Report: Password Controls Actually Increase Crackability

Past measures put in place to try and make passwords more secure may in fact have made them easier to crack, according to a new study.

Research by security firm Praetorian found that 50 percent of users’ passwords follow only 13 structures, making them easier for hackers to decipher. The study was based on an analysis of more than 34 million passwords released on the Internet from well-known hacks, including those on RockYou, LinkedIn and phpBB.

Password crack

Websites typically store passwords not as plain text but in hashed form, using what’s called a hash function, making it practically impossible to recover the original password directly from the hash. These hashed passwords can, however, be cracked using tools that take a variety of approaches, including generating candidate passwords from combinations of dictionary words and numeric digits and hashing each one to look for a match.

Such approaches can be time-consuming, but if an attacker knows the pattern likely to have been followed by the password, the crack becomes much simpler, according to Praetorian.

“The question for the attacker then becomes: What structure should be targeted first when attacking a set of hashes?” wrote Praetorian security engineer Julian Dunning in a blog post.

Dunning said the results of the analysis are “shocking” because the finding means the majority of passwords would be relatively easy to crack. “Commonalties in structure such as these allow attackers to predict what the structure of a user’s password will most likely be,” he wrote.

The structures that were uncovered seem to reflect the requirements users are typically given when generating a password – ironically, requirements that were formulated in an effort to force users to choose stronger passwords.

“When users are asked to provide a password that contains an uppercase letter, over 90 percent of the time it is put as the first character,” Dunning wrote. “When asked to use a digit, most users will put two digits at the end of their password (graduation year perhaps).”

This structure, a single capital letter at the beginning, followed by the password text and two digits, was the most common to have turned up in the analysis, followed by a password ending with four digits, one ending with a single digit and one ending with three digits.

He said developers should perhaps implement controls that block these popular structures, but admitted that “without an easy structure, users may find it difficult to remember their passwords”. A solution for users might be to rely on a password manager, which can manage a large number of unique, difficult-to-crack passwords.

A PayPal executive recently suggested that the use of subcutaneous or ingestible devices could help end reliance on passwords entirely.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
