Back to Basics – The Password Keyboard Walk (part 3)

A password you can remember is probably going to have some type of pattern to it – as humans we can remember patterns better than sequences. These patterns, however, are the basis for undermining any organisational policy that is designed to result in strong passwords.

Your password and a keyboard walk!

What do I mean by a keyboard walk? This is a pattern of sequential keys on the keyboard; the most obvious one for a UK keyboard is “qwerty”. But you may be thinking that no one would use “qwerty” in their password.

Recent research into poor passwords found that, out of nearly 800 million compromised passwords examined, more than 1 million included the keyboard walk “qwerty” (Specops, 2023). So yes, the use of “qwerty” in passwords is very common. Here is my first point – do not use that sequence in any password that you expect to be secure.

The hackers are expecting you to be clever…

Then there is this password, i8U&y6t%.

It looks like a good password and would pass most password requirements for any system. But on closer examination it is again just another keyboard walk of clustered keys.


Hybrid Brute Force Dictionary Attack and the Keyboard Walk

So why is this important?

Password hacking is no more than educated guessing and trying multiple combinations of passwords against someone’s login. To help increase their chances of success, the hackers do not start at a, then b, c, d … aa, ab, ac … aaa, aab, aac, etc. The threat actors create (and share) dictionaries that contain all the compromised passwords they can collect or buy from the Dark Web, and then add to them passwords that include football teams (both soccer and NFL), names, cities, and regularly used patterns. If you live in France they will switch out their “qwerty” patterns and use “azerty”. Hackers understand the password keyboard walk vulnerability.

If you avoid these patterns created by a keyboard walk your passwords will be more secure.
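A password-policy check can catch these walks before a password is accepted. The following is an added example, not code from the original article: it folds shifted symbols back to their keys and measures the longest run of physically neighbouring keys, covering both the “qwerty” and “azerty” layouts mentioned above. The key grids, the symbol map and the `min_run` threshold of 4 are assumptions made for illustration.

```python
# Constructed key grids: key (r, c) sits below and between (r-1, c) and (r-1, c+1).
LAYOUTS = {
    "qwerty": ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"],
    "azerty": ["1234567890", "azertyuiop", "qsdfghjklm", "wxcvbn"],  # number row simplified
}
# Fold shifted number-row symbols back to their key (UK and US variants, an assumption).
UNSHIFT = str.maketrans('!"@£#$%^&*()', "122334567890")


def _adjacent(a, b):
    """True when two (row, col) keys touch on the staggered grid."""
    dr, dc = b[0] - a[0], b[1] - a[1]
    if dr == 0:
        return abs(dc) == 1
    if dr == -1:
        return dc in (0, 1)
    if dr == 1:
        return dc in (0, -1)
    return False


def longest_walk(password, layout="qwerty"):
    """Length of the longest run of physically neighbouring keys, ignoring Shift."""
    pos = {ch: (r, c) for r, row in enumerate(LAYOUTS[layout]) for c, ch in enumerate(row)}
    best = run = 0
    prev = None
    for ch in password.lower().translate(UNSHIFT):
        key = pos.get(ch)
        if key is None:
            run = 0  # character is not on the grid, so the walk is broken
        elif prev is not None and _adjacent(prev, key):
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev = key
    return best


def is_keyboard_walk(password, min_run=4):
    """Reject a candidate password if any layout shows a walk of min_run keys or more."""
    return any(longest_walk(password, name) >= min_run for name in LAYOUTS)


if __name__ == "__main__":
    for candidate in ["i8U&y6t%", "Summer-qwerty-2023", "plum-Tractor-91"]:  # constructed samples
        print(candidate, longest_walk(candidate), is_keyboard_walk(candidate))
```

The article's example `i8U&y6t%` scores as a single unbroken walk of eight keys once Shift is ignored, which is why complexity rules alone do not catch it.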

Next

I think the next article may be the last part of this mini-series on password discipline.


Clive Catton MSc (Cyber Security)

References

Specops. (2023). Specops Software 2023 weak password report. Specops Software. https://specopssoft.com/our-resources/most-common-passwords/

Further Reading

Passwords – Back to Basics – CyberAwake

Back to Basics – The Password Part 2 – CyberAwake

Featured Photo by Pixabay

In Text Photo by Ilya Klimenko