You may have thought “OpenSesame” was a pretty clever password when you set up your Wifi router, but it shouldn’t come as a surprise that it’s not the most secure choice for guarding access to your wireless network. But take heart: most people are just as bad at choosing decent passwords.
One of the new features of OpenSignal’s WifiMapper app is that it allows users to share passwords for public and shared Wifi networks. The main purpose of the feature is to help WifiMapper users onto as many wireless networks as possible, but in the process we’ve gathered quite a lot of password data to analyze. We examined 5000 passwords and found that many followed some fairly predictable patterns. For instance, the most common password was “123456789”, comprising 1.5 percent of the sample. Keep in mind, though, that these passwords are intended to be shared. Most of them come from businesses that freely distribute their passwords so their customers can access their networks, so we’re not claiming this sample is representative of every secured Wifi router. But we think it’s an interesting way to explore some of the most common password-naming conventions.
We decided to see how easy it would be to guess these passwords using ZXCVBN, a password-strength gauge that estimates how many guesses a password would take by recognising patterns in it, rather than relying on brute-force password cracking methods (for more information on ZXCVBN check out Dropbox’s blog). For our experiment, we assumed a person using ZXCVBN methods could submit a password guess every five seconds, and then calculated the amount of time it would take to guess a particular password in our database. Here are the results:
The vertical axis shows the time in seconds it would take to guess a password correctly, assuming the guesser follows ZXCVBN’s pattern-based ordering. The horizontal axis ranks the 5000 WifiMapper passwords in the sample in order of difficulty of guessing correctly, zero being easiest to crack and 5000 being the hardest. We also included some examples of real passwords used in WifiMapper along with the corresponding time it would take to guess them correctly.
The password “password” has a time of zero. It can be guessed instantly since it’s the first one that should be tried. A more complicated word, such as “polar”, would take 7 hours, while a more complex one, “ecolands”, would take 5 years. That may seem like a long time, but remember we’re assuming a live person entering passwords manually. A program entering passwords at a rate of 1000 submissions per second could gain access in less than 9 hours.
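To make the guess-time calculation above concrete, here is a small pattern-based estimator written for this post (it is an added illustration in the spirit of ZXCVBN, not ZXCVBN’s own matchers or word lists): the cheapest pattern explanation of a password wins, and the time to crack follows from the guess rate, whether the one guess every five seconds assumed in the experiment or the 1000 guesses per second of a program. The dictionary ranks are constructed and far smaller than a real ranked word list, so the absolute numbers are illustrative only.

```python
"""Simplified pattern-based guess estimator in the spirit of zxcvbn (added
illustration; not zxcvbn's real matchers or word lists): the cheapest
pattern-based explanation of a password wins, and crack time follows from
the attacker's guess rate (the post assumes 1 guess/5 s human, 1000/s program)."""
import math
import string

# Constructed frequency ranks standing in for zxcvbn's ranked word lists.
RANK = {"password": 1, "123456": 2, "123456789": 3, "qwerty": 4,
        "opensesame": 3000, "open": 1200, "sesame": 18000, "polar": 5000,
        "pencil": 4000, "hiccup": 25000, "correct": 800, "horse": 900,
        "battery": 2500, "staple": 9000}

def token_guesses(tok):
    """Dictionary rank (x2 if capitalised) or an ascending run like 'abcdef';
    None if the token matches no pattern."""
    low = tok.lower()
    if low in RANK:
        return RANK[low] * (2 if tok != low else 1)
    if len(tok) >= 3 and {ord(b) - ord(a) for a, b in zip(tok, tok[1:])} == {1}:
        return 10 * len(tok)  # constructed cost for sequences
    return None

def bruteforce_guesses(pw):
    """Fallback: size of the character classes present, to the power of length."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation)))
    space = sum(n for pred, n in classes if any(pred(c) for c in pw))
    return space ** len(pw)

def estimate_guesses(pw):
    """Cheapest segmentation into pattern tokens, times k! for k tokens (a crude
    stand-in for zxcvbn's multi-match penalty); whole-string brute force otherwise."""
    n = len(pw)
    best = [None] * (n + 1)  # per prefix: (product of token guesses, token count)
    best[0] = (1, 0)
    total = lambda s: s[0] * math.factorial(s[1])
    for i in range(1, n + 1):
        for j in range(i):
            g = token_guesses(pw[j:i]) if best[j] else None
            if g is not None:
                cand = (best[j][0] * g, best[j][1] + 1)
                if best[i] is None or total(cand) < total(best[i]):
                    best[i] = cand
    return total(best[n]) if best[n] else bruteforce_guesses(pw)

def crack_seconds(guesses, guesses_per_second):
    """Time until the right guess; the first guess counts as instant, so
    'password' (rank 1) takes 0 s as in the post."""
    return (guesses - 1) / guesses_per_second
```

With these constructed ranks, “OpenSesame” is explained as a single well-known password and falls in hours at the human rate, while “SesamePencilHiccup” has no cheap explanation and stays out of reach for centuries even at 1000 guesses per second.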
But once we get to the final 1000 passwords in our sample, the curve rises steeply. The passwords essentially become unguessable because it would just take centuries to try all the different permutations. So of our sample, only 20 percent of the passwords can’t be hacked following the ZXCVBN method.
So what do these weak passwords have in common? They all follow patterns that make them — to varying degrees — easy to guess. They use mainly lower-case letters and make heavy use of the alphabet, rather than numerals. Many of them are common short phrases, addresses, brand names or words straight out of the dictionary. Does that mean the only truly safe passwords are strings of random characters like the one used by the ‘winner’ in our sample? Not necessarily.
According to ZXCVBN’s creators, some of the best passwords are in plain English (or German, Russian, Japanese, etc…), but they bring together random words that don’t form any intelligible phrase. The example Dropbox uses is “CorrectHorseBatteryStaple”. That’s a much easier password to memorize than, say, “^HStyeY36YU#WM”, and by ZXCVBN rules it’s just as secure. A pattern detector needs a pattern to work, so while “OpenSesame” is a horrible password, “SesamePencilHiccup” is actually quite a good one.