The latest report from infosec provider Praetorian suggests that when it comes to hacking a password, the sequence and consistency of the characters is just as important as the actual strength of the password itself.
Using a technique called a mask attack, attackers break a password down into their component elements such as upper case letters (u), lower case letters (l), digits (d) and symbols (s).
In their example, Praetorian used “Password1234” which when viewed in this system becomes “ullllllldddd”. This string of letters is known as a mask. Each letter in the chain denotes the character type (u= upper case).
Using this technique, Praetorian analysed nearly 35 million leaked passwords from various sources. What they found was surprising.
Of the 35 million analysed passwords, half of used the same 13 masks. This means that despite the millions of variants of characters, digits and symbols, in our passwords, as many as half of us are using a very limited selection of masks.
Naturally our predisposition for these certain masks makes our passwords much easier to hack. Not to mention that many people also use dictionary words and personally identifiable information in their passwords.
Why do we behave like this?
Praetorian posits that our preference masks is down to the way that we are informed to create strong passwords. A simple example of this would be to use a capital letter in the password. Conventional behavior leads us to use it at the start of a password and use symbols such as ‘!’ at the end.
How to improve your password safety.
The most important thing to do to help make your passwords more difficult to crack is to use an unusual mask. Don’t be tempted to start your password with a capital and insert your symbols and digits somewhere other than the end.
Password managers can also help you generate strong, long and random passwords that use a wide variety of masks.