
posted by martyb on Friday December 13 2019, @03:11PM
from the https://xkcd.com/936/ dept.

49% of workers, when forced to update their password, reuse the same one with just a minor change:

A survey of 200 people conducted by security outfit HYPR has some alarming findings.

For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.

Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users' tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.

What is so bad about changing "Password1" to "Password2"?

  • (Score: 2) by Osamabobama (5842) on Friday December 13 2019, @05:38PM (#931768) (2 children)

    The most plausible scenario where this would help is a password breach, where unencrypted passwords are revealed. This could be from a different site, where the same password is reused, or a single site, where the password table is cracked or otherwise revealed. Then the data gets into the hackers' hands...

    Now, hypothetically, they are targeting you specifically (not just going through the whole list--for whatever reason). They don't get in on your old password, but they see an identifiable pattern, and iterate through the logical next steps. Alternatively, an automated tool cycles through passwords based on the pattern.

    This attack vector needs unencrypted passwords, which should be hard to get because of hashing and salting and so on, but not every site is using best practices. Also, there are other threat models that get ignored when people concentrate on this one.

    Disclaimer: I'm stretching the limits of my understanding of this subject by explaining this, so don't use me as a reference if it's important.

    --
    Appended to the end of comments you post. Max: 120 chars.
  • (Score: 0) by Anonymous Coward on Friday December 13 2019, @06:11PM (#931781) (1 child)

    They don't get in on your old password, but they see an identifiable pattern

    To see an identifiable pattern they'd need more than one old password.

    • (Score: 2) by stretch611 (6199) on Saturday December 14 2019, @12:54AM (#931889)

      Not necessarily...

      It is possible at times to guess a pattern after seeing/knowing only one password.

      I used to work somewhere that required monthly password resetting.

      I used to take a single word and follow it with a 1 or 2 digit password. If someone sees password12, it does not take a rocket scientist to make an assumption that they will change it to password13 at the next reset, or another reasonable guess would be password01 if it is currently December. Back then we used to share passwords with our coworkers for various tasks... It was not unusual for people to use the same password followed by the numerical month.

      After they banned passwords that only changed 1 or 2 digits/characters, I even took the lazy step of changing my password from "March2007" to "April2007" to "May2007". I would truncate the longer months if necessary as well. Another case of easy to guess the identifiable pattern even if you only have one password.

      Honestly, even then I knew how bad it was to use passwords like that... but I honestly didn't give a damn about the company I worked for then either. After I left, I didn't do the month/year passwords, but I still implemented the add 1 to the number or use the month as a number suffix to passwords.

      I no longer am forced to change my password every month... and I have not had to do that in roughly 8 years. Since then, I use an offline password manager ( KeepassX [keepassx.org] ) I let it generate random passwords for me and I never change them. I never let the browser remember passwords or use a browser extension to fill them in for me simply because browsers are one of the biggest security risks on your computer.

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
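
The story's "Password1" to "Password2" question and the rotation patterns described in the comment above (password12 to password13 or password01, March2007 to April2007) can be caught at the moment the user submits a change, which is the only time the old and new passwords are both available in clear. The following is an added example written for this page, not code from SoylentNews, HYPR, KeepassX or any commenter. It assumes a hypothetical password-change handler that receives both values and rejects a new password that is only a minor edit of the old one (small edit distance, same base word with a different trailing number, or the same text with a month name swapped); it also shows the alternative the last comment uses, a randomly generated password from the `secrets` module that is never rotated on a schedule. The similarity rules and their thresholds are this example's own choices.

```python
import re
import secrets
import string

# Added example (not part of the story or the comments above). Assumed
# scenario: a change-password handler holds the old and new password in
# clear for the duration of the request and wants to reject "minor change"
# rotations such as Password1 -> Password2 or March2007 -> April2007.

MONTHS = [
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
]
# Full names and 3-letter abbreviations, longest first so "march" wins over "mar".
_MONTH_TOKENS = sorted(MONTHS + [m[:3] for m in MONTHS], key=len, reverse=True)
# A month only counts when followed by digits or the end of the string
# ("march2007", "password-may"), which avoids flagging words like "mayonnaise1".
_MONTH_RE = re.compile("(" + "|".join(_MONTH_TOKENS) + r")(?=\d|$)")
# Up to four trailing digits: password12, password01, April2007.
_NUM_SUFFIX_RE = re.compile(r"^(.*?)(\d{1,4})$")

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def _split_numeric_suffix(s):
    """'password12' -> ('password', '12'); 'staple' -> ('staple', None)."""
    m = _NUM_SUFFIX_RE.match(s)
    return (m.group(1), m.group(2)) if m else (s, None)


def trivial_change_reasons(old, new, max_edits=2):
    """Return the reasons why `new` is only a minor variation of `old`.

    An empty list means the change is acceptable under these rules. The
    comparison is case-insensitive so Password1 -> password1 is not a change.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return ["new password equals the old one (ignoring case)"]
    reasons = []
    if levenshtein(o, n) <= max_edits:
        reasons.append(f"differs from the old password by at most {max_edits} edits")
    old_base, old_suffix = _split_numeric_suffix(o)
    new_base, new_suffix = _split_numeric_suffix(n)
    if old_suffix is not None and new_suffix is not None and old_base == new_base:
        reasons.append("same base word, only the trailing number changed")
    if _MONTH_RE.search(o) and _MONTH_RE.sub("<month>", o) == _MONTH_RE.sub("<month>", n):
        reasons.append("same password with a month name swapped")
    return reasons


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Random password from a CSPRNG, the kind a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample rotations taken from the discussion above.
    for old, new in [("Password1", "Password2"), ("password12", "password13"),
                     ("password12", "password01"), ("March2007", "April2007"),
                     ("Password1", "correct horse battery staple")]:
        reasons = trivial_change_reasons(old, new)
        verdict = "REJECT" if reasons else "accept"
        print(f"{old!r} -> {new!r}: {verdict} {reasons}")
    print("generated:", generate_password())
```

The edit-distance rule alone misses the month-swap case (March2007 and April2007 are four edits apart), which is why the month rule is separate; conversely the numeric-suffix rule catches password12 to password99, which the edit-distance rule would also allow. Checks like these only run at change time; they do not help against reuse across sites, which is the breach scenario the first comment describes.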