Common Password Mistakes Hackers Love
Our brains are pretty good at spotting patterns, like seeing shapes in clouds or recalling a whole song from a snippet of lyrics. When it comes to passwords, employees lean towards systems and patterns that feel satisfying and easy to remember, even if that means bending the company's password policy a bit. Attackers know this tendency well, and they have strategies built around the slip-ups employees make and around the password policies that leave room for those slip-ups.
Despite all the modern tooling and techniques, cracking passwords still boils down to a guessing game. Anything that hints at the structure of a password narrows the guesses an attacker has to make, and that is exactly what they look for.
So let's look at how attackers make the most of four of the most common password mistakes employees make, along with some tips to harden your password security against them.
1. Starting with the Basics
When creating a password, most people start from a simple base word. The problem is that this base word is rarely random; it usually has something to do with the person or the company they work for. Then, as time passes and resets come around, they make small tweaks to the same base word to get past the password history and complexity requirements: capitalizing the first letter, say, and adding a special character or a digit at the end.
Attackers aren't aiming to crack the toughest passwords; they want the weakest ones. They exploit these base terms with dictionary attacks: running a list of common weak base words together with their typical modifications (a wordlist plus mangling rules) against the password hashes they have captured. The attack works because of our tendency to go for the easy and familiar when crafting passwords.
In a 2023 report analyzing millions of compromised passwords, the most common base term was, you guessed it, 'password'. You'd think people would have stepped up their game by 2023, but the other top base terms were 'admin' and 'welcome'. Social media is a treasure trove for attackers who target specific individuals: birthdays, family names, pet names and meaningful places are easy to find, and they make obvious base terms.
2. Keeping It Short
Even when a password starts from a weak base term, an attacker may still have to sift through many possibilities. For that they use brute force, rapidly cycling through candidate combinations until one matches.
Brute force works best against short passwords. Combining it with a dictionary, so that a common base term is followed by a brute-forced run of digits and symbols, is called a hybrid attack, and it is particularly effective against short passwords built on dictionary words.
According to recent research, a whopping 88% of passwords used in live attacks on small businesses are 12 characters or fewer. Some organizations allow even shorter passwords, with a minimum length of eight characters in their policy settings. And if an employee is allowed to create a shorter password, they will probably do so.
Length is the stronger defense: every additional character multiplies the number of combinations an attacker has to try, so a long passphrase resists brute force and hybrid attacks far better than a short password with a couple of special characters tacked on the end. Another way to encourage longer passwords is length-based aging, where longer passwords get a longer life before they expire.
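As an added illustration (not code from the original article), here is a small Python model of the two attacks described in the last two sections: a dictionary attack that mangles a short list of base terms, and a hybrid attack that appends a brute-forced tail to each term. The wordlist, the suffix list, the 'acme' company name and the two victim passwords are all constructed for the example, and unsalted SHA-256 stands in for whatever hash an attacker actually captured.

```python
import hashlib
import itertools
import string

# Constructed wordlist for this example: the kind of base terms the text describes
# (top terms from breach analyses plus a made-up company name, "acme").
# A real attack wordlist holds millions of entries.
BASE_TERMS = ["password", "admin", "welcome", "summer", "acme"]

# Constructed list of the "little tweaks" people make at reset time.
SUFFIXES = ["1", "123", "!", "1!", "2023", "2024", "!1", "#1"]

LEET = str.maketrans("aeos", "@30$")


def mangle(base):
    """Dictionary attack with mangling rules: the common variations of one base term.

    The order is deterministic so that attempt counts are reproducible.
    """
    leet = base.translate(LEET)
    forms = dict.fromkeys([base, base.capitalize(), base.upper(),
                           leet, leet.capitalize()])  # ordered, de-duplicated
    for form in forms:
        yield form
        for suffix in SUFFIXES:
            yield form + suffix


def dictionary_candidates(base_terms):
    for base in base_terms:
        yield from mangle(base)


def hybrid_candidates(base_terms, max_suffix=2, charset=string.digits + "!@#$"):
    """Hybrid attack: a dictionary base term followed by a brute-forced short tail."""
    for base in base_terms:
        for form in (base, base.capitalize()):
            for n in range(max_suffix + 1):
                for tail in itertools.product(charset, repeat=n):
                    yield form + "".join(tail)


def sha256_hex(password):
    # Unsalted SHA-256 stands in for whatever hash the attacker captured.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, candidates):
    """Return (password, attempts) for the first candidate matching target_hash,
    or (None, attempts) once the candidate list is exhausted."""
    attempts = 0
    for attempts, candidate in enumerate(candidates, start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


def keyspace(length, alphabet_size=94):
    """Candidates an unguided brute force must consider (94 printable ASCII characters)."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed victims: a mangled base term, and a base term plus a two-character tail.
    for victim, candidates in [
        ("Welcome123", dictionary_candidates(BASE_TERMS)),
        ("Admin#7", hybrid_candidates(BASE_TERMS)),
    ]:
        found, attempts = crack(sha256_hex(victim), candidates)
        print(f"{victim!r}: recovered {found!r} after {attempts} guesses")
    print(f"unguided 7-char keyspace: {keyspace(7):,}; 12-char: {keyspace(12):,}")
```

Real tooling works the same way at far greater scale: hashcat's rule files (`-r`) encode the mangling and its hybrid mode (`-a 6`) pairs a wordlist with a mask for the tail. The `keyspace()` numbers are the point of section 2: guided guessing means an attacker never pays the full 94^n cost, but every extra character still multiplies whatever is left.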
3. Dancing on the Keyboard
When we talk about predictable passwords, our minds usually jump to common base words, short lengths, and lack of complexity. But don't overlook passwords that mimic the layout of a keyboard – they're just as foreseeable.
Take P)o9I*u7Y^ for instance. It looks complex and meets many organizations' complexity rules. But look closely: every character sits right next to the previous one on the keyboard. The user is walking leftwards along the number row and the QWERTY row, alternating between the shifted and the unshifted key, which makes an easy-to-remember 'keyboard walk' for the user and an easy-to-enumerate pattern for an attacker.
In a recent security report analyzing over 800 million compromised passwords, the most popular keyboard walk patterns were revealed. The 'qwerty' pattern alone appeared over a million times, proving how rampant these keyboard walks are.
Even though these patterns aren't real words, attackers treat them as words: common keyboard walks go straight into the wordlists used for dictionary attacks. They know that 'lazy fingers' take shortcuts on the keyboard when crafting passwords, and that predictability is exactly what they count on.
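The following Python example is added here and is not part of the original article. It models the physical layout of a US QWERTY keyboard (the row stagger is what makes diagonals like ')' to 'o' count as neighbours), scores a password by its longest run of adjacent keys, and, for the attacker's side, enumerates the straight-line walks that go into a wordlist. The four-key threshold in is_keyboard_walk is an assumption for the example, not a published standard.

```python
# Physical US QWERTY geometry: (unshifted keys, shifted keys, x of the first key's centre).
# Rows are staggered on a real keyboard, so each row starts at a different x offset.
QWERTY_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+", 0.5),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|", 2.0),
    ("asdfghjkl;'", 'ASDFGHJKL:"', 2.25),
    ("zxcvbnm,./", "ZXCVBNM<>?", 2.75),
]

# Map every character to the (x, row) of the key that produces it; holding shift
# does not move the finger, so 'p' and 'P' share a position.
KEY_POS = {}
for _row, (_plain, _shifted, _x0) in enumerate(QWERTY_ROWS):
    for _col, (_p, _s) in enumerate(zip(_plain, _shifted)):
        KEY_POS[_p] = KEY_POS[_s] = (_x0 + _col, _row)


def adjacent(a, b):
    """True when key b touches key a: next door on the same row, or one row up or
    down and less than a key's width sideways. Pressing the same key twice does
    not count, and characters that are not on the layout (space, non-ASCII) never do."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1.0 and abs(pa[1] - pb[1]) <= 1


def longest_walk(password):
    """Length of the longest run in which every key is adjacent to the one before it."""
    if not password:
        return 0
    best = run = 1
    for a, b in zip(password, password[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password, min_keys=4):
    """Policy check: reject passwords containing a walk of min_keys or more keys
    (the threshold is an assumption for this example)."""
    return longest_walk(password) >= min_keys


def straight_walks(length):
    """Attacker side: every straight run of `length` keys along a row, in both
    directions, plain and shifted. A real wordlist adds diagonals, zigzags and
    mixed-shift variants such as P)o9I*u7Y^."""
    for plain, shifted, _ in QWERTY_ROWS:
        for keys in (plain, shifted):
            for start in range(len(keys) - length + 1):
                segment = keys[start:start + length]
                yield segment
                yield segment[::-1]


if __name__ == "__main__":
    for pw in ["P)o9I*u7Y^", "qwerty", "1qaz2wsx", "correct horse battery"]:
        print(f"{pw!r}: longest walk {longest_walk(pw)}, reject={is_keyboard_walk(pw)}")
    print(f"{len(list(straight_walks(6)))} straight six-key walks for the wordlist")
```

Dropbox's zxcvbn strength estimator has a spatial matcher built on the same idea and is the practical choice for a password-change form; the point of the hand-rolled version is to show why "complex-looking" characters that are neighbours on the keyboard add almost nothing to the attacker's cost.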
4. Playing the Repeat Game
Even strong passwords go sour when they are recycled across different apps and devices. Imagine an organization using a password manager so that employees only have to remember one strong master password.
But what if that password is also used for Netflix, Facebook and who knows what else? Any one of those services can be phished or breached. Once a breached password has been cracked it is published or sold online, and attackers try it everywhere else, which is known as credential stuffing.
According to Google, a whopping 65% of people reuse passwords. This explains why cybercriminals go to such lengths to steal credentials and sell them online: a password stolen from one site is often a golden ticket somewhere else.
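The practical counter to reuse is to screen every new or reset password against the breach corpora the text mentions, without sending the password itself anywhere. This added Python example (not from the original article) shows the k-anonymity range check that Have I Been Pwned's Pwned Passwords service uses: the client sends only the first five hex characters of the SHA-1, the server returns every suffix under that prefix, and the match is made locally. The breach corpus and the server here are constructed stand-ins; no network call is made.

```python
import hashlib

# Constructed breach corpus for this example: passwords that have "ended up on the
# Internet", with how many times each was seen. The real Pwned Passwords corpus
# holds hundreds of millions of entries.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "Welcome123": 50_000,
    "Welcome2024!!": 300,
    "Summer2023!": 1_200,
}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hash_prefix(password):
    """The only thing the client ever sends: the first five hex digits of the SHA-1."""
    return sha1_upper(password)[:5]


# --- server side (simulated) --------------------------------------------------
# The range endpoint groups hashes by five-character prefix and answers with every
# suffix under that prefix and its count, one "SUFFIX:COUNT" per line.
RANGE_INDEX = {}
for _pw, _count in CONSTRUCTED_BREACH_CORPUS.items():
    _h = sha1_upper(_pw)
    RANGE_INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def simulated_range_query(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; nothing is contacted."""
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, []))


# --- client side --------------------------------------------------------------
def breach_count(password, range_query=simulated_range_query):
    """How many times the password appears in the corpus, without revealing it.

    Only hash_prefix(password) leaves the client; the server cannot tell which of
    the hashes sharing that prefix was asked about (k-anonymity).
    """
    full = sha1_upper(password)
    prefix, suffix = full[:5], full[5:]
    for line in range_query(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def policy_check(password, min_length=12):
    """Reject the two failure modes the text describes: short values and values
    already in breach data. Returns (accepted, reason); the 12-character minimum
    is an assumption for the example."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"appears {seen:,} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Welcome2024!!", "Summer2023!", "constructed unique passphrase 42"]:
        print(f"{pw!r}: sends prefix {hash_prefix(pw)}, result {policy_check(pw)}")
```

NIST SP 800-63B calls for exactly this kind of screening against known-compromised values when a password is chosen or reset. In production the range_query parameter is an HTTPS GET to the real endpoint (with the Add-Padding header if you want the response size hidden too); keeping it injectable is what makes the check testable offline.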
So, how can organizations tackle these risks and keep employees from tripping up on passwords?
It's a four-pronged approach. First, a solid password policy so that employees' passwords are robust from the start, which blocks the dictionary and brute force attacks that target common base terms, short passwords and keyboard walks. Second, make sure no work password is reused on other services such as streaming sites, social media or personal email. Third, require multi-factor authentication for everyone. Fourth, provide a secure password vault so employees don't have to fall back on simple or predictable passwords.
Letting your web browser save your logins and passwords is NOT a safe substitute for a vault: browser credential stores are protected only by the logged-in user session, and infostealer malware routinely harvests them.