May 23rd 2018

Dashlane uncovers troubling password patterns

Virginia Tech and Dashlane analysis find risky, lazy passwords the norm

NEW YORK, US – 23 May, 2018: Dashlane, one of the world’s most trusted digital security companies, today announced the findings of an analysis of over 61 million passwords. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech.

The Virginia Tech project, described as “the first large-scale empirical analysis of password reuse and modification patterns…” resulted in a landmark research paper: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services.” Dr. Wang granted Dashlane’s Analytics Team access to the anonymised version of the 61.5 million passwords from the project so they could conduct further research into password trends.

Dashlane researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say—virtually everyone. The Dashlane researchers found patterns across the keyboard, from not-so-randomly chosen letters and numbers to, popular brands and bands, and even passwords created out of apparent frustration.

It is difficult for humans to memorise unique passwords for the 150+ accounts the average person has,” said Dr. Wang. “Inevitably, people reuse or slightly modify them, which is a dangerous practice. This danger has been amplified by the massive data breaches which have given attackers more effective tools for guessing and hacking passwords.”

When striving to create the very best solutions, it is vital to understand the problems faced,” said Emmanuel Schalit, CEO at Dashlane. “The data obtained and analysed by the Virginia Tech researchers is evidence of rampant password reuse, and Dashlane’s examination of this research sheds new light on typical patterns and habits.”

For more information, including Dashlane’s extended analysis, go to: https://blog.dashlane.com/virginia-tech-passwords-study/

Pervasive “Password Walking”

Dashlane researchers discovered a high frequency of passwords containing combinations of letters, numbers, and symbols that are adjacent to one another on the keyboard. This practice, known as “Password Walking,” highlights the apathetic attitude most users have towards passwords, preferring convenience over security.

When users “Password Walk” they are creating passwords that are far from secure. Most hackers are keenly aware of the human tendency to rely on convenience and can easily exploit these common passwords.

Most are familiar with versions of “Password Walking,” such as “qwerty” and “123456”, but Dashlane’s researchers uncovered several other combinations that are frequently used:

These passwords are all comprised of keys on the left-hand side of standard keyboards. This means users can simply use the pinky or ring finger on their left hand to type their entire password. However convenient this may be, saving a few seconds is not worth the loss of one’s critical financial and/or personal data due to an account hack.

The prevalence of “Password Walking” is troubling and should make anyone using such passwords take another look at their password practices. Genuinely random and unique passwords are essential to password security; punching a bunch of adjacent characters will not cut it.

Love and Hate: A Tale of Two Passwords

Another recurring theme Dashlane researchers uncovered is a reliance on passwords related to love, as well as aggressive and vulgar language. Passionate language in either direction was more popular than more tepid or moderate expressions. The ten most frequent love/hate-related passwords:

  1. iloveyou
  2. f*ckyou
  3. a**hole
  4. f*ckoff
  5. iloveme
  6. trustno1
  7. beautiful
  8. ihateyou
  9. bullsh*t
  10. lovelove

Most Recurrent Brands

Vices like Coca Cola and Skittles seep into all corners of life, even passwords. Some might argue that technology is a modern vice, with social networks and hardware also used frequently as passwords. The ten most frequent brand-related passwords:

  1. myspace *experienced a major breach in 2016
  2. mustang
  3. linkedin *experienced a major breach in 2016
  4. ferrari
  5. playboy
  6. mercedes
  7. cocacola
  8. snickers
  9. corvette
  10. skittles

Music and Movies

Unsurprisingly, pop culture references were also prevalent. It would be wise to remember that using passwords that use names or common phrases is not a safe practice.  The ten most frequent pop culture passwords:

  1. superman
  2. pokemon
  3. slipknot
  4. starwars
  5. metallica
  6. nirvana
  7. blink182
  8. spiderman
  9. greenday
  10. rockstar

Champions League Passwords

Lastly, as the world prepares for the Champions League Final this weekend, fans of the beautiful game should refrain from showing love for their favorite club in their passwords. Dashlane found a plethora of sports-related terms in the dataset, but the following perennial Champions League football clubs showed up more than any other teams:

  1. liverpool
  2. chelsea
  3. arsenal
  4. barcelona
  5. manchester

Security Best Practices

Luckily, there are a few easy actions that everyone should take to improve their online security and minimise the likelihood that his or her passwords wind up in a dark web data trove:

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection