Dashlane Uncovers Troubling Password Patterns

The Virginia Tech project, described as "the first large-scale empirical analysis of password reuse and modification patterns…" resulted in a landmark research paper: "The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services." Dr. Wang granted Dashlane's Analytics Team access to the anonymized version of the 61.5 million passwords from the project so they could conduct further research into password trends.

Dashlane researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say—virtually everyone. The Dashlane researchers found patterns across the keyboard, from not-so-randomly chosen letters and numbers to, popular brands and bands, and even passwords created out of apparent frustration.

"It is difficult for humans to memorize unique passwords for the 150+ accounts the average person has," said Dr. Wang. "Inevitably, people reuse or slightly modify them, which is a dangerous practice. This danger has been amplified by the massive data breaches which have given attackers more effective tools for guessing and hacking passwords."

"When striving to create the very best solutions, it is vital to understand the problems faced," said Emmanuel Schalit, CEO at Dashlane. "The data obtained and analyzed by the Virginia Tech researchers is evidence of rampant password reuse, and Dashlane's examination of this research shed new light on typical patterns and habits."

For more information go to: https://blog.dashlane.com/virginia-tech-passwords-study/

Pervasive "Password Walking"

Dashlane researchers discovered a high frequency of passwords containing combinations of letters, numbers, and symbols that are adjacent to one another on the keyboard. This practice, known as "Password Walking," highlights the apathetic attitude most users have towards passwords, preferring convenience over security.

When users "Password Walk" they are creating passwords that are far from secure. Most hackers are keenly aware of the human tendency to rely on convenience and can easily exploit these common passwords. 

Most are familiar with versions of "Password Walking," such as "qwerty" and "123456", but Dashlane's researchers uncovered several other combinations that are frequently used:

• 1q2w3e4r
• 1qaz2wsx
• 1qazxsw2
• zaq12wsx
• !qaz2wsx
• 1qaz@wsx

These passwords are all comprised of keys on the left-hand side of standard keyboards. This means users can simply use the pinky or ring finger on their left hand to type their entire password. However convenient this may be, saving a few seconds is not worth the loss of one's critical financial and/or personal data due to an account hack.

The prevalence of "Password Walking" is troubling and should make anyone using such passwords take another look at their password practices. Genuinely random and unique passwords are essential to password security; punching a bunch of adjacent characters will not cut it.  

Love and Hate: A Tale of Two Passwords

Another recurring theme Dashlane researchers uncovered is a reliance on passwords related to love, as well as aggressive and vulgar language. Passionate language in either direction was more popular than more tepid or moderate expressions. The ten most frequent love/hate-related passwords:

1. iloveyou
2. f*ckyou
3. a**hole
4. f*ckoff
5. iloveme
6. trustno1
7. beautiful
8. ihateyou
9. bullsh*t
10. lovelove

Most Recurrent Brands

Vices like Coca Cola and Skittles seep into all corners of life, even passwords. Some might argue that technology is a modern vice, with social networks and hardware also used frequently as passwords. The ten most frequent brand-related passwords:

1. myspace *experienced a major breach in 2016
2. mustang
3. linkedin *experienced a major breach in 2016
4. ferrari
5. playboy
6. mercedes
7. cocacola
8. snickers
9. corvette
10. skittles

Music and Movies

Unsurprisingly, pop culture references were also prevalent. It would be wise to remember that using passwords that use names or common phrases is not a safe practice.  The ten most frequent pop culture passwords:

1. superman
2. pokemon
3. slipknot
4. starwars
5. metallica
6. nirvana
7. blink182
8. spiderman
9. greenday
10. rockstar

Champions League Passwords

Lastly, as the world prepares for the Champions League Final this weekend, fans of the beautiful game should refrain from showing love for their favorite club in their passwords. Dashlane found a plethora of sports-related terms in the dataset, but the following perennial Champions League football clubs showed up more than any other teams:

1. liverpool
2. chelsea
3. arsenal
4. barcelona
5. manchester

Security Best Practices

Luckily, there are a few easy actions that everyone should take to improve their online security and minimize the likelihood that his or her passwords wind up in a dark web data trove:

• Use a unique password for every online account
• Generate passwords that exceed the minimum of 8 characters
• Create passwords with a mix of case-sensitive letters, numbers, and special symbols
• Avoid using passwords that contain common phrases, slang, places, or names
• Use a password manager to help generate, store, and manage your passwords
• Never use an unsecured Wi-Fi connection

Methodology 

Virginia Tech researchers led by Dr. Wang have collected a number of publicly available password datasets from the Internet in January 2017. The datasets were obtained from various online forums and data archives. The resulting 107 datasets (61.5 million passwords) allow the researchers to analyze how users reuse and modify their passwords across different online services. The analysis result shows that users are likely to simply modify their existing passwords to create new passwords, and the modification patterns are highly predicable. The goal of this research is to provide a deeper understanding of how weak passwords are generated, and use the insights to drive the design of better password management tools. More details can be found at https://people.cs.vt.edu/gangwang/pass.pdf

Dashlane parsed the password dataset to find the most common case-insensitive substrings comprised of 7 or more characters.  They ranked the top 250 password substrings for each substring length before manually examining this smaller dataset to find the most prevalent patterns and themes. The "Password Walk" section of the analysis was automated with inspiration from https://github.com/Rich5/Keyboard-Walk-Generators

About Dr. Wang

Gang Wang is an Assistant Professor of Computer Science at Virginia Tech. He obtained his Ph.D. from UC Santa Barbara in 2016 and his BE from Tsinghua University in 2010. His research interests include Security and Privacy, Cybercrime Measurements, and Human Factors in Security. He is a recipient of the National Science Foundation Young Investigator Award (NSF CAREER 2018), Google Faculty Research Award (2017) and SIGMETRICS Best Practical Paper Award (2013). His work has been covered by media outlets such as The New York Times, Boston Globe, CNN, MIT Technology Review, ACM TechNews, The Sun, and New Scientist.

About Dashlane

Dashlane, one of the world's most trusted digital security companies, takes the pain out of passwords with its password manager and secure digital wallet app. Dashlane allows users to securely manage passwords, credit cards, IDs, and other important information via advanced encryption and local storage.

With so many devices, the line between home and work no longer exists. Thankfully, Dashlane works everywhere, for everyone. The company has helped 9.5 million consumers manage and secure their digital identity and enabled over $13 billion in e-commerce transactions. Dashlane Business is trusted by 7,000+ companies to create, enforce, and track effective access management, and features the only patented security architecture in the industry.

The Dashlane app is available on PC, Mac, Android, and iOS and has won critical acclaim by top publications including The Wall Street Journal, The New York Times, and USA Today. Dashlane is free to use on your favorite device for life and costs $39.99/year to sync between an unlimited number of devices.

Dashlane was founded by Bernard Liautaud and co-founders Alexis Fogel, Guillaume Maron, and Jean Guillou. The company has offices in New York City and Paris and has received $52.5 million in funding from TransUnion, Rho Ventures, FirstMark Capital, and Bessemer Venture Partners. Learn more at Dashlane.com.

SOURCE Dashlane

Related Links

http://www.dashlane.com