Every week, Rapid7 conducts penetration testing services for organizations and cracks hundreds, and sometimes thousands, of passwords. Our current password trove has more than 500,000 unique passwords that have been collected over the past two years. Where do these come from? Some of them come from Windows domain controllers and databases such as MySQL or Oracle; some of them are caught on the wire using Responder, and some are pulled out of memory with Mimikatz. In just the first two weeks of collecting passwords, the team gathered a new dataset of more than 100,000 passwords.

This blog is the first of our new password tips series, which has two goals: educate and entertain. First, we’ll look at what patterns emerge. Do people still typically put a capital letter in the first position? Do they often end with a 1 or an exclamation point? How long do they make their passwords? Do a lot of people use “l33t sp3@k” to make passwords harder to guess? (Spoiler: it doesn’t!) If penetration testers can make out these patterns and use them to our advantage, so can the malicious actors attacking your systems. I hope to help readers understand common usage patterns so they can use this information to create stronger policies and educate employees and peers through security awareness training on what makes a strong password.

Second, we’ll look at password choices for the fun of it. People create passwords expecting that no one else will ever see them, and because we need to remember passwords, we use things that are meaningful to us. About a year ago, there was a television commercial that showed a military general having to say his password out loud, and it turned out to be ihatemyjob1. What topics, words, or phrases do people use as their secret keys, and what does this say about their interests (or dislikes)? Does the data show that people mention sports teams or celebrities? For example, how many people use their password to make a statement on Tom Brady or LeBron James? Do people use swears or obscene terms in their passwords? Do people include loved ones or favorite public personas? We’ll look at all of these things and offer analysis on what we find.

When I’m on a penetration test and I compromise a network or a domain due to a weak password, I often get the question, “How do I get my employees to use secure passwords without making it too much of a pain?” That’s a great question. We know that if we force people to use long and complex passwords like 8!NbOF6$MEaURrr8*A(s&5H06VAd8Y, there’s no way they are going to remember them. Instead, they will write them down somewhere that someone (like me) can find them. The honest answer is that eliminating the low-hanging fruit is the best option. That means getting rid of the easily guessed passwords. I tell people that if they can eliminate three passwords from their systems, they will make life a lot harder for me, the pen tester, and also for malicious actors looking to compromise a system.

What are the three passwords to eliminate?

  1. Any version of “password”. Yes, this still happens, a lot. We do sometimes literally see “password”, but not as often as variations of it: Password, Password1, P@ssw0rd, password2018 and so on are among the first things we pen testers will try when brute forcing access into a network.

  2. Any variant of your company name. It can be hard to come up with unique passwords, and your company’s name is understandably easy to remember. If I were pen testing Rapid7, I might try RapidSeven, rapid7, Rapid7!, R@p!d7, and so on. If there is a minimum password length requirement, people will often put the year at the end, so I’d bet on Rapid72018. You get the idea: Your company name might be easy to remember, but it’s also easy for pen testers to guess.

  3. The last item on my list is actually the one we see the most. Many password policies specify that passwords must be changed every 90 days, or roughly every three months. What else changes every three months? The season! Yep, one of the most common passwords we see is simply the season and the year. If I were to start a brute force attack against a network, I would start with Winter2018 for the password. Is that your password? If so, change it. And don’t just add ! to the end of it, as that’s what I’ll try next.

Eliminating these three passwords and their variations will make my job a lot harder. In future posts here, I’ll make sure to follow up with statistics and data on these passwords from systems along with other trends that we see. We’ll also talk about how you can do password audits on your own systems and what to look for.
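
A check that rejects the three patterns above when a password is set, as an added example that is not from the original post or Rapid7's tooling. The function names, the leet table and the year-suffix rule are assumptions made here; the sample inputs are the candidates quoted in the list plus two constructed passphrases.

```python
import re

# Map common "l33t" substitutions back to letters so P@ssw0rd reads as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})
SEASONS = {"winter", "spring", "summer", "fall", "autumn"}
NUM_WORDS = "zero one two three four five six seven eight nine".split()
# A trailing 4-digit or 2-digit year, as in Winter2018 or Rapid72018.
YEAR_SUFFIX = re.compile(r"((?:19|20)\d{2}|\d{2})$")


def company_forms(company):
    """De-leeted spellings of the company name: as written and with digits spelled out."""
    name = company.lower()
    spelled = "".join(NUM_WORDS[int(c)] if "0" <= c <= "9" else c for c in name)
    return {name.translate(LEET), spelled.translate(LEET)}


def weak_pattern(password, company):
    """Return which of the three patterns the password matches, or None."""
    s = re.sub(r"[^a-z0-9]+$", "", password.lower())  # drop trailing "!" and similar
    year = YEAR_SUFFIX.search(s)
    word = (s[:year.start()] if year else s).translate(LEET)
    if "password" in word:
        return "password-variant"
    if any(form in word for form in company_forms(company)):
        return "company-name"
    if year and word in SEASONS:
        return "season-year"
    return None


def audit(candidates, company):
    """Map each rejected candidate to the pattern that triggered the rejection."""
    hits = {}
    for pw in candidates:
        reason = weak_pattern(pw, company)
        if reason:
            hits[pw] = reason
    return hits


if __name__ == "__main__":
    # Candidates quoted in the post, plus two constructed passphrases that should pass.
    sample = ["Password1", "P@ssw0rd", "password2018", "RapidSeven", "Rapid7!", "R@p!d7",
              "Rapid72018", "Winter2018", "Winter2018!", "correct horse battery staple",
              "plum-tractor-velvet-orbit"]
    for pw, reason in audit(sample, "Rapid7").items():
        print(f"{pw:<14} {reason}")
```

The company match is a substring test, so a very short company name will also reject unrelated passwords that happen to contain it.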

What types of questions do you have about password usage? What analysis are you curious about? What kind of information would be helpful to you in hardening your systems and networks? Please post your comments and questions below!

Interested in more password research from Rapid7? Check out The Attacker’s Dictionary, research based on nearly a year’s worth of opportunistic credential scanning data collected from Heisenberg, Rapid7’s public-facing network of low-interaction honeypots.
