Virginia Tech and Dashlane Analysis Find Risky, Lazy Passwords the Norm

Dashlane analyzed over 61 million passwords and uncovered some troubling password patterns. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech.

The Virginia Tech project, described as “the first large-scale empirical analysis of password reuse and modification patterns…” resulted in a landmark research paper: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services.” Dr. Wang granted Dashlane’s Analytics Team access to the anonymized version of the 61.5 million passwords from the project so they could conduct further research into password trends.

Dashlane researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say—virtually everyone. The Dashlane researchers found patterns across the keyboard, from not-so-randomly chosen letters and numbers to, popular brands and bands, and even passwords created out of apparent frustration.

A Decade of Passwords Trends

“It is difficult for humans to memorize unique passwords for the 150+ accounts the average person has,“ said Dr. Wang. “Inevitably, people reuse or slightly modify them, which is a dangerous practice. This danger has been amplified by the massive data breaches which have given attackers more effective tools for guessing and hacking passwords.”

“When striving to create the very best solutions, it is vital to understand the problems faced,” said Emmanuel Schalit, CEO at Dashlane. “The data obtained and analyzed by the Virginia Tech researchers is evidence of rampant password reuse, and Dashlane’s examination of this research shed new light on typical patterns and habits.”

Pervasive “Password Walking”

Dashlane researchers discovered a high frequency of passwords containing combinations of letters, numbers, and symbols that are adjacent to one another on the keyboard. This practice, known as “Password Walking,” highlights the apathetic attitude most users have towards password creation, preferring convenience over security.

When users “Password Walk” they are creating passwords that are far from secure. Most hackers are keenly aware of the human tendency to rely on convenience and can easily exploit these common passwords.

Problematic Passwords: Password Walking

Most are familiar with versions of “Password Walking,” such as “qwerty” and “123456”, but Dashlane’s researchers uncovered several other combinations that are frequently used:

  • 1q2w3e4r
  • 1qaz2wsx
  • 1qazxsw2
  • zaq12wsx
  • !qaz2wsx
  • 1qaz@wsx

These passwords are all comprised of keys on the left-hand side of standard keyboards. This means users can simply use the pinky or ring finger on their left hand to type their entire password. However convenient this may be, saving a few seconds is not worth the loss of one’s critical financial and/or personal data due to an account hack.

The prevalence of “Password Walking” is troubling and should make anyone using such passwords take another look at their password practices. Genuinely random and unique passwords are essential to password security; punching a bunch of adjacent characters will not cut it.

Love and Hate: A Tale of Two Passwords

Another recurring theme Dashlane researchers uncovered is a reliance on passwords related to love, as well as aggressive and vulgar language. Passionate language in either direction was more popular than more tepid or moderate expressions.

The ten most frequent love/hate-related passwords:

  1. iloveyou
  2. f*ckyou
  3. a**hole
  4. f*ckoff
  5. iloveme
  6. trustno1
  7. beautiful
  8. ihateyou
  9. bullsh*t
  10. lovelove

Most Recurrent Brands

Vices like Coca Cola and Skittles seep into all corners of life, even passwords. Some might argue that technology is a modern vice, with social networks and hardware also used frequently as passwords.

The ten most frequent brand-related passwords:

  1. myspace *experienced a major breach in 2016
  2. mustang
  3. linkedin *experienced a major breach in 2016
  4. ferrari
  5. playboy
  6. mercedes
  7. cocacola
  8. snickers
  9. corvette
  10. skittles

Music and Movies

Unsurprisingly, pop culture references were also prevalent. It would be wise to remember that using passwords that use names or common phrases is not a safe practice.

The ten most frequent pop culture passwords:

  1. superman
  2. pokemon
  3. slipknot
  4. starwars
  5. metallica
  6. nirvana
  7. blink182
  8. spiderman
  9. greenday
  10. rockstar 

Champions League Passwords

Lastly, as the world prepares for the Champions League Final this weekend, fans of the beautiful game should refrain from showing love for their favorite club in their passwords.

Dashlane found a plethora of sports-related terms in the dataset, but the following perennial Champions League football clubs showed up more than any other teams:

  1. liverpool
  2. chelsea
  3. arsenal
  4. barcelona
  5. manchester

Security Best Practices

Luckily, there are a few easy actions that everyone should take to improve their online security and minimize the likelihood that his or her passwords wind up in a dark web data trove:

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection 

Methodology

Virginia Tech researchers led by Dr. Wang have collected a number of publicly available password datasets from the Internet in January 2017. The datasets were obtained from various online forums and data archives. The resulting 107 datasets (61.5 million passwords) allow the researchers to analyze how users reuse and modify their passwords across different online services. The analysis result shows that users are likely to simply modify their existing passwords to create new ones, and the modification patterns are highly predicable. The goal of this research is to provide a deeper understanding of how weak passwords are generated, and use the insights to drive the design of better password management tools. More details can be found at https://people.cs.vt.edu/gangwang/pass.pdf

Dashlane parsed the password dataset to find the most common case-insensitive substrings comprised of 7 or more characters.  They ranked the top 250 password substrings for each substring length before manually examining this smaller dataset to find the most prevalent patterns and themes. The “Password Walk” section of the analysis was automated with inspiration from https://github.com/Rich5/Keyboard-Walk-Generators