
Common Passwords Black Hat Hackers Exploit and How to Avoid Them


Weak passwords are those that are easy to guess, either for a human or a computer. Passwords are weak if they are dictionary words, usernames, sports teams, birthdates, or patterns [1].

In today’s hyper-connected world, the rise in cyber-attacks is not just a tech concern, but a people concern. The most common way black hat hackers gain access to our information is through weak passwords. Having an obvious or easy-to-remember password like “iloveyou” makes life easy but it is what hackers love to exploit [2].

According to IS (Information Systems) Decisions [3], a company that develops security software, and Keeper [7], weak passwords are more vulnerable than ever in this age of AI, which significantly enhances attackers’ ability to crack them. Advanced machine learning algorithms can now analyze massive amounts of data to guess passwords rapidly through sophisticated versions of brute-force or dictionary attacks. By processing vast password databases, AI algorithms can predict and test commonly used passwords, phrases, or even passwords based on user behavior. For instance, an AI might recognize patterns such as “123456” or personal identifiers like birthdays, which are often used as passwords.

Additionally, AI-powered tools can monitor data from compromised devices, even exploiting sound-based “side-channel” attacks where they can capture keystrokes through audio. This capability means even basic interactions like typing can unintentionally reveal sensitive information, allowing attackers to bypass traditional security measures[4].

According to the annual report by NordPass [5], below are some of the most commonly hacked passwords that you should avoid:

  • 123456 
  • password  
  • qwerty 
  • 111111 
  • abc123  
  • letmein 
  • monkey  
  • welcome  
  • admin

Password lists like the one above are often the first thing a hacker will try when launching a brute-force or dictionary attack.

Why are these passwords hacked easily?

  • Predictability: Hackers know that people tend to pick the path of least resistance. A lot of us re-use the same password across multiple accounts or choose ones that are basic and easy to recall. For example, in late 2023, NordPass found that over 23 million accounts worldwide used “123456” as a password. Similarly, the passwords “password,” “12345,” and “123456789” were also among the top passwords used, making millions of accounts vulnerable to cyber attacks [5].
  • Dictionary Attacks: These attacks involve automated tools trying millions of potential password combinations, often starting with the most common ones. Examples of such tools are John the Ripper, Hashcat, and Hydra. During the 2012 LinkedIn data breach [8], hackers obtained encrypted passwords from LinkedIn’s database. They then used a dictionary attack, attempting common words and phrases, to crack millions of passwords, ultimately exposing 6.5 million user accounts. Many of the passwords were common and weak, making them vulnerable to dictionary-based techniques.
  • Brute Force Attacks: Hackers use tools that attempt every possible combination of letters, numbers, and symbols until they crack the password. Short, simple passwords get broken much faster. In 2016, hackers brute-forced the Yahoo password database and compromised over 500 million user accounts. This attack leveraged weak passwords and also allowed attackers to access other accounts where users used the same password across different platforms [9].

How to prevent weak password attacks

  • Create strong, unique passwords

A strong password is one that hackers can’t guess with their automated tools. Follow the steps below to create a strong and unique password:

      • Use at least 12 characters: The longer the password, the harder it is to crack.
      • Mix it up: Use a combination of upper and lower-case letters, numbers, and symbols.
      • Avoid personal information: Don’t use easily accessible information like your name, birthdate, pet’s name, or nickname.
      • Use random words or phrases: Creating a passphrase like “GeniusCyberArt99!” can be harder to crack while still being memorable for you.

  • Enable Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA)

2FA/MFA adds an extra layer of security by requiring a second (or additional) form of authentication, like a text message code or fingerprint, in addition to your password. Even if hackers somehow get your password, they won’t have access to the second factor. Turn on 2FA/MFA wherever possible, especially on sensitive accounts like your email or banking [6].

  • Leverage password managers

These generate and store complex passwords, so that you don’t have to remember all of them. Tools like LastPass, 1Password, and Bitwarden can help keep your accounts secure while simplifying the process.

  • Don’t reuse passwords across multiple accounts

It might feel convenient to use the same password across accounts, but it’s a huge security risk. If hackers gain access to one account, they could potentially access all of your accounts. Make sure each account has its own unique, strong password.

  • Regularly Update Your Passwords

This may seem tedious, but it’s important to update your passwords periodically. Hackers might collect stolen passwords over time from data breaches, and rotating your passwords every few months can help prevent them from accessing your accounts if your information is leaked. It is advisable to change your password every 3 months.

  • Beware of phishing

Sometimes, even the strongest passwords can be compromised if you fall for a phishing attack. These are fake emails or websites that trick you into revealing your login information. Always double-check the source of any email that asks for personal information, and never click on suspicious links.
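The password-creation steps above can be enforced at signup or password-change time. The sketch below is an added example, not code from any of the cited sources: it rejects the commonly hacked passwords this article lists, applies the 12-character and character-mix rules, flags simple patterns and personal information, and estimates the brute-force search space. The function names, the sequence list and the sample inputs are assumptions made for illustration.

```python
import math
import string

# Passwords this page names as commonly hacked (constructed set, not a full list).
COMMON = {"123456", "password", "qwerty", "111111", "abc123", "letmein",
          "monkey", "welcome", "admin", "12345", "123456789", "iloveyou"}
# Keyboard rows and alphabet/digit runs used to spot simple patterns.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
MIN_LENGTH = 12  # minimum length recommended on this page


def brute_force_bits(pw):
    """log2 of the exhaustive search space: an upper bound on real strength."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def has_sequence(lowered, run=4):
    """True if the password contains a run of `run` adjacent keys or letters."""
    return any(seq[i:i + run] in lowered
               for seq in SEQUENCES for i in range(len(seq) - run + 1))


def check_password(pw, personal_info=()):
    """Return the list of rules the password breaks; empty means it passes."""
    lowered = pw.lower()
    problems = []
    if lowered in COMMON:
        problems.append("on the common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = sum(1 for cls in CLASSES if not any(c in cls for c in pw))
    if missing:
        problems.append(f"missing {missing} of 4 character classes")
    if has_sequence(lowered):
        problems.append("contains a keyboard or alphabet sequence")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:  # skip tiny tokens
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "GeniusCyberArt99!"):
        print(candidate, round(brute_force_bits(candidate), 1),
              check_password(candidate))
```

The bit estimate only describes exhaustive guessing; a dictionary attack finds a listed password regardless of its length or character mix, which is why the list check runs first.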

Conclusion

By creating stronger, unique passwords and utilizing tools like password managers and 2FA, you make yourself a much harder target for hackers. Password security might feel like an annoying task, but it’s one of the most effective ways to protect yourself online.

Always remember that hackers are looking for easy prey. Don’t let a weak password be a reason for your information to be compromised. Take a few extra steps now, and you’ll save yourself a world of trouble later.

Additionally, while passwords have long been a cornerstone of digital security, their future is uncertain. With the rise of AI and stricter regulations, the digital landscape is shifting towards more secure and user-friendly authentication methods like passkeys or biometrics. This evolution promises to enhance security while potentially alleviating the burden of password management for users, ushering in a new era of cybersecurity.

References

[1] https://www.sciencedirect.com/topics/computer-science/weak-password

[2] https://marketrealist.com/what-is-the-most-common-online-password-in-the-world/

[3] https://www.isdecisions.com/en/blog/access-management/how-ai-makes-password-based-authentication-even-weaker-and-what-to-do-about-it

[4] https://blog.barracuda.com/2023/11/01/password-protection-agi-ai

[5] https://nordsecurity.com/press-area/nordpass-released-the-200-most-common-passwords-of-2023

[6] https://blog.lastpass.com/posts/two-factor-authentication-what-it-is-why-you-need-it

[7] https://www.keepersecurity.com/blog/2023/08/17/how-ai-can-crack-your-passwords/

[8] https://identitytheft.org/data-breach/linkedin/

[9] https://en.m.wikipedia.org/wiki/Yahoo_data_breaches

Namatende Zainab

Mentoring Programme Testimonial - Namatende Zainab

Created by Namatende Zainab as part of the Mentoring Programme

This document is strictly private, confidential and personal to its recipients and is the sole property of Lateral Connect and should not be copied, distributed or reproduced in whole or in part, nor passed to any third party without prior permission from Lateral Connect.
