New proof that I can guess your password

Can I really guess your password?

According to Keeper Security I have a high probability of guessing the password of 50% of the population within my first 25 attempts. That seems like a pretty bold statement even for someone as incredibly skilled and handsome as myself.

Here is how they came across this fact. In the vein of turning something bad into something good Keeper Security analyzed the passwords of 10 million accounts that have been breached and compiled the list of top 25 passwords. The top 25 passwords appeared in a staggering 50% of the 10 million passwords.

The top password in the list which was simply “123456” accounted for 1,700,000 of the passwords analyzed. That data suggests that a full 17% of the passwords in place are simply 123456. That may be worthy of testing on your mother in-laws email account to see what she really thinks about you.

I have to commend the site for thinking of a good way to use ill-gotten data. This truly is a good cause. However, I have to strongly criticize major providers for allowing such lax security standards and allowing these simple passwords to meet their complexity rules.

So why is this important at all. If you want an easy short password what is the harm and really how realistic is it that you will be hacked? One of the most common forms of attacking is called brute force attack. In this type of hack the attacker needs two pieces of information.

Your username
Your password

Your username is typically the easy part of this equation. Most of the time it is simply the beginning part of your email address. Other times it is some combination of your first initial, first name and last name.

In a brute force attack they just take that username and try various combinations of characters until they can get into your system.

So if I have your email address I have a 50% chance of getting into your account by just trying one of the top 25 passwords.

Ok again why should you care about this? Your email may mostly consist of notifications from Facebook or spam. Try to think of your home email account as a gateway. It may not seem like a big deal but if someone wanted to reset your password to your bank account or credit card accounts where is that password reset going to go. All I need to do is look for an old email from your bank, find the bank account number and ask for a password reset. Once I have that I can reset your password and have full access into your account.

What a good password looks like:
Minimum of eight characters
Combination of letters, numbers and non alpha numeric characters
Easy enough that you can remember it

Wait what’s with that last one?  How can it be difficult and easy to remember? Why should it be easy to remember? This is a simple one based on our experience. When a user’s password (or wifi code) is too difficult the first thing they do is put it on a Post-It note and put it under their keyboard or worse, on their monitor. That kind of defeats the purpose of having a password.

What can we do in your office to prevent these issues:
We can force password security at the server level
We can force periodic password changes at the server level
We can force the screensaver to appear after 20 minutes of inactivity

Now for the fun part. Here is the list of top 25 passwords in order.

Kenny Rounds

Braver Technology Solutions LLC