The power of love and breached passwords
When analyzing breached passwords from the Specops database, we often turn up surprising trends and insights. One example is the unexpected prevalence of the word “love” in passwords, and its significance across different languages and cultures. We’ll take a look at this trend and at how many of the most common words used in password combinations relate to love.
Love-related password combinations
Specops Breached Password Protection has been regularly updated to include more than 4 billion passwords, available as a secure list in the cloud or stored locally in the customer’s environment. An in-depth analysis of 120 million passwords from the database revealed the following findings for password combinations:
- “Love” was the most common word
- The second most common word was “evil”
- There are twice as many instances of the word “freak” compared to “saint”.
More non-English leaked passwords were also added in this update. Some of the most common passwords in other languages were also related to love: “woaini” (I love you in Chinese), “älskling” (sweetheart in Swedish) or “kochanie” (loved one in Polish).
“One of the strengths of our password list is that it includes more than just English-language passwords,” said Lori Osterholm, former CTO at Specops Software. “Some of the most popular leaked passwords lists don’t support foreign-language words, like the Swedish word ‘älskling’, and organizations relying on such lists may be, unknowingly, increasing their risk factor.”
Why are predictable passwords a problem?
“Widespread password-spraying and credential-stuffing attacks appear in the news every week,” Osterholm said. “If an IT admin wants to prevent hackers from gaining access to their environments through these attacks, a password deny list is a must. With today’s update, Specops continues to show why it’s a market leader for Active Directory. We are focused on making our password list a continuously-updated source of leaked passwords for people everywhere.”
Credential stuffing and password spraying are two of the most common attacks against user accounts, and both depend on predictable or reused passwords. Credential stuffing replays username and password pairs leaked from one breach against the login pages of other sites. Because many users reuse the same password across services, a single leaked pair can unlock several accounts, leading to data breaches, identity theft, and other forms of fraud. The defenses are strong, unique passwords for every account, multi-factor authentication, and a check at password-set time that blocks any password already known from a breach.
Password spraying, on the other hand, tries a small set of commonly used passwords (“love123”, “Password1”, a season plus the year) across a large number of user accounts. Because each account sees only one or two attempts, the attacker stays under per-account lockout thresholds while still finding the users who chose a predictable password. A single successful guess gives the attacker a foothold in the environment, from which they can move to further accounts and systems. To mitigate password spraying, organizations should enforce a strong password policy backed by a deny list of compromised and predictable passwords, enable multi-factor authentication, monitor login attempts for the spraying pattern (many accounts, few passwords, often from one source), and educate users on why common or easily guessable passwords are dangerous.
Find compromised passwords in your network today
You can find how many of your passwords are already compromised with a read-only scan of your Active Directory from Specops Password Auditor. You’ll get a free customizable report on password-related vulnerabilities, including weak policies, breached passwords, and stale/inactive accounts. Download your free auditing tool here.
Continuously scan for compromised passwords
Specops Breached Password Protection works together with Specops Password Policy so that companies and organizations can block every password found on the deny list at the moment a user tries to set it, making it easier to meet standards and guidance such as NIST SP 800-63B (which calls for checking new passwords against known-compromised lists) or Cyber Essentials. The service blocks end users from choosing compromised passwords (like the love-related ones mentioned in this post).
Our research team’s attack-monitoring data collection systems update the service daily, so the list reflects passwords seen in real-world password attacks happening right now. Breached Password Protection also continuously scans your Active Directory for accounts whose current password appears on the list, and lets you alert the affected end users with customizable messaging that helps reduce calls to the service desk.
Interested in seeing how this might work for your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.
(Last updated on February 12, 2025)