Report: Password Controls Actually Increase Crackability

Security firm finds that common password control methods mean half of all passwords now only follow a dozen common patterns

Past measures put in place to try and make passwords more secure may in fact have made them easier to crack, according to a new study.

Research by security firm Praetorian found that 50 percent of users’ passwords follow only 13 structures, making them easier to decypher by hackers. The study was based on an analysis of more than 34 million passwords released on the Internet from well-known hacks, including those on RockYou, LinkedIn and phpBB.

Password crack

online securityWebsites typically store passwords in an encrypted form using what’s called a hash function, making it practically impossible to discover the original password from the hash. These hashed passwords can, however, be cracked using tools that may take a variety of approaches, including formulating possible solutions based on combinations of dictionary words and numeric digits.

Such approaches can be time-consuming, but if an attacker knows the pattern likely to have been followed by the password, the crack becomes much simpler, according to Praetorian.

“The question for the attacker then becomes: What structure should be targeted first when attacking a set of hashes?” wrote Praetorian security engineer Julian Dunning in a blog post.

Dunning said the results of the analysis are “shocking” because the finding means the majority of passwords would be relatively easy to crack. “Commonalties in structure such as these allow attackers to predict what the structure of a user’s password will most likely be,” he wrote.


The structures that were uncovered seem to reflect the requirements users are typically given when generating a password – ironically, these requirements having been formulated in an effort to force users to use stronger passwords.

“When users are asked to provide a password that contains an uppercase letter, over 90 percent of the time it is put as the first character,” Dunning wrote. “When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps).”

This structure, a single capital letter at the beginning, followed by the password text and two digits, was the most common to have turned up in the analysis, followed by a password ending with four digits, one ending with a single digit and one ending with three digits.

He said developers should perhaps implement controls that block these popular structures, but admitted that “without an easy structure, users may find it difficult to remember their passwords”. A solution for users might be to rely on a password manager, which can manage a large number of unique, difficult-to-crack passwords.

A PayPal executive recently suggested that the use of subcutaneous or ingestible devices could help end reliance on passwords entirely.

Are you a security pro? Try our quiz!