I know that there are some common passwords like hunter6 or Password. These are very insecure since everybody knows to try them first.

It is commonly thought that passwords derived from the username alone are also insecure. For instance, setting the password to the same as the username is often accepted as a bad idea. Simple functions (e.g. the username backwards) would in theory also offer little added security - is there any research on which such functions for deriving a password based on the username are the most common?

Superbest
  • You reminded me that Jeff Atwood made [some password stats in the past](https://blog.codinghorror.com/dictionary-attacks-101/), that probably includes a lot of SO/SE passwords. – grochmal Sep 15 '16 at 00:14

2 Answers

Username + Current Year

Username + Digit (any of 0-9)

Username + 123

Those are my top 3, determined from a login survey of 4000 stations in a large company.

Overmind
Password security depends on how easy it is to guess. You can assign entropy to a password by doing some calculations. Technically a password 123456 is as good as 612435 just based on how many combinations with that alphabet exist. The only reason 123456 is less secure is due to psychological reasons: more people choose 123456 and attackers guess 123456 first.

The username/password patterns are mostly the same as common word patterns such as:

word, [ digit ] # Mostly either current year as 4 or 2 digits
                # But also just single digits or things like 321, 123

word, [ special character ] # Mostly underscores, question marks
                            # exclamation marks

digit, word     # Such as prefixing a word with a 0

mroman
  • If you were to answer my question analytically, you'd need an equation for "entropy given certain information", the certain information being username plus choice of function. – Superbest Sep 15 '16 at 14:41
  • Entropy is just the log2 of the password space. – mroman Sep 16 '16 at 05:40