.

The digit string "123456" took the lead from the previous leader, the word "password", which fell to second place. Before that, "password" had headed the rating two years in a row, in 2011 and 2012.

Third place went to "12345678". The top ten also included "qwerty", "abc123", "123456789", "111111", "1234567", "iloveyou" and "adobe123".

The presence of "adobe123" in the top ten is due to what was then the largest breach in history, in which the data of 150 million users of Adobe Systems, the developer of Photoshop, was exposed.

"Rating" of 2012: Password is the leader

Trustwave's 2012 Global Security Report is devoted to the weak points in companies' information security. The report's authors investigated more than 300 incidents in 18 countries that occurred in 2011.

The report draws attention to the continuing growth of cyber attacks and to the growing number of attackers in the information security field.

Most incidents arise from organizational and administrative problems. The study found that 76% of breaches happened because of security weaknesses in the departments responsible for supporting and developing the company's systems.

The largest part of the study is devoted to weak passwords. According to Trustwave specialists, 80% of incidents are a consequence of weak passwords. Weak passwords remain the main weak spot exploited by attackers in both large and small companies.

In fact, the use of weak and default passwords makes it easier for attackers to penetrate information systems; sometimes criminals need no sophisticated, carefully planned cracking methods at all. According to Trustwave, the most used password on the network is 'Password1'. The study notes that default passwords are also typical on servers, network equipment and various user devices.

Trustwave gives a list of the most used passwords in the report. The English word 'Password' is used in 5% of cases, and 'Welcome' in 1.3%. The use of seasons and dates is also worth noting. Do not use passwords like these or their variants:

  • Password1
  • welcome
  • 123456
  • Winter10
  • Spring2010

Another problem, the study says, is that many devices and applications are used with their initial default passwords, which often grant full access rights.

"Rating" of 2011: Password is the leader

In November 2011 SplashData, a company specializing in information security, compiled a "rating of the 25 weakest passwords of 2011" based on lists of millions of real passwords stolen by hackers and published on the Internet. SplashData's "Top 25" was as follows:

  • password,
  • 123456,
  • 12345678,
  • qwerty,
  • abc123,
  • monkey,
  • 1234567,
  • letmein,
  • trustno1,
  • dragon,
  • baseball,
  • 111111,
  • iloveyou,
  • master,
  • sunshine,
  • ashley,
  • bailey,
  • passw0rd,
  • shadow,
  • 123123,
  • 654321,
  • superman,
  • qazwsx,
  • michael and
  • football.

To keep your password out of such a "hall of shame", SplashData recommends choosing strong passwords containing letters, digits and special characters; if they are hard to remember, you can use meaningful phrases with the spaces replaced by "_". Using the same password on all online services is not recommended. You can also turn to a password manager such as LastPass, Roboform, eWallet, SplashID or the free KeePass: these tools "remember" any number of passwords of any complexity for the user.

User password security

2020: Rostelecom: 80% of Russian companies do not meet basic password requirements

On June 4, 2020 Rostelecom-Solar reported that, based on its research, about 80% of companies do not follow basic password protection rules. At the same time, in practically every corporate network tested, its security assessment specialists managed to obtain administrator privileges. This would let a real attacker quietly develop the attack, with a high probability of leading to the theft of money or confidential information.

The experts warn that password-related shortcomings can lead to a complete compromise of the internal network and the leakage of confidential data critical to the organization. What makes them especially dangerous is that exploiting such shortcomings requires no special technical tools from attackers and lets them stay unnoticed in the corporate network for a long time.

The Rostelecom-Solar research is based on data obtained by the company's experts during cyber exercises, penetration tests and security assessment projects for customers in banking, manufacturing, information technology, information security and other sectors. The simulated attacks followed two scenarios: penetration of the corporate network from outside, and the actions of an internal attacker.

The most widespread errors found in external penetration testing were default passwords, weak and easily guessed passwords on user accounts (for example, "admin/admin", "admin/12345", etc.) and the absence of account lockout, which makes password-guessing attacks possible.

The main shortcoming found in internal penetration testing is employees using identical passwords on accounts with different privileges. For example, for security reasons system administrators are usually issued two accounts: a user account they work in by default, and a privileged administrative account used when needed. However, administrators often set the same password on both, which nullifies the protective measure. Rostelecom-Solar experts exploited this shortcoming in most of the corporate networks studied.

Another widespread error is storing credentials on shared resources in the corporate network or on PCs: for example, passwords in group policies, or passwords written down by ordinary employees in text files on their workstations. In this situation, even an accidental malware infection on one employee's machine becomes a critical threat to the security of the whole organization. If an attacker lands on that user's machine and finds such a file, he immediately gains control of privileged accounts and moves deep into the company.

Shortcomings in corporate password policies were also found. In particular, employees are not subject to requirements on the length of passwords or on the presence of different character classes (lowercase and uppercase letters, digits, symbols). A number of shortcomings concern password rotation: in some companies there is no such requirement, while in others it is excessive (for example, a password change every month), which usually drives employees to use overly simple combinations and to write them down on unsafe media.
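The absence of account lockout described above does not only let guessing attacks succeed; it also means the only remaining control is detection. The following is an added example, not part of the Rostelecom-Solar report: a minimal detector that reads sshd-style "Failed password"/"Accepted password" lines and flags a source address that hammers one account (brute force) or tries a few passwords against many accounts (spraying), marking the case where the same address later logs in successfully. The log lines are constructed for the example, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Added example, not from the Rostelecom-Solar report. Constructed sshd-style log lines:
# one source brute-forcing "admin" and then succeeding, one source spraying several
# accounts, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
Jun 04 10:00:01 gw sshd[2011]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Jun 04 10:00:02 gw sshd[2012]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jun 04 10:00:03 gw sshd[2013]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jun 04 10:00:04 gw sshd[2014]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Jun 04 10:00:05 gw sshd[2015]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Jun 04 10:00:06 gw sshd[2016]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Jun 04 10:00:07 gw sshd[2017]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
Jun 04 10:01:00 gw sshd[2020]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 04 10:01:01 gw sshd[2021]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jun 04 10:01:02 gw sshd[2022]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Jun 04 10:01:03 gw sshd[2023]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
Jun 04 10:01:04 gw sshd[2024]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Jun 04 10:05:00 gw sshd[2030]: Failed password for erin from 192.0.2.20 port 33000 ssh2
Jun 04 10:05:30 gw sshd[2031]: Accepted password for erin from 192.0.2.20 port 33001 ssh2
"""

# "invalid user" is what sshd prints for accounts that do not exist; it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line that matches the auth format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")


def detect_guessing(log_text, max_failures=5, max_users=3):
    """
    Classify each source IP (thresholds are assumptions for the demo):
      "brute_force": more than max_failures failures against one account
      "spraying":    failures against more than max_users distinct accounts
    A verdict gets the suffix "+success" when the same IP later logged in, which
    is exactly the outcome a missing lockout policy makes possible.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    successes = defaultdict(set)                      # ip -> users that logged in
    for _ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip][user] += 1
        else:
            successes[ip].add(user)

    findings = {}
    for ip, per_user in failures.items():
        verdict = None
        if max(per_user.values()) > max_failures:
            verdict = "brute_force"
        elif len(per_user) > max_users:
            verdict = "spraying"
        if verdict and successes.get(ip):
            verdict += "+success"
        if verdict:
            findings[ip] = verdict
    return findings


if __name__ == "__main__":
    for ip, verdict in sorted(detect_guessing(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

On the constructed log, 203.0.113.7 is reported as brute_force+success and 198.51.100.9 as spraying, while the single mistyped login from 192.0.2.20 is left alone. The "+success" case is the alert worth paging on: it is the signature of a weak or default password falling to a guesser that lockout would have stopped.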

"The basic reason behind such shortcomings is the human factor. Company staff often lack cyber literacy and, as a result, either simplify their passwords or store them in the open: in a file on the computer or on a sticky note next to the monitor. On the other hand, system administrators sometimes pay too little attention to how credentials are stored, or allow users to create weak passwords. Quite often, when new accounts are created, a simple default password is set and then not changed for a long time,"

noted Alexander Kolesov, head of the security analysis department at Rostelecom-Solar

According to the company's experts, the problem can be solved by introducing two-factor authentication. However, because of the organizational complexity and high cost of the service, many companies do not do so. A more accessible option is training employees in basic cyber hygiene: explaining the rules for creating reliable passwords and storing them safely, including with dedicated password stores and managers.

The number of users attacked by password-stealing programs grew by 72% in 2019

According to Kaspersky Lab statistics, the number of users worldwide attacked by password-stealing programs grew significantly in 2019, by 72%. Kaspersky announced this on January 28, 2020. In total, the company's products blocked such attacks on the devices of almost two million users. Password stealers can extract information directly from browsers, including logins and passwords for various accounts, saved payment card data and the contents of autofill forms.

In addition, the number of phishing attacks, in which attackers typically try to capture users' personal and payment data, grew significantly in 2019. Over that period, Kaspersky Lab solutions prevented on average 38 million attempts per month to visit fraudulent websites. Phishers follow the news closely and exploit public interest in important events and celebrities, devising official-looking lures and cunningly inducing a person to click a malicious URL or hand over personal data.

"The amount of data generated by users is constantly growing, as is its value to attackers, who, among other things, sell other people's personal information on closed forums. Various methods are used to gain access to it, including password-stealing programs and phishing. If you find out that your data has leaked from some service, you should change the password for that account immediately. There are also basic rules whose observance helps reduce the risks of possible leaks and malicious use,"
comments Tatyana Sidorina, senior content analyst at Kaspersky Lab

To protect confidential information, Kaspersky Lab recommends that users:

  • do not follow suspicious links in social networks, messengers and e-mail;
  • install a reliable security solution, such as Kaspersky Security Cloud, which has an account-check function and notifies you if your data leaks online;
  • create strong passwords for all accounts (12 characters or more, with upper- and lowercase letters, digits and special characters), change them roughly every three months, and store them properly: not on a piece of paper or in the phone, but in a dedicated password manager;
  • enable multi-factor authentication wherever possible;
  • read the user agreement before installing a program: it contains information on how the application will handle personal data;
  • give applications access only to the functions they really need; if, for example, a flashlight app requests access to the microphone or camera, that is a reason to be wary;
  • try the Privacy Checker online tool, a website collecting descriptions of privacy and confidentiality settings.

"ji32k7au4a83" appears in 141 leaks

On March 7, 2019 it became known that, despite its apparent strength, the password "ji32k7au4a83" appears in 141 leaks.

At first sight "ji32k7au4a83" looks like a far stronger password than the popular "qwerty12345". Because of its seemingly random characters, it could pass for something generated automatically, by a browser's or a password manager's password generator. Nevertheless, this string is used as a credential far more often than one would expect.

According to HaveIBeenPwned, a search service that lets users check whether their credentials appear in known leaks, "ji32k7au4a83" is found in 141 leaked databases. The first to notice this was engineer Robert Ou. On Twitter he asked users why this combination occurs so often even though at first sight it looks completely random.

"Task: explain why this happens and how this password can be cracked."
Robert Ou

The answer turned out to be very simple: "ji32k7au4a83" is not a random string at all. In Taiwan, the Zhuyin fuhao, or bopomofo, phonetic alphabet is used for learning Chinese. If you switch the keyboard to the bopomofo layout and type "my password" in Chinese, the result is "ji32k7au4a83".

This case shows that security problems can touch any language in the world, and Chinese is no exception[3].
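As an added example (not part of the original article or of Robert Ou's post), the table below is the standard Zhuyin keyboard layout printed on Taiwanese keyboards, mapping each bopomofo symbol and tone mark to the Latin key label on the same key. The script converts a bopomofo spelling to the keystrokes that actually reach a password field and back again, and includes a rough triage filter for spotting such strings in a leaked dump. The spelling of 我的密碼 ("my password") is the one that produces the string in question; the other sample strings are constructed.

```python
# Added example, not from the original article: the standard Zhuyin (bopomofo) keyboard
# layout used in Taiwan. With this layout active, every keystroke a user makes while
# "typing Chinese" is delivered to a password field as the Latin label on that key.

ZHUYIN_TO_KEY = {
    # initials
    "ㄅ": "1", "ㄆ": "q", "ㄇ": "a", "ㄈ": "z",
    "ㄉ": "2", "ㄊ": "w", "ㄋ": "s", "ㄌ": "x",
    "ㄍ": "e", "ㄎ": "d", "ㄏ": "c",
    "ㄐ": "r", "ㄑ": "f", "ㄒ": "v",
    "ㄓ": "5", "ㄔ": "t", "ㄕ": "g", "ㄖ": "b",
    "ㄗ": "y", "ㄘ": "h", "ㄙ": "n",
    # medials and finals
    "ㄧ": "u", "ㄨ": "j", "ㄩ": "m",
    "ㄚ": "8", "ㄛ": "i", "ㄜ": "k", "ㄝ": ",",
    "ㄞ": "9", "ㄟ": "o", "ㄠ": "l", "ㄡ": ".",
    "ㄢ": "0", "ㄣ": "p", "ㄤ": ";", "ㄥ": "/", "ㄦ": "-",
    # tone keys: 2nd, 3rd, 4th and neutral tone; the 1st tone is the space bar
    "ˊ": "6", "ˇ": "3", "ˋ": "4", "˙": "7",
}
KEY_TO_ZHUYIN = {key: sym for sym, key in ZHUYIN_TO_KEY.items()}
TONE_KEYS = set("6347")


def zhuyin_to_keys(spelling: str) -> str:
    """Keystrokes produced by typing a bopomofo spelling (tone marks as typed, spaces ignored)."""
    return "".join(ZHUYIN_TO_KEY[ch] for ch in spelling if ch != " ")


def keys_to_zhuyin(keys: str) -> str:
    """Inverse mapping: what a leaked Latin string reads as on a Zhuyin keyboard ('?' if no key)."""
    return "".join(KEY_TO_ZHUYIN.get(ch, "?") for ch in keys)


def looks_like_zhuyin(keys: str) -> bool:
    """Cheap triage filter for a password dump: every character is a Zhuyin key and at least
    one tone key is present. It admits false positives (for example "qwerty12345" passes),
    so treat it as a pre-filter for dictionary or human review, not as a classifier."""
    return all(ch in KEY_TO_ZHUYIN for ch in keys) and any(ch in TONE_KEYS for ch in keys)


# 我的密碼 ("my password"), syllable by syllable, with the tone key typed after each syllable.
MY_PASSWORD = "ㄨㄛˇ" + "ㄉㄜ˙" + "ㄇㄧˋ" + "ㄇㄚˇ"

if __name__ == "__main__":
    print(zhuyin_to_keys(MY_PASSWORD))        # ji32k7au4a83
    print(keys_to_zhuyin("ji32k7au4a83"))     # ㄨㄛˇㄉㄜ˙ㄇㄧˋㄇㄚˇ
    print(looks_like_zhuyin("ji32k7au4a83"))  # True
```

For a cracker the lesson is that a Chinese phrase list run through zhuyin_to_keys is just another wordlist rule; for a defender, a breached-password check that only looks at Latin dictionaries will rate such strings as strong.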

Have we reached the limit on the number of passwords?

A study by Experian conducted in Great Britain, whose results it published on August 3, 2017, revealed a growing gap between generations in how people manage their accounts. Millennials are at greater risk of identity theft because they put convenience above security. Different age groups behave differently online: some are willing to tolerate discomfort in order to feel protected, while others neglect security measures because they do not want to leave their "comfort zone".

"The Experian study showed once again that people of different generations have their own patterns of Internet use and of managing accounts, passwords and logins," noted Natalia Frolova, marketing director of Experian in Russia and the CIS. "The younger generation puts convenience first and, as a rule, has no more than 5 unique passwords for all its accounts. Moreover, such users usually sign in to multiple accounts with the same social network login. At the same time, they probably do not realize that this pursuit of convenience puts their personal information at risk. A rapid growth in identity theft affecting this age group has been noted."

More than half (55%) of respondents use the same password for several accounts. Photo: www.techregar.com

According to statistics from Experian's Hunter system, the number of identity theft victims among users under 30 in Britain grows by 5% every year, and those who live in shared housing, where several people constantly use one device to connect to the Internet, are especially vulnerable. In Britain, every third identity theft fraud is committed against this group.

The older generation has chosen the opposite line of conduct. Its representatives far more often create a separate password for each account, taking care of their data even at the expense of convenience. Every fourth Briton reported using 11 or more passwords.

Of course, it is hard to keep such a volume of information in memory, Experian noted. It is no surprise that a considerable share of people over 55 have to make a great effort to remember their login details. This strain on memory is a growing problem: 4 out of 10 respondents admitted that they are forced to use a password storage service so as not to forget anything. Constant reminders that it is better not to write passwords down but to memorize them raise vigilance, but they also raise stress. More than half (55%) of respondents use the same password for several accounts.

The Experian study also found confusion about what an account is: every third respondent (31%) admitted not knowing, and another 61% gave differing definitions. Three out of five Britons (61%) do not always understand what they are consenting to when they tick the box while registering a new profile online, and every ninth (11%) never understands it.

"The typical Briton has 26 accounts, or logins, on average, and 6 to 10 passwords in regular use," Natalia Frolova added. "Today convenience is becoming paramount for users. So the familiar and often frustrating password recovery process, in which you have to answer several "security questions" to authenticate, may lose its relevance. Perhaps we have already reached the limit on the number of passwords."

To prevent identity theft, Experian recommends:

  • Do not respond to phone calls and electronic messages from strangers.
  • Create separate passwords for different accounts, in particular for e-mail and online banking.
  • Create strong passwords consisting of three random words; they can be strengthened by adding digits and symbols and mixing upper- and lowercase letters.
  • When using public Wi-Fi networks, do not visit websites that require a password (for example, the bank, social networks and e-mail) and do not enter personal information such as bank card details.
  • Always install the latest software on your phone, tablet or computer. This improves your protection against malware.

Password theft is the main risk to corporate data security

Studies show that about 40% of all users choose passwords that are easy to guess automatically. Easily guessed passwords (123, admin) are considered weak and vulnerable. Passwords that are very hard or impossible to guess are considered more resistant. Some sources recommend generating passwords from MD5 or SHA-1 hashes of ordinary pseudorandom sequences; in such a scheme the hash only turns the random input into printable characters, so the strength comes from the quality of the random input, not from the hash function.

Password theft is the main risk to corporate data security, the experts of the Slovak antivirus company ESET warned in summer 2014. 76% of network attacks on companies became possible because of unreliable or stolen passwords (UK Department for Business, Innovation and Skills and PwC). The average damage from the loss of information depends on the type of attack and the current data protection legislation and reaches 199 euros per account. Such parameters as staff downtime, decreased productivity, reputational damage and loss of assets, including intellectual property, defy calculation (Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis).

Small and medium-sized businesses are in the focus of cybercriminals. They are not always the main target, but they often become victims because of the security weaknesses they have. According to some data, 67% of cyber attacks are aimed at small companies, while 76% of the attacks are opportunistic. 75% of the attacks are undertaken by criminals for financial gain (Verizon Data Breach Report, 2013).

66% of breaches of a company's security can go unnoticed for months, putting corporate information at risk. Among the most widespread "holes" in protection are problems with passwords: 61% of users use the same password everywhere, and 44% change their password only once a year (CSID Customer Survey: Password Habits 2012).

Passwords built by the rules of grammar are easy to crack

Researchers at Carnegie Mellon University developed an experimental password-guessing algorithm that uses grammatical rules and tested it on more than 1,400 passwords of 16 or more characters. About 18% of these passwords were made of several words joined into a short phrase by the rules of grammar. Although such passwords are easier to remember, the presence of structure significantly limits the number of possible combinations and so makes the cracking problem easier, the researchers point out.

Password length by itself does not determine its strength. The difficulty of cracking two passwords of the same length can differ greatly depending on their grammatical structure. For example, a language has far fewer pronouns than verbs, adjectives and nouns, so the password Shehave3cats, which begins with the pronoun She, is much weaker than Andyhave3cats, which begins with the name Andy.

The researchers also considered the well-known tricks of replacing letters with similar-looking digits, changing case and appending punctuation marks. In the authors' opinion, these too add little to password strength.

For most websites it is better to use simple passwords

We have all heard more than once that every account needs a unique and complex password, stored with a dedicated utility. However, researchers at Microsoft Research concluded that this approach may be wrong (data from summer 2014). At first sight, the generally accepted recommendations look quite logical.

If every website and service gets a long, complex password made of random characters, the probability of it being cracked falls sharply, and if a password is compromised only one account is at risk. Remembering a random string of 10-20 characters is quite hard, and password management utilities that keep them all in one place come to the rescue. Everything is simple. In practice, most people ignore complex passwords, let alone a unique password for every website and service. Large-scale leaks show that very few people follow the password-choice recommendations. Attitudes toward password management utilities are also very skeptical: forget the master password and you lose all your passwords at once, and if the program or service is compromised the attacker gets access to all of your information. The researchers therefore suggest using simple passwords on websites that store data of no particular value, and saving complex passwords for bank accounts. The decision is yours. If, contrary to the recommendations of security experts, you often use simple passwords anyway, perhaps it makes sense to follow this approach.

Cracking and cost of computer passwords

Password cracking is one of the most common types of attack on information systems that use password authentication or a "user name / password" pair. The essence of the attack is that the attacker obtains the password of a user who has the right to log in.

The attack is attractive to the attacker because, on successfully obtaining the password, he is guaranteed all the rights of the user whose account was compromised, and logging in under an existing account usually arouses less suspicion among system administrators.

Technically the attack can be carried out in two ways: by repeated attempts at direct authentication in the system, or by analysing password hashes obtained in some other way, for example by intercepting traffic.

The following approaches can be used:

  • Brute force. Enumeration of all possible combinations of admissible characters in the password.
  • Dictionary attack. Based on the assumption that the password consists of existing words of some language or a combination of them.
  • Social engineering. Based on the assumption that the user used personal data, such as his name or surname, date of birth, etc., as the password.

A number of tools, for example John the Ripper, have been developed for carrying out the attack.

See also: Quotations of user data in the cybercriminal market

Criteria of password strength

Based on the approaches to carrying out the attack, criteria for a password's resistance to it can be formulated.

  • The password should not be too short, as this simplifies cracking by exhaustive search. The most common minimum length is eight characters. For the same reason it should not consist of digits only.
  • The password should not be a dictionary word or a simple combination of dictionary words, as this simplifies a dictionary attack.
  • The password should not consist only of publicly known information about the user.

Recommendations for composing a password include combining words with digits and special characters (#, $, *, etc.), using rare or non-existent words, and observing the minimum length.
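The three criteria above, together with the letter-for-digit substitutions discussed earlier, can be turned into an automated check of the kind cracklib performs. The following Python is an added example written for this page, not the page's own code nor cracklib's: the word list, the sample user profile and the minimum length of 8 are constructed assumptions, and the segmentation step generalizes the "simple combination" criterion to any concatenation of dictionary words (or of the user's own data).

```python
import re
from datetime import date

# Constructed mini word list for the demonstration; a real check would load a
# full dictionary such as the one cracklib ships.
DICTIONARY = {"password", "monkey", "dragon", "sunshine", "princess",
              "football", "welcome", "summer", "hello", "secret", "love"}

MIN_LENGTH = 8  # the most common minimum mentioned in the text

# Letter-for-digit/symbol substitutions ("leet") that add little strength;
# they are undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample user whose public profile data must not appear in the password.
SAMPLE_PROFILE = ("Ivan", "Petrov", date(1990, 5, 21))


def normalize(pw):
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def segmentable(s, words):
    """True if s can be split entirely into pieces drawn from `words`.

    Dynamic programming over prefixes, so 'sunshinemonkey' is caught as a
    simple combination of two dictionary words.
    """
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in words for j in range(i))
    return bool(s) and ok[len(s)]


def personal_tokens(name, surname, birth):
    """Pieces of public profile data a password must not be built from."""
    d, m, y = f"{birth.day:02d}", f"{birth.month:02d}", str(birth.year)
    return {name.lower(), surname.lower(), y, y[2:], d, m,
            d + m, m + d, d + m + y, y + m + d}


def check_password(pw, name, surname, birth):
    """Return the list of strength criteria from the text that `pw` violates."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if pw.isdigit():
        problems.append("digits only")
    if segmentable(normalize(pw), DICTIONARY):
        problems.append("dictionary word(s)")
    alnum = re.sub(r"[\W_]+", "", pw.lower())
    if segmentable(alnum, personal_tokens(name, surname, birth)):
        problems.append("personal data only")
    return problems


if __name__ == "__main__":
    for candidate in ["1234567", "P@ssw0rd123!", "SunshineMonkey",
                      "Ivan21051990", "correct-horse-Xq7"]:
        verdict = check_password(candidate, *SAMPLE_PROFILE) or ["ok"]
        print(f"{candidate:20} -> {', '.join(verdict)}")
```

The order of the normalization steps matters: trailing digits and punctuation are stripped before the leet table is applied, otherwise the "1" in a trailing year would be turned into an "i" and the core word would survive the check.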


In summer 2014 Microsoft conducted a study of security systems and found that it is best to use short, simple passwords for websites that do not store personal information. Long, complex passwords should protect accounts on web resources containing banking data, names, surnames, passwords, etc.

Password reuse has been taboo for security experts after the huge number of hacks and personal-data leaks in recent years. The specialists' recommendations seem quite logical.

Hackers who have obtained e-mail addresses and passwords can use these credentials on other websites to gain illegal access to them. At the same time, password reuse on websites with a low level of protection against hacking is needed so that users can remember the unique codes chosen for more serious resources. Microsoft specialists nevertheless recommend that users use simple passwords on free websites that do not contain important information. It is best, IT experts say, to 'keep' long, unique passwords for banking websites and other stores of confidential information.

Passwords are like underwear: change them regularly and do not show them in public

  • Create different passwords for different accounts. If you use the same credentials to log in to different accounts, unauthorized access to even one of them threatens all the others.
  • Do not tell anyone your passwords. A password is by definition a secret word or phrase, so think carefully before giving it to someone.
  • Change passwords regularly. Even if you use a strong password, change it regularly. You may not notice unauthorized access to an account immediately, so change passwords regularly and set up a schedule for changing them so as not to forget about it!
  • Do not use information related to your identity in passwords. It is difficult to remember a set of strong passwords. To make them easier to remember, many users include names and dates that are significant to them. However, criminals can use your publicly available information and social-network accounts to obtain this data and guess the passwords.
  • Use two-factor authentication. Although creating strong passwords is the best first step to security, it never hurts to add an extra layer of protection in the form of two-factor authentication. In this case the password is supplemented with one more condition. Often this is a security code sent to the user's mobile device, without which it is impossible to log in to the account [4].

Digits and letter case do not make a password more reliable

A scientist from the University of Glasgow, together with a colleague from Symantec's research laboratory, found that digits and uppercase letters do not make a password more reliable. The results were published in autumn 2015[5][6] in the proceedings of ACM CCS 2015.

The researchers used machine-learning algorithms trained beforehand on a data set of 10 million passwords publicly available on the network. They then tested the algorithms' effectiveness on 32 million other passwords. It turned out that digits and uppercase letters do not make a password harder to guess; that effect is achieved by lengthening the password or using special characters.

The researchers say that people usually put uppercase letters at the beginning of a password and digits at the end. According to the authors, to make a password more reliable it should be lengthened and special characters added.

Methods of protection against the attack

Protection methods fall into two categories: ensuring the password's resistance to cracking, and preventing the attack from being carried out. The first goal can be achieved by checking the chosen password against complexity criteria. Automated solutions exist for such checks, usually working together with password-change utilities, for example cracklib.

The second goal includes preventing capture of the hash of the transmitted password and protecting against repeated authentication attempts in the system. To prevent interception, protected (encrypted) communication channels can be used. To make guessing by repeated authentication harder for the attacker, a limit on the number of attempts per unit of time is usually imposed (an example tool: fail2ban), or access is allowed only from trusted addresses.
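The per-address attempt limit described above, in the style of fail2ban, as an added example (not fail2ban's own code): a sliding-window lockout fed with constructed sshd-style "Failed password" lines. The thresholds (5 attempts within 10 minutes, 10-minute ban), the trusted administrator address and the ISO-8601 timestamp prefix in place of syslog's are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH "Failed password" message; the constructed sample lines
# carry an ISO-8601 timestamp prefix instead of the syslog one.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


class LoginRateLimiter:
    """Sliding-window lockout per source address (threshold values are assumptions)."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=10), trusted=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.trusted = set(trusted)          # addresses that are never banned
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> datetime when the ban expires

    def is_allowed(self, ip, now):
        """May `ip` attempt to authenticate at time `now`?"""
        if ip in self.trusted:
            return True
        until = self.banned_until.get(ip)
        return until is None or now >= until

    def record_failure(self, ip, now):
        """Register one failed attempt; returns True if it triggers a ban."""
        if ip in self.trusted:
            return False
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget failures outside the observation window
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            return True
        return False

    def process_log(self, lines):
        """Feed log lines in order; returns {ip: ban_expiry} for bans triggered."""
        bans = {}
        for line in lines:
            m = FAILED_RE.match(line)
            if not m:
                continue  # not an authentication failure line
            ts = datetime.fromisoformat(m["ts"])
            if self.record_failure(m["ip"], ts):
                bans[m["ip"]] = self.banned_until[m["ip"]]
        return bans


# Constructed sample log: one host hammering the login, one user with two
# typos, and a trusted administrator address that also fails repeatedly.
SAMPLE_LOG = [
    f"2024-01-15T10:00:{s:02d} sshd[1234]: Failed password for invalid user admin "
    f"from 203.0.113.5 port 4242 ssh2" for s in range(0, 50, 10)
] + [
    "2024-01-15T10:01:00 sshd[1235]: Failed password for alice from 198.51.100.7 port 5100 ssh2",
    "2024-01-15T10:01:30 sshd[1235]: Failed password for alice from 198.51.100.7 port 5101 ssh2",
] + [
    f"2024-01-15T10:02:{s:02d} sshd[1236]: Failed password for root "
    f"from 192.0.2.1 port 6000 ssh2" for s in range(0, 60, 10)
]


def demo():
    """Run the limiter over SAMPLE_LOG and sample a few decisions afterwards."""
    limiter = LoginRateLimiter(trusted={"192.0.2.1"})
    bans = limiter.process_log(SAMPLE_LOG)
    during = datetime(2024, 1, 15, 10, 5)
    after = datetime(2024, 1, 15, 10, 11)
    decisions = {
        "attacker during ban": limiter.is_allowed("203.0.113.5", during),
        "attacker after ban": limiter.is_allowed("203.0.113.5", after),
        "typo user": limiter.is_allowed("198.51.100.7", during),
        "trusted admin": limiter.is_allowed("192.0.2.1", during),
    }
    return {ip: t.isoformat() for ip, t in bans.items()}, decisions


if __name__ == "__main__":
    print(demo())
```

The window is pruned on every failure, so a slow guesser who stays under five attempts per ten minutes is never banned; that is the usual trade-off, and why the text pairs rate limiting with a trusted-address list rather than relying on it alone.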

Complete solutions for centralized authentication, such as Red Hat Directory Server or Active Directory, already include means for performing these tasks.

Password generation

In Unix-like operating systems the pwgen utility can be used. For example

pwgen 10 1

generates one password 10 characters long.

Methods of transmitting the password over the network

Plain transmission of the password

The password is transmitted in the clear. In this case it can be intercepted with simple network-traffic monitoring tools.

Transmission over encrypted links

The risk of password interception over the Internet can be reduced, among other approaches, by using Transport Layer Security (TLS), formerly called SSL; such functions are built into many web browsers.

Hash-based

The password is sent to the server already in the form of a hash (for example, when a form on a web page is submitted, the password is converted to an MD5 hash by JavaScript), and on the server the received hash is compared with the hash stored in the database. This method of transmitting the password reduces the risk of it being obtained with a sniffer.
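An added example (not from the page) contrasting the static client-side hash just described with a challenge-response exchange, so that the difference is visible in code: under the page's scheme the value that crosses the wire is accepted again whenever it is presented, whereas an HMAC over a fresh server nonce is valid only for that one login. SHA-256 stands in for the MD5 named in the text and the nonce size is an assumption. In both variants the server keeps H(password), which is still a password-equivalent if the database leaks, so this complements an encrypted channel and salted server-side storage rather than replacing them.

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 32  # assumption: size of the server's one-time challenge


def password_verifier(password):
    """H(password) as the client derives it; SHA-256 stands in for MD5 here."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# --- Scheme from the text: the browser sends H(password) unchanged ----------
def static_client_message(password):
    return password_verifier(password).hex()


def static_server_accepts(stored_verifier, message):
    return hmac.compare_digest(stored_verifier.hex(), message)


# --- Challenge-response: prove knowledge of H(password) against a nonce -----
def server_issue_nonce():
    return secrets.token_bytes(NONCE_BYTES)


def cr_client_message(password, nonce):
    return hmac.new(password_verifier(password), nonce, hashlib.sha256).hexdigest()


def cr_server_accepts(stored_verifier, nonce, message):
    expected = hmac.new(stored_verifier, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message)


def static_scheme_message_reusable(password):
    """Does a value observed during one static-hash login work for a later login?"""
    stored = password_verifier(password)           # server-side record
    observed = static_client_message(password)     # what crossed the wire once
    return static_server_accepts(stored, observed) # presented again later


def cr_scheme_message_reusable(password):
    """Same question for challenge-response: the server issues a new nonce each time."""
    stored = password_verifier(password)
    first_nonce = server_issue_nonce()
    observed = cr_client_message(password, first_nonce)
    assert cr_server_accepts(stored, first_nonce, observed)  # the genuine login succeeds
    second_nonce = server_issue_nonce()
    return cr_server_accepts(stored, second_nonce, observed)


def wrong_password_rejected(password, guess):
    """A response computed from the wrong password fails under the same nonce."""
    stored = password_verifier(password)
    nonce = server_issue_nonce()
    return not cr_server_accepts(stored, nonce, cr_client_message(guess, nonce))


if __name__ == "__main__":
    print("static hash reusable:", static_scheme_message_reusable("correct horse"))
    print("challenge-response reusable:", cr_scheme_message_reusable("correct horse"))
    print("wrong password rejected:", wrong_password_rejected("correct horse", "horse"))
```

`hmac.compare_digest` is used for every comparison so that the time taken does not depend on how many leading bytes match; a plain `==` on hex strings would leak that.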

Multifactor (two-factor) authentication

Main article: Multifactor (two-factor) authentication

Rules of user password management

Common methods of increasing the security of password-protected software systems include:

  • Restricting the minimum password length (some Unix systems limit passwords to 8 characters).
  • Requiring the password to be re-entered after a certain period of inactivity.
  • Requiring periodic password changes.
  • Assigning strong passwords (generated using a hardware random-number source, or using a pseudo-random number generator whose output is processed by a strong hash function).

For his own security, the user should consider several factors when composing a password:

  • if possible, its length should be more than 8 characters;
  • the password should contain no dictionary elements;
  • not only lowercase but also uppercase letters should be used;
  • the password should consist of digits, letters and special characters;
  • the password should differ from the login (user name);
  • a new password should be chosen when registering on each new website.

What can be used instead of a password

In 2004 Bill Gates predicted the death of password protection, and since then its scope has been weakening gradually. Although passwords are known as one of the oldest security tools in the world of software and the Internet, they let users down more and more often, failing the task of protecting the most valuable information. The weak link of password protection is poor manageability: people are simply tired of it. Practically each of us has a set of online accounts: banking, medical, online stores and social networks. On average there are 40 accounts per person. Remembering a different password for each of them is impracticable, so people resort to all sorts of tricks[7].

The numerous ways in which reusable passwords can be compromised have contributed to the development of other methods. Some of them are becoming available to users seeking a safer alternative.

  • One-time passwords
  • Biometrics
  • Single sign-on technology
  • OpenID

Iris scanners

The next step in the development of iris-recognition software is a gesture-recognition system. It will allow users to unlock phones or log in to bank accounts based on eye movements. One of the elements of the template it will take into account is blinking. In the future this biometric password could be rolled out on all mobile devices and computers.

Brain waves

Instead of requesting a password at login, the computer could measure the user's brain waves, integrating with a wearable electroencephalography device. Sensors would scan brain activity, which could then be used to trigger a certain program action, for example unlocking a mobile device.

That password protection has become outdated has been a subject of active discussion for the last two decades; however, it never had so many alternatives. Today, at the dawn of contactless authentication, there are fewer reasons to return to protection by static passwords that are easy to guess. There are more options for this than ever before, from two-factor authentication to biometrics and hardware keys, which allow you to protect your company and its valuable data.

Heart-rhythm templates

Researchers have invented a way to use captured heart-rhythm samples for security. Tracking is performed using wearable devices that record people's heart rhythms and turn an electrocardiogram into unique keys that can unlock phones or open applications.

Hardware keys

Moving the identification procedure offline using a physical key may seem outdated, but what matters is that it provides reliable protection against hackers. Hardware security keys with USB, NFC or Bluetooth connectors can be used for safe and reliable switching between smartphones, notebooks and computers. FIDO (Fast ID Online) security tokens work as follows: users connect them to the computer to authenticate the account, and then they can be disconnected. This is a convenient solution for employees who work with devices not only at the office but also at home.

SMS

In the consumer sector, SMS is increasingly used as a form of verification at login to online services. For this purpose users provide a phone number, which is usually linked to the account beforehand. At login they submit the phone number and receive an SMS, which they then have to enter. No password is required.

Fingerprint identification technology

Touch ID technology has existed for several years, but it still depends on password entry: after a timeout expires, access can fall back to a PIN code. It is possible that in the future, in addition to mobile phones, other devices will be unlockable by touch: notebooks, computers, cars and even front doors. By encouraging employees to make wider use of fingerprint identification as part of multifactor authentication, for example together with a PIN code, an enterprise will thereby ensure greater safety.

Digital fingerprint

Analysis of device characteristics can be used as one form of password, provided that the behaviour of the network, the devices and their location repeats regularly. These characteristics form a "digital fingerprint", and if unusual activity is detected (for example, a login from a place where the device logically should not be, or a login from someone else's computer), access will be denied or a security check will be triggered for the account: the user will be sent an e-mail warning of the login to their account, or a push notification.
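The "digital fingerprint" check, as an added example not taken from any product: an account profile of previously seen devices and countries, plus an impossible-travel test between consecutive logins that catches the "place where the device logically should not be" case. The login records, coordinates and the 900 km/h plausibility limit are constructed assumptions; "step_up" is the outcome where the e-mail warning or push notification mentioned above would be sent.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: anything faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def login(ts, device, country, lat, lon):
    """Build one login record (constructed sample data)."""
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "country": country, "lat": lat, "lon": lon}


def assess_login(history, attempt):
    """Compare an attempt with the account's earlier successful logins.

    Returns 'deny' when the device could not physically have travelled from the
    previous login location in the time elapsed, 'allow' when both the device
    and the country have been seen before, and 'step_up' otherwise (new device
    or new place: notify the user and require an additional factor).
    """
    if history:
        last = history[-1]
        hours = (attempt["ts"] - last["ts"]).total_seconds() / 3600
        dist = haversine_km(last["lat"], last["lon"], attempt["lat"], attempt["lon"])
        if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            return "deny"
    seen_devices = {h["device"] for h in history}
    seen_countries = {h["country"] for h in history}
    if attempt["device"] in seen_devices and attempt["country"] in seen_countries:
        return "allow"
    return "step_up"


# Constructed history for one account: a laptop used from Berlin.
HISTORY = [
    login("2024-01-15T08:00:00", "laptop-1", "DE", 52.52, 13.405),
    login("2024-01-15T09:00:00", "laptop-1", "DE", 52.52, 13.405),
]


def demo():
    """Evaluate a few constructed login attempts against HISTORY."""
    return {
        "same device, same city":
            assess_login(HISTORY, login("2024-01-15T10:00:00", "laptop-1", "DE", 52.52, 13.405)),
        "same device, Munich 1h later":
            assess_login(HISTORY, login("2024-01-15T10:00:00", "laptop-1", "DE", 48.137, 11.575)),
        "new phone in Berlin":
            assess_login(HISTORY, login("2024-01-15T10:00:00", "phone-7", "DE", 52.52, 13.405)),
        "laptop in Sydney 30 min later":
            assess_login(HISTORY, login("2024-01-15T09:30:00", "laptop-1", "AU", -33.87, 151.21)),
        "first login ever":
            assess_login([], login("2024-01-15T10:00:00", "laptop-1", "DE", 52.52, 13.405)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:32} -> {decision}")
```

Berlin to Munich in an hour (about 500 km) stays under the limit and the device is known, so it is allowed without friction; the same laptop appearing in Sydney half an hour after a Berlin login is denied outright rather than merely challenged, because no legitimate user could have produced that pair of events.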

Signature recognition

Every time you pay with a bank card or have to sign a digital screen with an electronic pen, signature-recognition systems are used to confirm your identity. In this case the system compares your signature with the specimen signature stored in the banking system.

However, this is not a simple comparison of two pictures. The security software does not just place two images side by side to check whether they match or at least are similar. In fact, the signature-recognition system compares the way the two images were created, searching for an identical behavioural pattern.

Advantages and shortcomings

Although forging a signature may seem quite simple, it is nevertheless impracticable to reproduce the speed of writing and the pressure applied at the same time. So signature-recognition systems using the most advanced technologies are becoming an ideal replacement for passwords in transactions, for example with corporate bank accounts.

However, like all other identification methods, this one has its minuses. One of the main shortcomings is that for a variety of reasons each of us may sign differently, and this is a serious problem. For a system to be practical, it must be able to distinguish, for example, a signature made slowly because of an injury from one made slowly in an attempt to forge it.

Besides, at least for now, it is not an entirely effective method of accessing services. Indeed, when you sign something while paying, these data are not used in real time. Instead, the data go to your bank, where they will be checked later.

Nevertheless, the shortcomings of signature-recognition systems do not close the door on this technology. It is quite probable that future corporate banking operations will be authorized simply by a signature on a tablet or smartphone.

Passwords based on emoji

As of summer 2015, the British company Intelligent Environments claims to have invented a way to use a row of emoji, pictures expressing emotions, to replace the digital PIN code on a smartphone, so that our brain can remember the sequence more easily: people remember a meaningful series of pictures more easily than numbers. The use of an "emotional" PIN code is based on the evolutionary ability of people to remember images. Besides, the increased complexity of this method makes it harder to guess the PIN code.

A traditional four-digit PIN is four digits from 0 to 9 with repetitions allowed, which gives only 10^4 = 10,000 combinations. The number of "emotional picture" combinations is 44^4 = 3,748,096, which, as you can see, is much more.

It should be noted that this technology is most likely the future, and a rather distant one.

History of passwords

Passwords have been used since ancient times. Polybius (201 BC) describes the use of passwords in Ancient Rome as follows:

The way they ensure safe passage at night is as follows: from the ten maniples of each class of infantry and cavalry, the one stationed in the lower part of the street, the commander chooses a man who is exempt from guard duty; he goes every night to the tribune and receives from him the password, a wooden tablet with a word on it. He returns to his unit and then passes the password and the tablet to the next commander, who in turn passes the tablet to the next.

Passwords have been used in computers from their earliest days. CTSS from MIT, which appeared in 1961, was one of the first open systems. It used the LOGIN command to request the user's password.

Robert Morris proposed the idea of storing passwords in hashed form for the UNIX operating system. His algorithm, known as crypt, uses a 12-bit salt and invokes a modified form of the DES algorithm 25 times, reducing the risk of a dictionary attack.
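The effect of Morris's salt, and of the server-side comparison mentioned under "Hash-based" above, as an added example (not the crypt implementation): PBKDF2-HMAC-SHA-256 with a random 16-byte salt stands in for salted DES, the iteration count and salt length are assumptions, and two constructed users who chose the same password show why an unsalted table can be reused against everyone while a salted store cannot. The multiplier function makes the 12-bit salt concrete: every dictionary entry must be hashed under each of the 4096 possible salts before a precomputed table is useful.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor for this demo
SALT_BYTES = 16       # assumption: random salt length (crypt used 12 bits)


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # OS random source, never a user-chosen value
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def unsalted_hash(password):
    """What a store without salt would keep: identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_cost_multiplier(salt_bits):
    """Factor by which a precomputed dictionary grows when every entry must be
    hashed under each possible salt value (2**12 = 4096 for crypt's 12-bit salt)."""
    return 2 ** salt_bits


def demo():
    """Two constructed users who happen to have chosen the same password."""
    users = {"alice": "summer2019", "bob": "summer2019"}
    salted = {u: hash_password(p) for u, p in users.items()}
    plain = {u: unsalted_hash(p) for u, p in users.items()}
    return {
        "unsalted_digests_collide": plain["alice"] == plain["bob"],
        "salted_digests_collide": salted["alice"] == salted["bob"],
        "alice_correct_password": verify_password("summer2019", salted["alice"]),
        "alice_wrong_password": verify_password("Summer2019", salted["alice"]),
        "crypt_salt_multiplier": dictionary_cost_multiplier(12),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

Storing the iteration count alongside the salt lets the work factor be raised later without invalidating existing records: old entries keep verifying with their recorded count and can be re-hashed at the user's next successful login.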

See Also

Notes

  1. NordPass: Here are the most popular passwords of 2019
  2. [1]
  3. What makes the combination "ji32k7au4a83" a terrible password?
  4. TeamViewer, the software provider for remote device control and interactive collaboration, celebrates World Password Day (May 5, 2016) and shares simple and effective tips for protecting credentials. In addition to creating strong passwords, TeamViewer strongly recommends that users apply two-factor authentication as an additional level of protection against unauthorized access.
  5. Monte Carlo Strength Evaluation: Fast and Reliable Password Checking
  6. Digits and letter case do not make a password more reliable
  7. Identification and access control: what methods will appear in the future?