We Are Fairly Predictable When It Comes To Passwords

And How We Don’t Trust Facebook Much Any More

Analysing Passwords

We did a bit of an analysis of hashing passwords last week, and asked our students a few questions around their password usage. Initially we asked them which company they trusted most for their on-line security. For them, it was Apple and Google that were the most trusted, with Twitter and Facebook trailing. Facebook, by far, has the lowest levels of trust:

I must say that this survey was last Friday, and was BEFORE the announcement of the Facebook hack, so the results for Facebook are looking bad for trust.

When I asked them about the subject they were most looking forward to in the module, it was Blockchain, Tunnelling, IDS and Cryptocurrency:

And for the risk of a hack, students felt that they worried most about Google Mail being hacked (as it was often their core identity reset account):

For passwords, it was good to see that most have more than 11 characters (with a few at 8 and 9):

For two-factor authentication, most students identified that they had set this up:

For their passwords, it was the name of someone in the family and a memorable place that came top for their password usage:

And when forced to put an uppercase letter, we see that many just put it at the start:

And the highest number said that they only used one uppercase letter:

And when putting a number into the password, most put it at the end:

And the majority of students only have between 2 and 5 passwords that they move between:

And when they change their password, there was a bit of a split, with the majority completely changing their password:

And for the changes in the password, many changed a “o” to a “0”:

If you are interested here is the lecture:

Conclusions

Unfortunately hashcat knows the typical human well. It knows that the majority of people will have a single uppercase letter in their password, and will put it at the start. And that most users will put the numbers at the end. And that they will change an ‘o’ to a zero. It knows to target the eight character passwords first, and to pick off phrases. And so on.
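The habits listed above are exactly what a defender can screen for at password-change time. The following is an added example, not code from the post or from hashcat: a small audit function that flags a candidate password for the survey's predictable patterns (a single uppercase letter at the start, digits only at the end, an ‘o’ swapped for a ‘0’ on top of a memorable word, and short length). The `COMMON_BASES` set is a constructed stand-in for the real dictionary, family-name and place-name lists a deployment would use.

```python
import re
from typing import List

# Constructed stand-in for a real dictionary / names / places list (assumption:
# illustrative only; a deployment would load a proper wordlist here).
COMMON_BASES = {
    "edinburgh", "london", "summer", "charlie", "sophie", "password", "football",
}

# The substitutions the survey reported ("o" -> "0") plus the usual companions.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})
LEET_CHARS = set("013457@$")


def strip_affixes(password: str) -> str:
    """Remove trailing digits/symbols and leading symbols, leaving the 'word' core."""
    core = re.sub(r"[\d\W_]+$", "", password)  # e.g. "Edinburgh2018" -> "Edinburgh"
    return re.sub(r"^[\W_]+", "", core)


def deleet(core: str) -> str:
    """Undo common character substitutions and lowercase, e.g. "L0nd0n" -> "london"."""
    return core.translate(LEET_MAP).lower()


def predictability_findings(password: str) -> List[str]:
    """Return the list of predictable-pattern labels that apply to `password`.

    An empty list means none of the survey's habits were detected; it does not
    mean the password is strong, only that it avoids these specific shortcuts.
    """
    findings: List[str] = []

    # Survey: most students at 11+ characters, a few at 8 and 9.
    if len(password) < 12:
        findings.append("short")

    # Survey: a single uppercase letter, usually placed at the start.
    upper_positions = [i for i, c in enumerate(password) if c.isupper()]
    if len(upper_positions) == 1:
        findings.append("single-uppercase")
        if upper_positions[0] == 0:
            findings.append("uppercase-at-start")

    # Survey: numbers go at the end (and nowhere else).
    trailing = re.search(r"\d+$", password)
    if trailing and not re.search(r"\d", password[:trailing.start()]):
        findings.append("digits-only-at-end")

    # Survey: a memorable name/place, sometimes with "o" -> "0" style swaps.
    core = strip_affixes(password)
    if deleet(core) in COMMON_BASES:
        findings.append("dictionary-base")
        if any(c in LEET_CHARS for c in core):
            findings.append("leet-substitution")

    return findings


if __name__ == "__main__":
    for candidate in ["Edinburgh2018", "L0nd0n!", "xK7#pQ2m", "correct horse battery staple"]:
        print(f"{candidate!r}: {predictability_findings(candidate)}")
```

The checks deliberately test the de-substituted, affix-stripped core against the wordlist rather than the raw string, because that is the form a cracking rule set reduces the password to; a policy that only counts character classes would accept "L0nd0n!" as mixed-case, with a digit and a symbol, and miss the point.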

So watch how eight character passwords are cracked in just a few minutes: