Karen Simmons

User Password Behavior can be Exploited by Criminals

Every login starts with an end user. Companies can, and do, put mechanisms in place to push people toward better credential hygiene: minimum lengths, required special characters or digits. But humans are creatures of habit, and they follow patterns that fraudsters can reproduce when testing for valid credentials.


Consumers reuse passwords, and bad actors capitalize on that

It is well known that consumers reuse passwords, and our analysis of criminal behavior shows that the criminals know it too. In the credential stuffing attack against Company M, nearly 10% of the passwords that succeeded there had also been used successfully by miscreants at other sites (get the full case study document here). Consumers are also reluctant to change passwords: fewer than half of Americans would update a password after learning it was exposed in a data breach. You can read our in-depth report on credential and password reuse here.


Consumers change passwords in predictable ways

If your password policy requires it, consumers may take the time to create a strong password with numbers and special characters peppered throughout the string. Or they may simply append a digit or a character like “!” to the end of their “default” password. More complicated passwords are harder to remember, so consumers who do have a strong password tend to reuse it: one strong password that satisfies nearly every password policy, used across several different logins.


Attackers mimic common user password changes to test password variants

We see this behavior across myNetWatchman data and in our live monitoring of credential stuffing activity, applied to both passwords and usernames. When a cred stuffer obtains a username and password pair from a data breach and sees that the password is weak (for example, letters only), they will absolutely try variations of that password in their credential stuffing attacks.


Bad actors performing credential stuffing attacks are often sophisticated. They use bots or scripts to automate their attacks, including tumbling and swapping techniques, which make slight variations to a username and/or password. A seasoned attacker will research the password policies of the organizations they are targeting, then plan and try variations of the compromised password: capital letters (often the first character of the password), numeric characters, and special characters (often added at the end).


Here are just a few examples of what myNetWatchman sees when miscreants test passwords. Note the slight variations between the entries. It is unknown whether these variants were obtained from breach sets or created by the bad actor. However, for each of these usernames, at least one of the password variations (in some cases more than one) succeeded, giving the bad actor access to the user’s account.

Password variations for Username 1
    Tit@s1127
    Tit@s1128
    Titas1126
    titas1126
    titas1127
    Titas1127
    Titas11278
    Titas1128
    titas1128

Password variations for Username 2
    Carol2002
    carol2002
    carol2002!
    carol2002?
    Carol2002@
    carol2002$
    Carol2002$
    Carol20021
    Carol2002123

Password variations for Username 3
    MIlc_aeroger1
    MILcaeroger-912
    MILcaeroger1
    MIlcaeroger1
    milcaeroger1
    Milcaeroger1
    MILcaeroger1!
    MILcaeroger123
    Milcaeroger123
    MILcaeroger345
    MILcaeroger912!

Password variations for Username 4
    Patyn3ta
    patyn3ta
    Patyn3ta*
    patyneta
    Patyneta*17
    Patyneta*1703
    patyneta123
    Patyneta123
    Patyneta2511
    patyneta2511


myNetWatchman has been observing criminal behavior for more than 20 years. We see the bad actors testing password variations - incrementing numbers, changing case, adding special characters. And the miscreants are having success with these passwords, because they aren’t completely random. They are variations created from known habits of people creating and changing passwords.
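The following Python is an added example written for this post; it is not myNetWatchman code and does not reproduce how AllCreds works. It shows both sides of the tumbling described above: tumble() generates the kind of guesses listed in the tables (case changes, a trailing number stepped up or down, a look-alike character swap, a suffix), and stem() is a defender's normal form under which every entry in one of the columns above collapses to the same string, so a registration or password-change handler can reject a "new" password that is only a trivial variant of a known-compromised one. The suffix list, the leet pairs and the sample breach list are assumptions chosen to match the table entries.

```python
"""Attacker-style password tumbling and a defensive variant check.
Example code added to this post; not myNetWatchman's AllCreds logic."""
import re
from typing import List, Optional, Set

# Assumed attacker habits (assumption, chosen to match the table above):
# suffixes a tumbling bot appends and look-alike swaps it tries.
SUFFIXES = ("!", "?", "@", "$", "*", "1", "123")
LEET_PAIRS = (("a", "@"), ("s", "$"), ("e", "3"), ("o", "0"))
# Inverse map the defender uses to undo those same substitutions.
UNLEET = str.maketrans("@$30", "aseo")
TRAILING_DIGITS = re.compile(r"(\d+)$")


def step_trailing_number(word: str, delta: int) -> Optional[str]:
    """'titas1127' -> 'titas1128' for delta=1; None if no trailing number."""
    m = TRAILING_DIGITS.search(word)
    if not m:
        return None
    n = int(m.group(1)) + delta
    if n < 0:
        return None
    return word[: m.start()] + str(n).zfill(len(m.group(1)))


def tumble(base: str) -> Set[str]:
    """Guesses a tumbling bot derives from one leaked password `base`:
    case changes, one leet swap, trailing number +/-1, then a suffix."""
    stems = {base, base.lower(), base.capitalize(), base.upper()}
    for w in list(stems):
        for plain, leet in LEET_PAIRS:
            i = w.lower().find(plain)
            if i >= 0:
                stems.add(w[:i] + leet + w[i + 1:])
    for w in list(stems):
        for delta in (-1, 1):
            v = step_trailing_number(w, delta)
            if v is not None:
                stems.add(v)
    guesses = set(stems)
    for w in stems:
        for s in SUFFIXES:
            guesses.add(w + s)
    return guesses


def stem(password: str) -> str:
    """Defender's normal form: lower-case, drop trailing punctuation and
    trailing digits, undo leet substitutions, drop remaining punctuation.
    'Tit@s1127', 'Titas11278' and 'titas1126' all become 'titas'."""
    s = password.lower().rstrip("!?@$*#%&-_.")
    s = TRAILING_DIGITS.sub("", s)
    s = s.translate(UNLEET)
    return re.sub(r"[^a-z0-9]", "", s)


def is_trivial_variant(candidate: str, compromised: str) -> bool:
    """True when `candidate` differs from `compromised` only by the kinds
    of edits tumble() makes, i.e. the two share a non-empty stem."""
    a, b = stem(candidate), stem(compromised)
    return bool(a) and a == b


def first_compromised_match(candidate: str, compromised: List[str]) -> Optional[str]:
    """Return the breach-list entry that `candidate` is a trivial variant
    of, or None.  A real deployment would query a breach-screening service."""
    for known in compromised:
        if is_trivial_variant(candidate, known):
            return known
    return None


# Sample breach entries (assumption): the first password listed for each
# username in the table above, standing in for a compromised-credential feed.
SAMPLE_BREACH_LIST = ["Tit@s1127", "Carol2002", "MIlc_aeroger1", "Patyn3ta"]

if __name__ == "__main__":
    for pw in ("Carol2002$", "Patyneta*1703", "MILcaeroger-912", "Summer2024"):
        print(pw, "->", first_compromised_match(pw, SAMPLE_BREACH_LIST))
```

The stem comparison is deliberately aggressive: any two passwords that differ only in case, trailing digits, trailing punctuation or leet spelling are treated as the same secret, because that is exactly the space a tumbling bot enumerates. The cost is a few false positives at registration time; the alternative is accepting a password that is one increment away from one already in a criminal's list.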


AllCreds is myNetWatchman’s credential screening service that lets you check any credential, any time, to see if it has ever been used or tested by a criminal. Our proprietary data repository has over 30 billion compromised credential pairs and grows by 15 million new credential pairs daily.
