According to a not-at-all recent report by Keeper (see below), there’s a 50/50 chance that any user account can be accessed with one of the 25 most common passwords, this can be leveraged within Digital Forensics.
And there’s a 17% chance that the password is 123456.
This strikes me as absolute rubbish, but it got me thinking, if I want to get unfettered access to some user accounts, and I don’t really care which accounts, rather than using ‘brute force’ by trying many passwords for one user account, it makes much more sense to flip that and try one password on many user accounts.
If Keeper are right (and not misinterpreting the data which I’m totally not accusing them of doing), then I could try the password “123456” on a random selection of accounts and for 1 in 5 attempts I’d be in like Flynn.
So I tried exactly this on Reddit, copy/pasting usernames into the sign in form, leaving the password as 123456 and clicking login. Over and over again.
Of the 30 user names I tried, this password worked for 0 of them. A strike rate of roughly 0%.
So, manually copy/pasting user names into the sign in form is a big fat waste of time.
I should give up.
Or scale up.
This function will open the Reddit sign in page (using Puppeteer) and try signing in with a variety of passwords.
I could just call this function with a bunch of usernames and look at the output to see the user name/password combos it tried and which it got right…
…but that involves more faffing about than I’m willing to endure.
So, I wrote a Chrome extension (no you can’t have it) that picks up all the user names on a page and sends them to my server which runs the script above.
When the script finds a password for a user, it sends it back to the browser and the extension adds a little tag next to the user’s name like so:
(I also email myself any successes, because sometimes I’ll need to queue up the guessing for later — when I hit a rate limit, Reddit is super helpful and tells me exactly how many seconds I need to wait until I can start guessing again.)
I must admit, the first time I saw a user’s password hovering just to the right of their name, it put a little evil smile just below my nose. I immediately logged in as the user and had a bit of a poke around in their profile page. I saw the reset password button, the checkbox to log them out everywhere else…
…but as fast as it had come, my excitement faded.
Like sharing a vegan platter for two, I had no beef with this person. They were an ordinary, harmless internet citizen, they didn’t deserve to be a target.
So I closed the tab, shut down my server and forgot about the whole endeavour.
No, wait, I’m a bad guy — I almost forgot!
So, I attempted to go one level deeper. I took note of the email that they had listed in their account page and tried logging into it with the same password.
Dammit, they’d used a different password for their email account. Like a flat-earther who accepts that climate change is happening, they were dumb, but not that dumb.
Luckily there is no shortage of people ignoring all good password advice; in almost every comment thread there were one or two accounts proudly displaying their passwords right next to their user names. All courtesy of some code that took, like, four hours to write.
I soon extended beyond Reddit to other sites (where usernames are visible) with varying levels of success. (For some reason, forums about trains are virtually impenetrable, while people on bird-watching forums are totes clueless. Maybe they’re too busy thinking about blue footed boobies and crested throat warblers to be crafting hard-to-guess passwords.)
If it’s not obvious, I should point out that I’m not interested in the user accounts of ornithologists per se. I’m interested in finding an entry point into the online world of individuals who are bad with passwords.
It’s like the classic Nigerian email scams. There aren’t many people left who will fall for it, but when you find someone who will, they’re ripe for the picking. And finding them is cheap — it’s a good recipe.
Of all the accounts with simple passwords, a small but healthy share listed an email address in the profile page that could be accessed with the same password. And from there, it’s not hard to reset other passwords and eventually get into the target’s bank account, raising transfer limits (answering ‘proof of identity’ questions is easy when you’ve got every email a person’s ever sent) and shuffling their money off to somewhere it will be more useful to me.
You know, it’s true what they say: if you do what you love you’ll never work a day in your life.
My little operation has outgrown the browser extension now and scaled up to trawl sites for masses of user names to test against those most common of passwords. My single server has grown to a reverso-brute-forcing farm with constantly rotating IP addresses churning away day and night. (Yes, even in the dark!)
I’ve automated finding an email address on the account page of various sites and trying to log into that, so I only need to get involved when I’ve got the keys to the kingdom of someone that apparently thought no harm would come from having a password like 123456, on multiple accounts.
I almost feel bad for them.
Back to reality
I think there will always be end users who create the simplest password they’re allowed to. So the onus is on us (developers, security folk, etc.) to ensure that insecure passwords simply aren’t possible.
I guess this whole (fictional) story is a preamble to a plea to the few people who are still doing security wrong.
Every site (yes you, Reddit) should be enforcing password strength. And if you ask me, every site that has allowed crap passwords in the past should be working on forcing these to be updated.
And please stop spreading the misinformation that a password must contain uppercase/lowercase letters, numbers and punctuation to be secure.
If you’re telling a user that their 26-character passphrase isn’t secure enough (ahem, Microsoft), then you’re making it harder for that user to create an easy-to-remember/hard-to-crack password.
And if you allow truly terrible passwords like
[email protected] because your strength checking logic is blunt, you’re doing your users a double-disservice (ahem, Microsoft).
I’d recommend testing the strength of a password with something clever, like zxcvbn — a “password strength estimator inspired by password crackers” by Dropbox. I first heard of zxcvbn 4 minutes ago and have been a big fan ever since. (Have a play here, it’s fascinating.)
If you really want to help your less savvy users pick a secure password, inform them of the correct horse battery stapler concept on your sign up page (
5f7ty^GF$H`@2 is difficult to crack, but
this is difficult to crack is thousands of times harder).
One of these days, we’re going to see a user in the Litigious States of America successfully sue an organisation for allowing them to have an easily-guessed password. The EU will make minimum password-strength requirements mandatory, and blog posts like this will become obsolete.
What the Most Common Passwords of 2016 List Reveals [Research Study]
By Darren Guccione, Co-founder and CEO of Keeper Security
Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of people are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.
Using external, public data sources we scoured 10 million passwords from data breaches that happened in 2016. A few things jumped out:
- The list of most-frequently used passwords has changed little over the past few years.. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
- Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that, as we’ve reported, today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.
- The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
- Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.
We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.
Here are the results and additional analysis of the study:
Methodology and other notes:
- This study included 10M passwords across a variety of data breaches that occurred in 2016 (Breaches that were announced in 2016, but actually occurred prior to 2016 were not considered for this study)
- Outliers (passwords that only appeared in 1 breach) were not considered for this study
- The password “
mynoob” only occurred in two breaches, which were gaming-related sites
- The speed of a successful brute force attack depends on
- Keeper is zero-knowledge and has no access to user data (therefore Keeper data was not used in this study)