
Executive Summary: COMMON PASSWORDS

Marina Tovar, Keanna Grelicha, Counterintelligence and Cyber (CICYBER) Team

Week of Monday, December 6, 2021

Password Strength[1]

NordPass, a password management services enterprise, issued a report in 2021 on the “Top 200 most secure passwords.”[2] The NordPass report included a list of the most common passwords and the time a hacker would take to decipher each of them.[3] Roughly 20% of the passwords from the companies evaluated were the same as the company's name, or variations of it with numbers or years appended.[4] Users almost certainly choose similar passwords to remember them more easily. The burden of remembering multiple passwords could very likely lead users to keep one "case-sensitive password" and derive variations from it: changing the case of some letters lets a single password be reused in several different forms across different accounts. Hackers could very likely access further accounts by testing the same password against the usernames found on multiple sites. Hackers could likely use methods such as brute-force or dictionary search to decode the passwords of various accounts until the correct one is found.[5] Once hackers have access to an account, insecure networks are very likely to allow them to reach company or individual systems and the data on them. Even if one system detects a password attack, a breach of other systems could very likely occur if the hackers gained access to more networks through the targeted individuals’ connections.

Passwords like “1234567,” “qwerty,” or “password” are the most common passwords users select.[6] These passwords are the easiest to decipher, taking between one and two seconds.[7] Shorter and more common passwords almost certainly increase a hacker's chances of decoding them. Weak passwords and reduced firewall detection measures almost certainly allow initial entry into the network. Users very likely reuse the same password, or variations of it, for their accounts on different social media platforms or websites. Users very likely keep the same password because they cannot remember many or believe they are not at risk. Using similar passwords very likely allows hackers to easily access the user’s other accounts. If a hacker can breach one account and find other sites with the same username, testing the same password first is very likely to work, as roughly 60% of users reuse passwords across multiple sites.[8] More accounts being vulnerable to attack could very likely increase the threat of identity fraud or theft, as more data and sensitive information would be exposed.

A password decoder is a tool that helps password crackers or hackers gain access to resources without needing elevated privileges.[9] Methodologies like brute-force and dictionary search are very likely complementary methods for recovering the password before or after using a decoder. Brute-force methods try all possible letter, number, and symbol combinations to find the desired password.[10] Brute-force methods are likely to be effective, but their speed and success will almost certainly depend on the password’s strength and on whether the account locks after failed login attempts. Dictionary search is a type of brute-force attack in which the hacker attempts to decode the password using a “dictionary list” of common words.[11] Dictionary attacks could very likely be combined with social engineering techniques to gather information about the target. As passwords are almost certainly composed of words or phrases the user can easily remember, social engineering techniques would likely allow the hacker to learn the target’s preferences and use them to decode the password. These techniques could very likely include tools like ad marketing and email links that collect data about the target which could likely form part of the password.

Kaseya, a software company based in the US, reported that 60% of a company’s employees use the same password for both work- and home-related applications.[12] An employee's lack of password security could almost certainly increase the likelihood of data breaches for a company if hackers test the same decoder on personal and company networks. Breaches of a company's network could very likely put clients and the business's data and assets at risk of theft. Depending on the hacker, this could lead to a ransom demand in order to retrieve the contents. Due to data loss, companies will likely need to negotiate ransom deals or use their finances to compensate clients for damages and the loss of sensitive information. The misuse of sensitive information could likely result in financial, reputational, or security damage to an individual, company, or industry. The financial burden almost certainly affects business operations, as the company would likely need to commit resources to mitigating data loss and damages. The value of the company and customer trust would very likely decrease because of the company's perceived lack of security measures.

Password spray campaigns are brute-force attacks that use sets of usernames and passwords to attempt logins, or email scams as part of data breaches, to steal information.[13] A password spray campaign against private and public industries would very likely affect several companies and clients associated with those industries because of their connected operations. A data breach in the healthcare industry would cost around $7.13 million USD.[14] If systems are shut down or hacked by a third party, it could very likely halt medical transactions and treatment scheduling operations. Sensitive information leaked through password attacks almost certainly poses a risk of theft, ransom, or fraud for the company and its clients. A breach in the healthcare industry could very likely escalate to other accounts if hackers can use the stolen data to decode individuals' medical histories and records, which could then be used to gather data elsewhere, including where those individuals work. With the networks of different healthcare companies connected, using one password across accounts very likely makes them vulnerable to attack, as there is more information that can be tested to breach other personal accounts with the same username.
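The password spray described above looks different in authentication logs from the single-account brute force described earlier: a spray produces a few failures against many usernames from one source, while brute force produces many failures against one username. The following is an added detection example (not from the report, nor from OWASP or CTG); it assumes a hypothetical key=value log format and uses a constructed sample log with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the report). The line format
# is hypothetical: timestamp, source address, username, outcome.
SAMPLE_AUTH_LOG = """\
2021-12-06T09:00:01Z src=192.0.2.5 user=alice result=FAIL
2021-12-06T09:00:09Z src=192.0.2.5 user=alice result=OK
2021-12-06T09:10:00Z src=203.0.113.7 user=alice result=FAIL
2021-12-06T09:10:04Z src=203.0.113.7 user=bob result=FAIL
2021-12-06T09:10:08Z src=203.0.113.7 user=carol result=FAIL
2021-12-06T09:10:12Z src=203.0.113.7 user=dave result=FAIL
2021-12-06T09:10:16Z src=203.0.113.7 user=erin result=FAIL
2021-12-06T09:10:20Z src=203.0.113.7 user=frank result=FAIL
2021-12-06T09:10:24Z src=203.0.113.7 user=frank result=OK
2021-12-06T09:30:00Z src=198.51.100.9 user=bob result=FAIL
2021-12-06T09:30:01Z src=198.51.100.9 user=bob result=FAIL
2021-12-06T09:30:02Z src=198.51.100.9 user=bob result=FAIL
2021-12-06T09:30:03Z src=198.51.100.9 user=bob result=FAIL
2021-12-06T09:30:04Z src=198.51.100.9 user=bob result=FAIL
2021-12-06T09:30:05Z src=198.51.100.9 user=bob result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Parse the hypothetical log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def _failures_by_source(events):
    """Group failed logins by source address, sorted by time."""
    by_src = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            by_src[ev["src"]].append(ev)
    for evs in by_src.values():
        evs.sort(key=lambda e: e["ts"])
    return by_src


def find_password_sprays(events, window_seconds=600, min_users=5):
    """Flag sources whose failures hit at least `min_users` distinct usernames inside
    one sliding window. Returns {src: max distinct users seen in a single window}."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, fails in _failures_by_source(events).items():
        start, best = 0, 0
        for end, ev in enumerate(fails):
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in fails[start:end + 1]}))
        if best >= min_users:
            flagged[src] = best
    return flagged


def find_single_user_bruteforce(events, window_seconds=600, min_fails=5):
    """Flag (src, user) pairs with at least `min_fails` failures in one window:
    the guess-one-account pattern, as opposed to a spray."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for src, fails in _failures_by_source(events).items():
        for ev in fails:
            by_pair[(src, ev["user"])].append(ev["ts"])
    flagged = {}
    for pair, times in by_pair.items():
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_fails:
            flagged[pair] = best
    return flagged


def successes_from_sprayers(events, sprays):
    """Successful logins from a flagged spraying source: the accounts to reset first."""
    return sorted({(ev["src"], ev["user"]) for ev in events if ev["ok"] and ev["src"] in sprays})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    sprays = find_password_sprays(evs)
    print("spray sources:", sprays)
    print("single-account brute force:", find_single_user_bruteforce(evs))
    print("successful logins from spraying sources:", successes_from_sprayers(evs, sprays))
```

The thresholds (five distinct users or five failures in ten minutes) are placeholders to tune per environment; the point of `successes_from_sprayers` is that a spray which ends in a successful login is an incident, not just an alert, and that account should be treated as compromised before the rest of the triage.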

Users whose computer systems are connected to public critical infrastructure could very likely put their country at risk of attack if hackers breach their networks, as occurred in the US Colonial Pipeline attack.[15] Hackers attacked US critical infrastructure by accessing a virtual private network (VPN) after breaching the system of an individual who had work connections to the pipeline’s network.[16] VPNs allow remote connection between different systems, whether individual to company or company to company, almost certainly posing a security threat to all parties involved. Depending on the targeted users’ country, hackers can likely exploit trends specific to culture, religion, and gender when attempting to breach passwords.[17] Accounts could very likely be breached because their passwords contain cultural references such as national sports teams, and this could lead to access to critical infrastructure networks if the accounts are linked through VPNs.

Password managers keep a secured list of credentials in an encrypted vault on the device.[18] To deter brute-force attacks, password managers almost certainly allow individuals to create complex and lengthy passwords for multiple accounts, stored with a secure, reputable third party that holds the passwords for all sites. Having a password manager is almost certainly more secure than storing passwords and usernames directly in the web browser. If the computer is hacked, browser-stored accounts are very likely accessible, as the computer would display the saved data on its screen. The password manager’s encryption almost certainly keeps the list of passwords secure, as the hacker would need the decryption key to unlock the data rather than being able to use a decoder with an online tool.

To decrease the number of data breaches, individuals and companies can implement policies that improve password security through training, restricting access privileges, and using single sign-on (SSO) software. Employee training could very likely benefit the company, as it promotes personal safety and protection in company-related work. Training should include understanding password managers, implementing a 30-90 day password change, and using password dictionaries to know which words not to use. These measures would very likely increase accounts’ security as employees apply what they learn. Limiting access privileges and enabling multi-factor authentication on high-privileged and shared accounts would also very likely add a protective barrier around company data and assets. Where one user holds multiple and shared accounts, companies could very likely use SSO with a multi-factor security measure to limit the number of accounts breached.
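The "password dictionaries to know which words not to use" recommendation above, together with the earlier observations that users pick common passwords, company-name variants with numbers or years, and case or digit variations of one memorable core, can be enforced at password-set time. The following screening function is an added example, not code from the report or from NordPass; the denylist entries are a constructed handful of the kind such reports list, and the company name and previous-password checks are this example's own policy choices.

```python
import re

# Constructed denylist: a few entries of the kind a common-password report lists.
# A real deployment would load the full published list instead.
COMMON_PASSWORDS = {
    "123456", "1234567", "12345678", "qwerty", "password",
    "iloveyou", "admin", "welcome", "letmein", "abc123",
}

# Simple leet substitutions an attacker's dictionary rules would also undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def core_form(password):
    """Reduce a password to its memorable core: lowercase, drop a trailing run of
    digits/symbols (years, counters, '!'), then undo leet substitutions.
    'P@ssw0rd2021' -> 'password', 'Acme2021!' -> 'acme'."""
    s = password.lower()
    s = re.sub(r"[\d!@#$%^&*._-]+$", "", s)
    return s.translate(LEET)


def screen_password(password, company_name, previous_password=None, min_length=12):
    """Return a list of violation codes; an empty list means the password passes.

    Codes: too_short, common_password, contains_company_name, previous_variation.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")

    core = core_form(password)
    # Match the denylist both literally and after stripping the usual decorations,
    # since 'Password1!' and 'P@ssw0rd' are the same guess to a dictionary attack.
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common_password")

    # Any word of the company name (3+ letters) inside the core is rejected:
    # the report notes ~20% of corporate passwords are the company name plus digits.
    tokens = [t for t in re.split(r"\W+", company_name.lower()) if len(t) >= 3]
    if any(t in core for t in tokens):
        reasons.append("contains_company_name")

    # A rotation that only changes case, a counter or a year keeps the same core.
    if previous_password is not None and core_form(previous_password) == core:
        reasons.append("previous_variation")
    return reasons


def audit_batch(candidates, company_name):
    """Screen a list of (password, previous_password) pairs; return {password: reasons}."""
    return {pw: screen_password(pw, company_name, prev) for pw, prev in candidates}


if __name__ == "__main__":
    # Constructed candidates for the hypothetical company "Acme Corp".
    sample = [
        ("P@ssw0rd2021", None),
        ("Acme2021!", None),
        ("Summer2021!!", "summer2020!"),
        ("correct horse battery staple", None),
    ]
    for pw, reasons in audit_batch(sample, "Acme Corp").items():
        print(f"{pw!r}: {'OK' if not reasons else ', '.join(reasons)}")
```

Normalising before the lookup is the important design choice: a denylist consulted only on the literal string is defeated by exactly the "one password, several variations" habit the report describes, whereas comparing the stripped core catches the variant and the rotation at the same time.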

The Counterterrorism Group (CTG) and the Counterintelligence and Cyber (CICYBER) Team will continue to monitor and assess NordPass and other organizations’ reports on common passwords, which could provide insight into vulnerabilities leading to potential data breaches for individuals and companies. The CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H.) Officers will remain vigilant to cyber threats related to brute-force password spray campaigns by monitoring global events 24/7 and producing relevant reports. W.A.T.C.H. reports on these attacks will likely increase clients’ awareness of personal digital security.

The Counterterrorism Group (CTG) is a subdivision of the global consulting firm Paladin 7. CTG has a developed business acumen that proactively identifies and counteracts the threat of terrorism through intelligence and investigative products. Business development resources can now be accessed via the Counter Threat Center (CTC), emerging Fall 2021. The CTG produces W.A.T.C.H. resources using daily threat intelligence, also designed to complement CTG specialty reports, which utilize analytical and scenario-based planning. Innovation must accommodate political, financial, and cyber threats to maintain a level of business continuity, regardless of unplanned incidents that may take critical systems offline. To find out more about our products and services visit us at

[1] “Password Strength” by Wikimedia Commons, licensed under Public Domain

[2] Top 200 most common passwords, NordPass, November 2021

[3] Ibid

[4] How weak passwords could put your organization at risk, TechRepublic, March 2021

[5] Top 5 Online Password Decoder Tools, PureVPN

[6] Top 200 most common passwords, NordPass, November 2021

[7] Ibid

[8] 10 Facts About Passwords to See Before You Make Another One, ID Agent, July 2020

[9] Top 5 Online Password Decoder Tools, PureVPN

[10] Here are the most common passwords of 2021, is yours on the list?, The Next Web, November 2021

[11] Brute Force and Dictionary Attacks, Rapid7

[12] 10 Facts About Passwords to See Before You Make Another One, ID Agent, July 2020

[13] Password Spraying Attack, OWASP

[14] How weak passwords could put your organization at risk, TechRepublic, March 2021

[15] Hackers Breached Colonial Pipeline Using Compromised Password, Bloomberg, June 2021

[16] Ibid

[17] Here are the most common passwords of 2021, is yours on the list?, The Next Web, November 2021

[18] Password Manager, Malwarebytes