November 21, 2013

10 Worst Password Ideas (As Seen In The Adobe Hack)


If you’re a registered Adobe client, change your passwords now. They have been stolen and published on the Internet, someone even made a crossword puzzle out of them. This is a good occasion to examine which passwords are better NOT to use.


A recent Adobe breach involved the theft of customers’ data and will definitely have long-term consequences. Initially, Adobe stated that the hack affected about 3 million users. It turned out that the leaked database contained about 150 million records; moreover, the stored passwords were poorly protected and could be recovered in their original form in many cases. As a result, Facebook required affected users to change their password if they used the same password for the social network.

Using a single password for different online services is a serious security issue. Even worse, millions of users make the same mistake when inventing a new password. Let’s learn from these mistakes, taking the most popular passwords from the Adobe database as a recent example.

1. “Password”, “qwerty” and “123456”

Astonishingly, these very obvious passwords still top the popular passwords list after all these years. In the Adobe database, the password “123456” takes first place, with over 2 million users out of 150 million using it. Second to it is the much more complicated “123456789”, followed by the word “password” itself: 345 thousand users selected “password” as their password. Also popular was the keyboard sequence “qwerty”, which holds 6th place.

2. Company or site name or its variations

You might think that the login “John” with the password “Facebook” is original. It is not. Of course, a service name might not be present in the dictionaries hackers use to bruteforce passwords. However, an experienced hacker will definitely add such passwords to his dictionary (as we’ve seen in the Adobe case). This principle is used in the passwords ranked #4, #9, #15 and #16 in the Adobe top 100: “adobe123”, “photoshop”, “adobe1” and “macromedia”.

3. Name=Password and other hints

Even though other providers might encrypt stored passwords much better than Adobe did, it’s quite probable that a hacker will see the accompanying fields in the database without extra effort, and those fields have proven to be quite useful for password recovery. The fields in question are the user name, email address, password hint and so on. The biggest hit is a password that is exactly the same as the user name. Other “smart” tricks are quite impressive as well: some people write their passwords down in the password hint field, or provide such obvious hints as “1 to 6” or “Last First”.

4. Obvious facts

Facebook is a favorite hacker tool. With a victim’s email and user name, it’s very easy to run a Facebook search and solve such password hints as “dog”, “son’s name”, “birthday”, “work”, “mother’s maiden name”, “favorite band” and so on. About one third of all hints refer to family members and pets, with an additional 15% quoting the password directly or almost directly.

5. Simple sequences

The number of possible letter and digit combinations seems endless. However, people use this power in a very limited way: they have very strong “hints” in the form of the alphabet and the keyboard in front of them. This is how passwords like “abc123”, “00000”, “123321”, “asdfgh” and “1q2w3e4r” are born. If you discovered some letter and digit sequence that is very easy to memorize, abandon it – it’s also convenient for hacking and most likely present in password dictionaries.

6. Basic words

According to various researchers, from one third to one half of all passwords are simple dictionary words, typically from the 10 thousand most frequently used words of a language. Modern computers can try 10,000 passwords in a few seconds, which is why these passwords are totally unreliable. The Adobe top list contains a lot of passwords of this kind: “sunshine”, “monkey”, “shadow”, “princess”, “dragon”, “welcome”, “jesus”, “sex”, “god”.

7. Obvious modifications

To make dictionary-based bruteforce attacks harder, most services require users to set their password according to specific rules. For example: at least 6 characters, an obligatory mix of upper- and lower-case letters, plus digits and special characters. As I wrote before, these measures date from the 20th century and we must reconsider them today, but users have already found their way around those requirements. Almost certainly the first letter will be the only uppercase one, while the most popular number-based modification is adding “1” to the end of the password. In the Adobe database, these tricks are combined with obvious words, resulting in quite bad passwords like “adobe1” and “password1”. The most popular special characters are the exclamation mark and the underscore.

8. Obvious modifications-2 (1337)

Thanks to the “Hackers” movie and other pop-culture artifacts, a wider audience is now aware of “hacker speak”, LEET (1337), in which some letters are replaced by similar-looking numbers or characters, along with other basic modifications. Making such replacements seems like a good idea, and passwords like “H4X0R” or “$1NGL3” look impressive. Unfortunately, they are not much more complicated than the obvious “hacker” and “single”, because specialized password-bruteforcing apps feature a so-called mutation engine, which tries all the obvious modifications on each dictionary word.
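As an added illustration of sections 2, 3, 5, 7 and 8 (example code written for this article, not part of the original post or of any Adobe or Kaspersky tool), the policy check below undoes the obvious mutations a mutation engine applies (capitalised first letter, trailing “1”, “!” or “_”, 1337 spelling) before comparing a candidate password against a blocklist, and also flags site names, password=username, hints that reveal the password, and keyboard sequences. The blocklist and site-word list are constructed from the words named above, and `weak_password_reasons`, `base_forms` and `is_simple_sequence` are hypothetical names.

```python
import re

# Constructed blocklist built from the leaked passwords named in the article;
# a real policy check would load a full list of known-breached passwords.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "abc123", "iloveyou",
    "letmein", "sunshine", "monkey", "shadow", "princess", "dragon",
    "welcome", "adobe123", "photoshop", "macromedia", "hacker", "single",
}
# Hypothetical: words tied to the service itself (section 2), set per deployment.
SITE_WORDS = {"adobe", "photoshop", "macromedia"}
# Reverse mapping for the usual 1337 substitutions (section 8).
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")


def base_forms(password):
    """Undo the obvious mutations (section 7): lowercase the capitalised first
    letter, drop a trailing '1', '!' or '_', and reverse leet spelling."""
    low = password.lower()
    stripped = re.sub(r"[\d!_]+$", "", low)
    forms = {low, stripped, low.translate(UNLEET), stripped.translate(UNLEET)}
    return {f for f in forms if f}


def is_simple_sequence(word):
    """Keyboard walks such as 'asdfgh' and repeats such as '00000' (section 5)."""
    if len(word) >= 3 and len(set(word)) == 1:
        return True
    return len(word) >= 4 and any(word in row or word in row[::-1]
                                  for row in KEYBOARD_ROWS)


def weak_password_reasons(password, username="", hint=""):
    """Return the article's mistake categories a candidate password falls into;
    an empty list means none of these checks fired (not proof of strength)."""
    reasons = set()
    forms = base_forms(password)
    if forms & COMMON_PASSWORDS:
        reasons.add("common-word")
    if any(site in f for f in forms for site in SITE_WORDS):
        reasons.add("site-name")
    if username and password.lower() == username.lower():
        reasons.add("equals-username")
    if hint and any(len(f) >= 4 and f in hint.lower() for f in forms):
        reasons.add("hint-reveals-password")
    if any(is_simple_sequence(f) for f in forms):
        reasons.add("simple-sequence")
    return sorted(reasons)
```

For example, `weak_password_reasons("P4ssw0rd1")` reduces the candidate to “password” and reports `["common-word"]`, while a long unrelated passphrase passes all checks with an empty list.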

9. Energetic sentences

In the modern world, longer passwords are always better, so a passphrase is considered better protection than a password. However, there are multiple exceptions: very short and extremely predictable phrases. In the Adobe top 100 you can find “letmein”, “fuckyou” and “iloveyou”. Nothing to add.

10. Social security and other important numbers

Those passwords are harder to guess. However, hackers will definitely spend additional effort on finding such numbers when they see a “my social security number” type of password hint. Combined with a user name, birthdate and other Facebook-provided data, an SSN is usable for identity theft, making this kind of password very easy to monetize.

Hors concours – identical passwords

We can’t see this mistake within a single database such as Adobe’s, but it is as popular as using “123456”. I am talking about using the same password for multiple online services. It’s quite obvious why this is very bad. If your Adobe password becomes known to hackers, they can try your email/password combination on all popular sites like Facebook and Gmail and compromise not one but many of your accounts. According to a survey conducted by B2B International for Kaspersky Lab, 6% of users use a single password for all of their accounts, while 33% use only a handful of passwords. If the Adobe site was among the ones they use, those users now risk having their entire digital life hacked.

Obviously, all the aforementioned mistakes are made for one simple reason: today we typically use 5-10 online services, and it’s very challenging to remember 5-10 unique and complicated passwords. Luckily, there is a simple technical solution to this problem.

Here is our solution:

  • Don’t use the same password for multiple sites.
  • Use long and strong passwords.
  • Check your password reliability using special services.
  • Use a special password manager to store all your passwords in an encrypted form and don’t waste your time trying to memorize all of them. This way you can have unique, extremely complicated and strong passwords for each site without the risk of forgetting any of them.