Let’s start this article off with a prediction. I’m going to predict that the last password you used had the number 1 in it. No? What about the number 2? If you answered yes to either, you're in the roughly 30% of people who use a trailing 1 or 2 in their passwords. What about letters: does your password include the letter e, or the letter t? If it does then you’re also in the high percentage of people for whom e and t are the most used letters.
People are predictable. We follow patterns and schedules, and we do what we know and are comfortable with. There is already some great research out there on why we do the things we do, whether it’s movement dynamics in crowds or how we create traffic jams without a bottleneck. The real question, for us, comes down to how we can use these principles in computer security.
Passwords are one of the most intrinsic parts of our online lives. Some great teams, from Troy Hunt with Have I Been Pwned to the people at WPengine and their research on ten million passwords, have been doing great work in both correlating and analyzing the passwords we use day to day.
Let’s take a step back and look at our earlier prediction. Benford's law is the observation that, in many naturally occurring sets of numbers, smaller leading digits appear far more often than larger ones. From bus numbers to Twitter followers, we can see Benford's law put into practice in our day to day lives.
We can also see this in password security. In a study of ten million passwords, WPengine concluded that the top three trailing numbers were 1 (23.84%), 2 (6.27%) and 3 (3.86%). This trend, with smaller digits dominating, matches quite closely the premise behind Benford's law.
Next we have letters. In a similar way to how Benford's law predicts the occurrence of digits, frequency analysis can be used to predict the occurrence of letters. If we perform frequency analysis on English text we can see that the most common letters are e, t and a.
Looking back at the WPengine research, and their list of the ten most common passwords, we can see that the letter e alone shows up in 60% of them.
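The two measurements described above, the distribution of trailing digits and the frequency of letters across a password list, can be reproduced with a few lines of Python. The block below is an added example written for this article; it is not code from the article or from the WPengine study. The password list it analyses is a constructed sample, so the percentages it produces are illustrative and are not the study's figures. The `has_predictable_tail` heuristic is likewise an assumption of this example: it is one way a defender auditing a password policy might count how many passwords follow the "word plus small trailing digit" habit the article describes.

```python
"""Frequency analysis of a password sample: trailing digits and letters.

Added example for this article; not code from the article or from the
WPengine study. SAMPLE_PASSWORDS is a constructed list, so the figures it
yields are illustrative and are not the study's 23.84% / 6.27% / 3.86%.
"""
from collections import Counter
import string

# Constructed sample (hypothetical passwords that mimic the habit the
# article describes: a dictionary word followed by a small trailing digit).
SAMPLE_PASSWORDS = [
    "password1", "letmein2", "sunshine1", "dragon3", "qwerty1",
    "welcome2", "monkey1", "football", "princess1", "shadow12",
]


def trailing_digit_distribution(passwords):
    """Map each trailing digit to the fraction of ALL passwords ending in it.

    Passwords that do not end in a digit still count in the denominator,
    which is how a figure such as "23.84% end in 1" is read.
    """
    if not passwords:
        return {}
    counts = Counter(p[-1] for p in passwords if p and p[-1].isdigit())
    total = len(passwords)
    return {digit: counts[digit] / total for digit in sorted(counts)}


def letter_frequency(passwords):
    """Fraction of all letters (case-folded, a-z only) that each letter makes
    up, ordered from most to least frequent, as in classic frequency analysis."""
    counts = Counter(
        ch for p in passwords for ch in p.lower() if ch in string.ascii_lowercase
    )
    total = sum(counts.values())
    if total == 0:
        return {}
    return {ch: n / total for ch, n in counts.most_common()}


def letter_presence(passwords, letter):
    """Fraction of passwords that contain `letter` at least once (the measure
    behind "the letter e shows up in 60% of the top ten")."""
    if not passwords:
        return 0.0
    hits = sum(1 for p in passwords if letter.lower() in p.lower())
    return hits / len(passwords)


def has_predictable_tail(password):
    """Heuristic (an assumption of this example) for the pattern the article
    describes: the password ends in a short run (1-3) of digits whose last
    digit is 1, 2 or 3."""
    stripped = password.rstrip(string.digits)
    tail = password[len(stripped):]
    return 1 <= len(tail) <= 3 and tail[-1] in "123"


def predictable_tail_rate(passwords):
    """Share of passwords flagged by has_predictable_tail; a policy audit can
    use this to judge whether a user population needs better guidance."""
    if not passwords:
        return 0.0
    flagged = sum(1 for p in passwords if has_predictable_tail(p))
    return flagged / len(passwords)


if __name__ == "__main__":
    print("trailing digits:", trailing_digit_distribution(SAMPLE_PASSWORDS))
    top = list(letter_frequency(SAMPLE_PASSWORDS).items())[:3]
    print("top letters:", [(ch, round(f, 3)) for ch, f in top])
    print("passwords containing 'e':", letter_presence(SAMPLE_PASSWORDS, "e"))
    print("predictable tails:", predictable_tail_rate(SAMPLE_PASSWORDS))
```

On the constructed sample the trailing digit 1 accounts for half of the list, 2 for a further 30%, and e is the most frequent letter; the point of running it on a real list (for example, a set of cracked hashes from your own organisation's password audit) is to see how closely your users track the population-wide habits the article describes.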
There is a great quote from Steve Davidson in his book The Crystal Ball that states: "Forecasting future events is often like searching for a black cat in an unlit room, that may not even be there." The same is true of predicting passwords. All in all there are around three quadrillion, twenty-five trillion, nine hundred and eighty-nine billion, sixty-nine million, one hundred and forty-three thousand and forty (3,025,989,069,143,040) possible permutations for an eight character password. That being the case, we’re probably not going to be guessing anyone’s full password any time soon.
We’re not going to give up there, however. Even though it’s unlikely that someone is going to guess a password right off the bat, there are still a plethora of ways that passwords can be compromised, from social engineering and OSINT to data breaches and poor password complexity.
The tried and tested advice still stands: create strong or random passwords, use a password manager (if that’s what works for you) and don’t make predictable passwords.