We all ought to know by now that passwords that are easy to guess will get guessed.
We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.
We tried the 10 all-digit sequences 1
, 12
, 123
and so on up to 1234567890
, and eight of them were in the top 20.
Then we tried other obvious digit combos such as 000000
, 111111
and 123123
(we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456
came out well ahead of 12345
and 1234
).
The others were equally easy: qwerty
, password
, abc123
, password1
, iloveyou
and qwertyuiop
, the last being a useful reminder that length alone counts for very little.
Rank | Password | SHA-1 Hash | Appearances |
---|---|---|---|
1: | 123456 | 7C4A8D09CA3762AF61E59520943DC26494F8941B | 24,230,577 |
2: | 123456789 | F7C3BC1D808E04732ADF679965CCC34CA7AE3441 | 8,012,567 |
3: | qwerty | B1B3773A05C0ED0176787A4F1574FF0075F7521E | 3,993,346 |
4: | password | 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 | 3,861,493 |
5: | 111111 | 3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D | 3,184,337 |
6: | 12345678 | 7C222FB2927D828AF22F592134E8932480637C0D | 3,026,692 |
7: | abc123 | 6367C48DD193D56EA7B0BAAD25B19455E529F5EE | 2,897,638 |
8: | 1234567 | 20EABE5D64B0E216796E834F52D61FD0B70332FC | 2,562,301 |
9: | 12345 | 8CB2237D0679CA88DB6464EAC60DA96345513964 | 2,493,390 |
10: | password1 | E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D | 2,427,158 |
11: | 1234567890 | 01B307ACBA4F54F55AAFC33BB06BBBF6CA803E9A | 2,293,209 |
12: | 123123 | 601F1889667EFAEBB33B8C12572835DA3F027F78 | 2,279,322 |
13: | 000000 | C984AED014AEC7623A54F0591DA07A85FD4B762D | 1,992,207 |
14: | iloveyou | EE8D8728F435FD550F83852AABAB5234CE1DA528 | 1,655,692 |
15: | 1234 | 7110EDA4D09E062AA5E4A390B0A572AC0D2C0220 | 1,371,079 |
16: | – – – – – | B80A9AED8AF17118E51D4D0C2D7872AE26E2109E | 1,205,102 |
17: | qwertyuiop | B0399D2029F64D445BD131FFAA399A42D2F8E7DC | 1,117,379ll |
18: | 123 | 40BD001563085FC35165329EA1FF5C5ECBDBBEEF | 1,078,184 |
The problem is that some of us still seem to think that once we have memorised a truly long-and-strong password, we’ve basically solved the password problem.
Simply put, there’s still a school of thought that goes like this:
Until they do figure it out, of course.
As we explained earlier this week, cyber crooks often obtain passwords without needing to guess them or crack them algorithmically, for example:
Password re-use is why cybercriminals use a trick called credential stuffing to try to turn a hack that worked on one account into a hack that will work on another.
After all, if they know that one of your accounts was protected by yjCMth15SU,atTWT?
, it costs almost nothing in time or effort to see if any of your other accounts use the same password, or one that’s obviously related to it, giving the crooks a two-for-the-price-of-one attack.
(By “obviously related” we mean that if the crooks acquire a password list that shows your Facebook password was yjCMth15SU-FB
, they’ll probably try yjCMth15SU-TW
for Twitter and yjCMth15SU-GM
for Gmail, because that sort of pattern is rather obvious.)
And, according to the US Department of Justice (DOJ), that’s how an alleged cybercriminal called Charles Onus, who was arrested earlier this year in San Francisco, is said to have made off with a tidy $800,000 in just a few months.
The suspect, claims the DOJ, simply tried the already-known passwords of thousands of users against their accounts on an online payroll service in New York.
We’re assuming it was possible to guess which potential victims were users of the payroll service simply by looking at their email addresses.
If the address matched (or perhaps the person’s social media profile gave away) the name of an employer that used the service…
…then it was a good bet that they’d have a payroll account with the same email address, and therefore also a worthwhile criminal experiment to see if they had the same password.
Onus, says the allegation, was able to login unlawfully to at least 5500 different accounts using this simple system – so simple that it doesn’t even really count as “hacking”.
He was then apparently able to change the bank account details of some users so that their next wage payment went into a debit card account that he himself controlled, and to skim off a whopping $800,000 between July 2017 and the start of 2018 or thereabouts.
If you need any with your IT security or suspect your system is compromised, dont hesitate to contact us at JohnCruzIT.