Architecting Security Password Patterns

4/10/2014

Password Patterns :Architecting Security


Password Patterns
Posted September 11, 2010 at 00:01

In December 2009, a critical data breach was experienced on the Internet. Around 32 million user passwords of the rockyou.com web portal were stolen by a hacker who had used SQL injection for his attack. He obtained all passwords and made them anonymously (i.e. without usernames) available for download on the Internet. Security experts started analyzing the passwords, and Imperva released a study regarding the security level of the passwords. They came up with the following results:

Key findings
- About 30% of users chose passwords whose length is equal to or below six characters.
- Almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords.
- Only 0.2% of Rockyou.com users have a password that could be considered strong based on the NASA recommendations, which require that the password be eight characters or longer and contain a mixture of special characters, numbers and both lower and upper case letters.

The most commonly used 20 passwords

 1. 123456        11. Nicole
 2. 12345         12. Daniel
 3. 123456789     13. babygirl
 4. Password      14. monkey
 5. iloveyou      15. Jessica
 6. princess      16. Lovely
 7. rockyou       17. michael
 8. 1234567       18. Ashley
 9. 12345678      19. 654321
10. abc123        20. Qwerty

Password Length Distribution


As the figure shows, ca. 60% of the passwords are quite insecure and contain either only lower case/only upper case characters or only numeric values. The remaining 40% of the passwords are more secure and contain mixed letters, numbers and/or even special characters. As security experts always repeat, a secure password must contain lower and upper case letters, numbers and special characters. This makes passwords more secure against brute-forcing and dictionary attacks.

At this point, the following question arises: do two passwords which have the same length and both contain the same number of lower/upper case letters, numbers and special characters provide the same security level? The answer is no. Consider the following two passwords: "z6iFk#rdlr" and "Password1.". Both passwords contain 7 lower case characters, 1 upper case character, 1 number and 1 special character. But the first one is more secure than the second one, since it seems to have been randomly generated. The second password, on the other hand, contains a pattern which can jeopardize its security. If many passwords share the same pattern, this can be misused to execute automated attacks similar to dictionary attacks. This password pattern consists of the following aspects:
- The first letter is a capital letter.
- The password is based on a dictionary word.
- A number and a special character are appended to the dictionary word, in that order.

People with security in mind would like to follow the recommendations for choosing secure passwords, but they are also not capable of remembering randomly generated complicated passwords. My feeling was always that they have found a middle way: they choose a mixed password that they can still easily remember. This idea has led them to apply "password patterns". In order to check my ideas about this issue, I made a further analysis of the 32.6 million passwords.
The aim of my analysis is to define some security patterns and check their usage ratio within the password list.

The Analysis

For the analysis, I imported 32.6 million passwords into a database table (the exact number is 32,603,348). I used the [:alpha:], [:digit:] and [:punct:] definitions to group the different character sets within passwords. These definitions represent the following character sets:

[:alpha:]  Any alpha character, A to Z or a to z
[:digit:]  Only the digits 0 to 9
[:punct:]  Punctuation symbols (i.e. . , " ' ? ! ; : # $ % & ( ) * + - / < > = @ [ ] ^ _ { } | ~)


Password Patterns

The first pattern I analyzed is the "concatenation" of different character sets. According to this pattern, people append one character set to another set or sets (for example, "password." or "password1."). The first one is an example of alpha+punct dual concatenation. The second one is an example of the alpha+digit+punct triple concatenation password pattern. The second pattern I analyzed is the "replacement" of certain alpha letters. According to this pattern, people replace certain alpha letters in passwords with a digit or punctuation character. As an example, "passw0rd" can be given (the letter o is replaced with the number zero).

1. Concatenation Password Pattern

People concatenate different character sets to each other. For example, they append a single number (mostly 1) or the "." symbol to dictionary words. In the following sections the frequencies of all possible concatenations between different character sets are given.

1.1. No Concatenation

For the sake of completeness, I analyzed the "no concatenation" case as well. That means I searched for the passwords containing only alpha, digit or punctuation characters. The following table shows the number of occurrences in the password list for each character set. According to the results, 44% of passwords contain only alpha characters (i.e. lower and/or upper case letters).

alpha   14,366,751 (44%)
digit    5,192,998 (16%)
punct        4,860 (0.015%)

1.2. Dual Concatenation

In this pattern, I searched for the passwords that belong to any of the "alpha+digit", "alpha+punct" or "digit+punct" concatenations (and their reverse combinations as well). For the alpha characters, it is not considered whether they form a dictionary word or not, but it can be said that the majority are dictionary words. The following table shows the frequencies of the possible concatenations.

Alpha+Digit   9,834,095 (30%)
  mekster11, khas8950, emilio1, holiday2, caitlin1, cats13, toohott69, cheer99, may2204, betteroff6, love1129

Alpha+Punct   240,993 (0.74%)
  olives!, skittles?, cheaphat!, skating., junkbox!, easymac*, itsmiller!, balboa!, bobbiedee!, hotbitch., password!, sowhat?, iloveyou!, redbag., yankees!, princess!, iluvyou!

Digit+Alpha   895,916 (2.75%)
  04maxima, 33orange, 12344321a, 1234567a, 118jefferson, 98101ef, 36987l, 1sweetness, 1simpleplan, 1loveyou, 5pointstar, 98765432q, 12345a, 1capital, 123xyz, 16inches, 50cent

Digit+Punct   12,646 (0.04%)
  78963., 13659*, 83593113$$, 123456], 369*, 1977.., 022590!!, 8825##, 92102310., 3636369., 1457., 963., 24824**

Punct+Alpha   16,090 (0.05%)
  *forever, !cheeky, $tevenrules, *phsyco, angel, []dauoa, !qwert, !loveu, $prite, .com, *Twist, $upersonic, *jordan, $tennis, *jessica

Punct+Digit   3,395 (0.01%)
  ,123456, /8520, *41681, .31331, $$$4369, +2511161897, .09164232572, -11185, !034780, ~@~@~@123, *13961, ****1, ~123456, {0106860511

1.3. Triple Concatenation

In this pattern, I searched for the passwords that belong to any of the following triple combinations: "alpha+digit+punct", "alpha+punct+digit", "digit+alpha+punct", "digit+punct+alpha", "punct+alpha+digit" or "punct+digit+alpha". For the alpha characters, it is not considered whether they form a dictionary word or not, but it can be said that the majority are dictionary words.

Alpha+Punct+Digit   82,151 (0.25%)
  kaitlyn.1, poopp

Alpha+Digit+Punct   185,610 (0.57%)
  teenager1@, abc123., karl143., windowsxp1!, kelvin258/, jessie18;, pretti7*, jordans07., JUNE24,, briana20., softball4!, blue42!, space1*, class08!, sonny21., mkjoy8!, Mas28@*, abc123!, roach89!, any83*

Digit+Alpha+Punct, Digit+Punct+Alpha, Punct+Alpha+Digit, Punct+Digit+Alpha
  13,298 (0.04%) and 18,218 (0.06%) are the two counts given for these four columns.

2. Replacement Password Pattern

Alpha letter replaced with a digit

i/l -> one (1)    57,456   1loveyou, P1ayer, mel1ssa, stup1d, denn1s, w1lliams, f1lipana, pr1ncess, 1srael**
s -> five (5)      9,867   du5tin, ju5tin, east5ide, augu5t, it5easy, eclip5e
b/g -> six (6)     7,059   straw6erry, soccer6irl, short6one, hun6ry
g -> nine (9)      6,599   an9els, en9ine

Alpha letter replaced with a punctuation character

s -> $     n.a.   $prite, be$tfriend, ju$tin, two$hort, $pecial, $ummer, $upersonic, $tevenrules, $outh
i/l -> |   n.a.   love|y, my|ove, actual|y, M|ChElLe
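The grouping behind sections 1 and 2 can be reproduced over any password list. The following Python script is an added example, not the author's database queries: it collapses each password into the same alpha/digit/punct concatenation structure, undoes the digit and punctuation replacements listed above against a small wordlist, and tabulates frequencies the way the tables do. The sample list and the wordlist are constructed stand-ins, not RockYou data.

```python
from collections import Counter

# Constructed sample standing in for the RockYou list; not real data.
SAMPLE = ["123456", "password", "password1", "password.", "password1.",
          "kaitlyn.1", "1loveyou", "*forever", "78963.", ",123456",
          "passw0rd", "ju5tin", "z6iFk#rdlr", "Password1."]

# Small constructed wordlist (stands in for a real dictionary file).
WORDS = {"password", "justin", "princess", "angels", "forever", "sprite"}

# Substitutions the article lists (i/l->1, s->5, b/g->6, g->9, s->$, i/l->|)
# plus the o->0 example from its introduction; value = letters it may stand for.
LEET = {"1": "il", "5": "s", "6": "bg", "9": "g", "0": "o", "$": "s", "|": "il"}

def char_class(c):
    """Map one character to the POSIX class the article groups by."""
    if c.isalpha():
        return "alpha"
    if c.isdigit():
        return "digit"
    return "punct"

def structure(pw):
    """Collapse runs of the same class: 'abc123.' -> 'alpha+digit+punct'."""
    classes = [char_class(c) for c in pw]
    runs = [cls for i, cls in enumerate(classes) if i == 0 or cls != classes[i - 1]]
    return "+".join(runs)

def replaced_word(pw, words=WORDS):
    """Return the dictionary word a password spells once its leet substitutions
    are undone, or None if no reading of it is a known word."""
    candidates = [""]
    for c in pw.lower():
        # A leet character branches into every letter it may stand for.
        candidates = [p + o for p in candidates for o in LEET.get(c, c)]
    # Require at least one actual substitution, so plain words do not match.
    hits = [w for w in candidates if w in words and w != pw.lower()]
    return hits[0] if hits else None

def tally(pws):
    """Frequency table of structures: {structure: (count, percent of list)}."""
    counts = Counter(structure(p) for p in pws)
    return {k: (n, round(100.0 * n / len(pws), 2)) for k, n in counts.items()}

if __name__ == "__main__":
    for s, (n, pct) in sorted(tally(SAMPLE).items(), key=lambda kv: -kv[1][0]):
        print(f"{s:32} {n:3} ({pct}%)")
    for pw in SAMPLE:
        if replaced_word(pw):
            print(f"{pw} -> {replaced_word(pw)}")
```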

3. Additional Patterns

There are also some additional interesting password patterns within the list that can be taken into consideration:

Dates                        4,167   4/30/04, 12/02/03, 06/27/00, 19/03/1988
Keyboard sequences           n.a.    123456 (in top 10), 12345678 (in top 10), qwerty (in top 20), qwertz (97), asdf (157), asdfg (1,190), asdfgh (2,908)
Keyboard reverse sequences   n.a.    654321 (in top 20), trewq (14), ytrewq (160)
Starting with #1             8,617   #1kingsfan
Ending with 1.               3,047   dark1.
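The patterns in this section, together with the "Password1." shape discussed at the start of the article, are exactly what a registration-time policy check would want to reject. This Python checker is an added example (not from the original post) that flags them; the keyboard rows, the accepted date formats, the two-digit-year handling and the minimum sequence length are assumptions.

```python
import re
from datetime import datetime

# Keyboard rows of the US layout plus the German 'qwertz' row, which the
# article also found; sequences are matched forwards and reversed (assumed set).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "qwertzuiop", "asdfghjkl", "zxcvbnm"]

# d/m/y or m/d/y with a two- or four-digit year, as in the article's examples.
DATE_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{2}|\d{4})$")

# Capital letter, lower-case word, digits, then ASCII punctuation: 'Password1.'.
CAP_WORD_DIGIT_PUNCT = re.compile(r"^[A-Z][a-z]{2,}\d+[!-/:-@\[-`{-~]+$")

def is_keyboard_sequence(pw, min_len=4):
    """True if the whole password is >= min_len adjacent keys read forwards
    (qwerty, asdfgh) or backwards (ytrewq, 654321)."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def is_date(pw):
    """True for calendar dates such as 4/30/04 or 19/03/1988, trying both
    month/day and day/month order."""
    m = DATE_RE.match(pw)
    if not m:
        return False
    a, b, y = (int(g) for g in m.groups())
    year = y if y > 99 else 2000 + y          # two-digit years assumed 20xx
    for month, day in ((a, b), (b, a)):
        try:
            datetime(year, month, day)
            return True
        except ValueError:
            continue
    return False

def pattern_flags(pw):
    """Names of the article's common patterns that a candidate matches
    (empty list: none of them applies)."""
    flags = []
    if is_keyboard_sequence(pw):
        flags.append("keyboard sequence")
    if is_date(pw):
        flags.append("date")
    if pw.startswith("#1"):
        flags.append("starts with #1")
    if pw.endswith("1."):
        flags.append("ends with 1.")
    if CAP_WORD_DIGIT_PUNCT.match(pw):
        flags.append("capitalised word + digits + punct")
    return flags

if __name__ == "__main__":
    for pw in ["qwertz", "ytrewq", "19/03/1988", "#1kingsfan", "dark1.", "Password1.", "z6iFk#rdlr"]:
        print(f"{pw:12} {pattern_flags(pw) or 'no common pattern'}")
```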

The Symbols

People prefer using certain symbols more commonly than others. The most commonly used punctuation character is the point (.) with 0.7%. The second one is the underscore (_) with 0.58% and the third one is the exclamation mark (!) with 0.55%. The frequency of each punctuation symbol in the password list is given in the following table.

.   226,980 (0.7%)
,    27,722 (0.09%)
"     3,172 (0.01%)
'    16,097 (0.05%)
?    24,744 (0.08%)
!   179,666 (0.55%)
;    14,378 (0.044%)
:     7,239 (0.022%)
#    60,016 (0.18%)
$    31,501 (0.1%)
%    11,282 (0.03%)
&    28,553 (0.088%)
(    16,557 (0.05%)
)    18,349 (0.056%)
*    95,400 (0.3%)
+    24,000 (0.073%)
-   126,908 (0.39%)
/    37,836 (0.12%)
<    11,856 (0.036%)
>     2,755 (0.008%)
=    18,741 (0.057%)
@   104,336 (0.32%)
[     7,722 (0.02%)
]    10,731 (0.033%)
^     5,863 (0.018%)
_   187,603 (0.58%)
{     1,056 (0.003%)
}       933 (0.003%)
|       506 (0.002%)
~     5,823 (0.018%)
      4,149 (0.013%)

Conclusion

In my pattern analysis, the following statistical results have come out:
- The most commonly used special character is . (point).
- The most commonly used dual concatenation of alpha-digit-punct characters is "alpha+digit" with 30%.
- The most commonly used triple concatenation of alpha-digit-punct characters is "alpha+punct+digit" with 0.57%.
- For the replacement pattern, replacing the letter i or l with the number 1 is the most commonly used pattern.

Password patterns might be the next generation of dictionary attacks. By revealing common password patterns, hackers can enhance their tools to run pattern-based brute-force attacks. Finally, I suggest the following measures against password patterns:
- Do not choose and use any password based on a common pattern!
- Let a random password generator (e.g. the pwgen Firefox add-on) create strong passwords for you.
- If you are bad at remembering passwords, create a single strong password (i.e. a master password), remember it and use a password manager (e.g. Sxipper, KeePass) protected with the master password. Then let the password manager generate strong unique passwords and store them for you.

Filed under: Password Security

12 Responses to this post

1. Mikhail Utin on September 13th, 2010 20:30
While the article will definitely help in future writing of password cracking tools, it is great for improving password security as well. I think that MS and others advising on password security inside OS installation should include some advice from this article. Good job hacker!

2. Brian Svidergol on September 13th, 2010 20:35
The next step should be to use this information in an attempt to crack passwords (thus validating that you've improved over a standard dictionary or brute force attack). Example: Obtain another set of random user passwords that are publicly available and brute force them while recording the length of time to get each password (and the total time to get 50%, 75%, etc.). Then, write up a routine to brute force them while using your password pattern information (placing emphasis on alpha+digit and the preferred punctuation). What kind of gains (if any) are seen? And, what do you lose (I'm thinking you may more quickly get the weak passwords but slow down the ability to get the stronger passwords). Interesting though.

3. Munyaradzi on September 14th, 2010 01:06
The reason people choose password patterns is to assist in remembering the passwords. Humans are not good at remembering passwords like *au&*99klhJ. We need patterns for cognition. And the fact that every service requires a password makes it worse because I will have to remember 10+ passwords of that nature. In my humble opinion, passwords should be done away with soon before we start afflicting ourselves with "denial of service" as a result of "password amnesia" or, better yet, as a result of a multitude of "forgot password" page requests! Perhaps the use of certificates or something used across various vendors will be good. Of course this has security implications, but a challenge+response should work it out.

4. Tweets that mention Password Patterns :Architecting Security -- Topsy.com on September 14th, 2010 08:36
[...] This post was mentioned on Twitter by Gabriel Marti, Dr. Emin İslam Tatlı. Dr. Emin İslam Tatlı said: Password Patterns – http://www.architectingsecurity.com/2010/09/11/password-patterns/ [...]

5. evil jimmy on September 14th, 2010 09:37
The author says the password "z6iFk#rdlr" is more secure than "Password1.". This is only true for certain threats (can my password easily be guessed by others). I think the first is less secure because of another threat (me forgetting my password and not allowing me to read my mail). Most advisories about secure passwords focus on complex character sets in the passwords. But increasing the length of the password using only lowercase characters helps against both threats: the password is hard to guess for others and easy to remember for me.

6. Twitted by caphooke on September 14th, 2010 11:41
[...] This post was Twitted by caphooke [...]

7. Password Patterns « Steve on Security on September 14th, 2010 14:43
[...] Password Patterns Some interesting information to make more efficient bruteforcing attacks - http://www.architectingsecurity.com/2010/09/11/password-patterns/ [...]

8. Dennis Groves on September 15th, 2010 13:08
It is worth noting that no matter how 'strong' your password is, it doesn't mitigate against the threat of SQL injection attack, which is how these passwords were disclosed to begin with. In fact it is my conjecture that attackers get more passwords through application security attacks and failure to encrypt databases than by poor password practices and brute force attacks.
degroves

9. doug on September 20th, 2010 21:51
@Dennis, your statement is incorrect if you look at databases that only store the password hash. It is considered bad practice to store a password in plain text.

10. Emin on September 29th, 2010 08:42
Another relevant discussion can be followed here as well: http://seclists.org/pen-test/2010/Sep/31

11. Joe Wulf on October 1st, 2010 17:59
Just like it is considered a bad practice to use '123456' as a password. Theory and implementation/execution are two entirely different matters.

12. Twitted by 2gg on October 17th, 2010 02:21
[...] This post was Twitted by 2gg [...]



Dr. Emin İslam Tatlı lives in Mannheim, Germany, works as Security Architect and Researcher at Daimler TSS and is a board member of the OWASP Germany and Turkey Chapters. Email: tatli (at) architectingsecurity.com. PGP Public Key: 4DFC8D0C. The postings on this site are my own and don't necessarily represent my employer's positions, strategies or opinions.



© 2010-2014 Architecting Security
