In my last post I stated that login/password authentication is not secure.
Maybe the problem resides not in the ‘technology’ but, as so often, in the human factor.
In fact, the main problem is not the login/password procedure itself, but the way people use it.
So, in order to study my customers' passwords, I tried to create several simple rules to determine whether the passwords they use are easily crackable or not.
I did this study using data from a hospital, with 400 user accounts.
Let me remind you that although our software has several password-management rules implemented, we were asked to turn them off. These rules include:
- time validity
- minimum chars used
- time period for using the same password
- among others.
So, the rules I came up with are 10 very simple, common-sense rules:
Rule 1: Verify if the users ever changed the password (12% didn't, meaning they still use the original random password assigned to them)
Rule 2: Verify whether the password is the same as the login (4% use password = login)
Rule 3: Verify if the password is the institution name (1%)
Rule 4: Verify whether the password is the application name (4%)
Rule 5: Verify if the password is the official employee number (14% use their official number, which is published in every institution document)
Rule 6: Verify if the password is a year between 1900 and 2009 (25% use a year as password)
Rule 7: Verify whether the password is a 4-digit number other than the employee number from Rule 5 (5%)
Rule 8: Verify whether the password is the user's first name (2%)
Rule 9: Verify whether the password is the user's last name (1% use their last name, although I haven't tried maiden names)
Rule 10: Verify if the password is a Portuguese name (3% use Portuguese names, which I suppose are children's names or wife/husband names)
These 10 simple rules allowed me to crack 71% of the 400 user account passwords, meaning 284 user accounts.
I suppose that if I applied these rules to the same users on different applications, I would get similar results, because the crackable passwords were based on personal data.
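The ten rules above as a weak-password audit over a set of account records, written here as an added example (not the author's tool, and run on constructed sample accounts rather than the hospital data). Rules are tested in the post's order so each account is counted once under the first rule it fails; the institution name, application name and the short Portuguese-name list are placeholders I assumed.

```python
import re
from collections import Counter

INSTITUTION = "hospital"  # assumed institution name (Rule 3)
APPLICATION = "clinicapp"  # assumed application name (Rule 4)
PORTUGUESE_NAMES = {"joao", "maria", "ana", "pedro", "rita"}  # assumed short list (Rule 10)

RULES = [
    ("1 unchanged initial password", lambda u: u["pw"] == u["initial"]),
    ("2 password = login",           lambda u: u["pw"].lower() == u["login"].lower()),
    ("3 institution name",           lambda u: u["pw"].lower() == INSTITUTION),
    ("4 application name",           lambda u: u["pw"].lower() == APPLICATION),
    ("5 employee number",            lambda u: u["pw"] == u["emp_no"]),
    ("6 year 1900-2009",             lambda u: u["pw"].isdigit() and 1900 <= int(u["pw"]) <= 2009),
    # Rule 7 excludes the employee number; years never reach it because Rule 6 is tested first.
    ("7 other 4-digit number",       lambda u: re.fullmatch(r"\d{4}", u["pw"]) and u["pw"] != u["emp_no"]),
    ("8 first name",                 lambda u: u["pw"].lower() == u["first"].lower()),
    ("9 last name",                  lambda u: u["pw"].lower() == u["last"].lower()),
    ("10 Portuguese name",           lambda u: u["pw"].lower() in PORTUGUESE_NAMES),
]

def user(login, pw, first, last, emp_no, initial="Xk29!pQ"):
    return dict(login=login, pw=pw, first=first, last=last, emp_no=emp_no, initial=initial)

# Constructed sample accounts (not real data): one per rule plus one strong password.
SAMPLE = [
    user("amarques", "Xk29!pQ", "Ana", "Marques", "1001"),  # Rule 1: initial password never changed
    user("jsilva", "jsilva", "Joaquim", "Silva", "1002"),  # Rule 2
    user("tnunes", "Hospital", "Teresa", "Nunes", "1003"),  # Rule 3
    user("bsousa", "clinicapp", "Bruno", "Sousa", "1004"),  # Rule 4
    user("pferreira", "1005", "Paulo", "Ferreira", "1005"),  # Rule 5 (tested before Rule 6)
    user("rcosta", "1975", "Rui", "Costa", "1006"),  # Rule 6
    user("lpinto", "2468", "Luisa", "Pinto", "1007"),  # Rule 7
    user("mgomes", "Maria", "Maria", "Gomes", "1008"),  # Rule 8 (first match wins over Rule 10)
    user("hmatos", "matos", "Hugo", "Matos", "1009"),  # Rule 9
    user("fsantos", "rita", "Filipa", "Santos", "1010"),  # Rule 10
    user("dalves", "correct horse battery", "Diogo", "Alves", "1011"),  # passes every rule
]

def classify(u):
    return next((name for name, test in RULES if test(u)), None)  # first matching rule, or None

def audit(users):
    """Return (per-rule counts, number of weak accounts, weak percentage rounded)."""
    hits = Counter(classify(u) for u in users)
    hits.pop(None, None)  # drop accounts that matched no rule
    return hits, sum(hits.values()), round(100 * sum(hits.values()) / len(users))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, 10 of the 11 accounts (91%) fail at least one rule; on a real account base, the same per-rule counts tell you which policy (initial-password change, no employee numbers, minimum length) to switch back on first.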
“Do you really think your health data is safe?”
Let's ban login/password NOW!