People might think they’re getting better at creating passwords, but often-used tricks like adding the numeral 1 (fun fact: it’s the most common number at the end of passwords) can easily be bested by malicious bots and brute-force attacks.
Last month, security analyst Mark Burnett released 10 million leaked user names and passwords—most of them no longer active—that he collected with the intention of improving security research and practices. WP Engine, a hosting platform for WordPress sites, recently analyzed those passwords, along with 5 million others dumped on a Russian bitcoin forum in September, to derive some insights into people’s password habits.
Yes, “password,” first names, and the names of superheroes are all pretty common passwords. But the company also noticed something very unusual: Many people were using the same seemingly random strings of characters, which suggested those passwords weren’t random at all.
Looking down at their keyboards, WP Engine’s data analysis team realized people were following certain typing patterns to come up with passwords. “Qwerty,” for example, was the most popular keyboard pattern and second-most common password overall. A sample of the 20 most prevalent patterns, excluding sequential numbers, is below:
The last pattern—adgjmptw—stumped the analysts until they thought of another keypad: that of old-fashioned phones, where the number 2 corresponds to the letters A, B, and C; 3 to D, E, and F; and so on. To type “adgjmptw” on an old cell phone, one essentially dials “23456789.”
“I think ‘adgjmptw’ is just one of many examples—and an especially nice one, given the novelty of how it’s chosen—of how we are, for the most part, predictably unimaginative when it comes to choosing passwords, despite a decade of warnings from password strength checkers during sign-ups,” a WP Engine spokesman tells Quartz. “We love shortcuts. And so do password crackers.”
Crafty, but it’s only a step up from “123456,” the most common password of the 15 million analyzed. At first glance, such keyboard patterns might seem secure. But they won’t be difficult to crack once bots are trained to look for these patterns or these phrases are added to a list of words that algorithms use to break into people’s accounts.
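The Python code below is an added example, not part of the original article or of WP Engine's analysis. It shows how a sign-up password checker could reject the patterns described above: walks along a keyboard row, walks down keyboard columns (a generalization beyond the two patterns named in the article), and letter sequences that translate to consecutive digits on a phone keypad. The function names, thresholds, and sample passwords are assumptions made for illustration.

```python
# Added example: flag keyboard-walk and phone-keypad passwords at sign-up.
# All names and thresholds here are illustrative assumptions.

QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Keys read top-to-bottom, column by column: "1qaz2wsx3edc..."
COLUMNS = "".join(
    "".join(row[i] for row in QWERTY_ROWS if i < len(row)) for i in range(10)
)

# Classic phone keypad: 2 -> ABC, 3 -> DEF, ... 9 -> WXYZ
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

KEYPAD_MIN_LEN = 6  # shorter letter runs collide with ordinary words too often


def is_run(s, alphabet, min_len=4):
    """True if s is a contiguous slice of alphabet, forward or reversed."""
    return len(s) >= min_len and (s in alphabet or s[::-1] in alphabet)


def classify(password, min_len=4):
    """Return the name of the pattern the password follows, or None."""
    p = password.lower()
    if len(p) < min_len:
        return None
    # Walk along one row, e.g. "qwerty" (the digit row counts as a row too).
    if any(is_run(p, row, min_len) for row in QWERTY_ROWS):
        return "keyboard-row"
    # Walk down adjacent columns, e.g. "1qaz2wsx".
    if is_run(p, COLUMNS, min_len):
        return "keyboard-column"
    # Translate letters to keypad digits; "adgjmptw" becomes "23456789".
    if all(c in LETTER_TO_DIGIT for c in p):
        digits = "".join(LETTER_TO_DIGIT[c] for c in p)
        if is_run(digits, "23456789", KEYPAD_MIN_LEN):
            return "phone-keypad"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the leaked data sets.
    for pw in ["Qwerty", "adgjmptw", "1qaz2wsx", "poiuy", "correcthorse"]:
        print(f"{pw!r}: {classify(pw) or 'no pattern found'}")
```

A password that returns `None` here is not necessarily strong; the check only catches the layout-derived patterns discussed in this article and would sit alongside a breached-password list and length requirements.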
Now, once again, go change your passwords.