Bad password policies lead to bad passwords (video)

Very nice discussion between Steve Ragan and Martin Bos (TrustedSec) on why so many passwords still suck: it’s in the patterns we use! Policies at work and on sites we visit instill bad habits and then reinforce our bad habits – all while we think we’re being secure!


Years ago, I did a talk about how bad password policies were and how organizations needed to step up their game based on the advances that crackers were making with GPU-based password cracking. Unfortunately, 5 or 6 years later, after I’d given that talk, the penetration tests that I go on and the web applications that I look at or assess or even use on a daily basis are still using the same short passwords… when you’re cracking 9 billion passwords a second, 10 characters is short.

Martin Bos

Martin goes on to say that he hasn’t seen advances in enterprise and user environments that would spur better passwords in general.

We’ve still left it up to the user to be able to make their own pattern for the password. So the patterns are really predictive.

The problem is that the rules that should be helping us create complex passwords (a healthy mix of upper/lower case letters, numbers, special characters) are actually resulting in predictability that is being exploited by hackers.

Martin’s suggestion to overcome this predictability is to check and restrict common topologies when confirming that a new password is valid. As an example, he points out that through years (and years) of school, we’ve been conditioned to put capital letters at the beginning of words. So, guess what happens when we are required to include a capital (upper case) character in a password? 9 times out of 10, it’s going to be the first character in our shiny new and, regrettably, not-so-strong password. Hackers are aware of their marks’ (that’s all of us!) weakness when it comes to patterns and they use them against us.
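One way to implement the topology check described above, as an added example that is not from the video or from TrustedSec: each character is reduced to its class (u = upper, l = lower, d = digit, s = anything else) and the resulting shape is compared against a deny list. The deny-list entries, function names and sample candidates are constructed for illustration; the 12-character minimum is the one this post suggests.

```python
import re

MIN_LENGTH = 12  # minimum length suggested in this post

# Constructed deny list (assumption, not from the video): regexes over the
# topology string, each describing a shape that complexity rules tend to produce.
DENIED_SHAPES = {
    "capitalised word + digits": re.compile(r"ul+d+"),
    "capitalised word + digits + symbol": re.compile(r"ul+d+s+"),
    "capitalised word + symbol + digits": re.compile(r"ul+s+d+"),
    "lowercase word + digits": re.compile(r"l+d+"),
}


def topology(password: str) -> str:
    """Return one class letter per character: u, l, d or s (anything else)."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("u")
        elif ch.islower():
            classes.append("l")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)


def check_password(password: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    shape = topology(password)
    for name, pattern in DENIED_SHAPES.items():
        # fullmatch: the whole password must have this shape, not just a part of it
        if pattern.fullmatch(shape):
            reasons.append(f"common topology: {name}")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Summer2017", "Wintertime2024!", "tq7#Lw9vZ!r2Xp"]:
        print(candidate, topology(candidate), check_password(candidate) or "accepted")
```

The second candidate is 15 characters long and uses all four character classes, yet it is still rejected because its shape is the capital-first, digits-and-symbol-last pattern.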

So, what can we do? Until our places of work and the websites that we use step up to protect us from our own patterns, we’re going to have to take the initiative ourselves.

Get out of the pattern habit. A password manager is your best chance for having long (12 characters as a minimum) and strong (random) and unique (no reusing) passwords for each and every one of your online accounts. We recommend Sticky Password.

Funny you should ask… we did have something to say about patterns in an earlier post.