Password Security

Security Breach: Top Cracked Passwords of 2019

By February 13, 2020 No Comments

TLDR: Be smart, use a password manager, and try our free automatic password audit tool to test your organization.

At the end of 2018 we gathered the password hashes we cracked throughout the year from our clients and compared common occurrences. We’ve done the same for the year 2019. How did we do as a society when it comes to password security? Not so great. There is quite a bit of room for improvement and we have a few ideas on how to do so.

(Please note any cracked password containing confidential information has been removed from the data set.)

Be smart.

Take a look at the graphs below. ‘password’ is the top base word for passwords. We can do better than this. Themes of 2019 include seasons and near-default terms like ‘cashier’ ‘welcome’ and ‘tr@ining’. Simple, short passwords filled with common base words don’t make the cut when it comes to password security.

Avoid using seasons, family, pet, business, position, and other commonly used words. A better option: think of a random sentence or longer phrase and then complicate it by taking out letters, adding numbers and special characters, and changing cases. Another resource for smarter passwords is NIST Special Publication 800-63B.

Top three base words for 2019: ‘password’ ‘summer’ and ‘p@ssword’.
Source: Silent Break Security, 2019.
‘Tr@ining’ ‘password’ and ‘Cashier123’ were the top cracked passwords for 2019. Two other forms of the word ‘password’ were in the top 10, ‘P@ssword12’ and ‘Pa55w0rd’.
Source: Silent Break Security, 2019.

Use a password manager.

Most organizations we come across have a password policy that requires a minimum of 8 characters. This just isn’t long enough. As exemplified by the graph below, even passwords with up to 14 characters are pretty easily cracked. With enough time and resources nearly any password hash can crack – but adding length removes you from the low-hanging fruit category.

Increased length and complexity begs the question, how on earth do you remember passwords? The answer: use a password manager. Use long, complex, randomly generated passwords for all accounts and save them in a password manager (like LastPass or PasswordState). All you have to remember is your one master password made out of a sentence or phrase you have altered to get into your manager.

Most passwords cracked in 2019 ranged in length between 7 and 14 characters; passwords containing only 8-10 characters were the most cracked. Source: Silent Break Security, 2019.
Complexity matters but it isn’t everything. A good mix of alphanumeric, special characters, and mixed cases definitely help, especially combined with length. Source: Silent Break Security, 2019.

Conduct regular password audits.

Whether big or small, every organization needs strong passwords. Good password policies combined with frequent password audits can give organizations real power in defending against adversaries.

The automatic password audit agent module in Silent Break Central gives detailed stats about user password usage, leaked passwords, duplicated passwords, and steps to improve overall password security. It is an on-prem agent that does not send password hash information to Silent Break or any other third party.

The best part: it’s free. No strings attached. It’s a little way we can give back to the community, and honestly, we just want the world to be more secure. Request your free automated password audit module on Silent Break Central today.

Here’s to another year – let’s make 2020 the most secure year yet!