Keyboard Walks as Passwords…Millions of Hacker Gifts!
A keyboard walk is simply typing a set of convenient consecutive keys, like 1qaz. Then adding a second row like 2wsx to get to eight characters, 1qaz2wsx, giving you what you think is a secure password. If you want symbols for more strength, you can just hit uppercase to get !QAZ@WSX. But these walked passwords, like plain text passwords, are incredibly insecure and your accounts will be compromised. Let’s explore their use.
So how many people use keyboard walks?
The short answer, per our PitchFork database of billions of compromised records, is millions of people use them to create tens of millions of passwords. And the big no-no here is they conform to a pattern. So entropy, a lack of a pattern, and a rule of good passwords, goes out the window. Here’s one of the top keyboard walks found in PitchFork. The sheer numbers, almost 400K, makes hackers drool at getting a shot of finding other accounts linked to the usernames with the same keyboard walked passwords.
Why use them?
Because it’s easy to “let your fingers do the walking!” Sorry yellow pages, the Internet has replaced you. Keyboard walks are fast, easy to remember, uses letters, numbers, and or uppercase symbols. They also ace the password grade meter tests with flying colors, usually getting a score of 100%.
So who loves these mental algorithms? Well, besides hackers, who at times have hundreds of online accounts and need a fast way to get in and out, so do security professionals. Hackers are using quick access to multiple accounts to commit cyber crimes. Security pros, on the other hand, tasked with protecting us, are using quick retrieval passwords to manage access to hundreds of servers, devices, and test accounts. Both want their fingers to be able to fly at light speed across a keyboard. No need to waste any time looking up a password. Neither will use little yellow password sticky notes, like the rest of us, because many don’t even use pens anymore. It’s all about efficiently and speed. And of course, being cool!
So who are actually using them?
Hackers, as mentioned above, are for sure. Eugene Bogachev, a famous Russian hacker has used keyboard walks. This “clue” below was of interest to law enforcement because it obviously increases their probability of getting into his other accounts. The password zaqwsx? and its variants are a cyber print that points to Bogachev’s predictability and behavior.
PitchFork can see many security professionals at companies like Microsoft, Oracle, and VMware using the keyboard walk technique. Also seen are high-ranking military officers from all over the world. And since English keyboards are prevalent globally, many foreign government workers also let their fingers do the walking. So “keyboard walks” are an internationally used commodity.
As per his LinkedIn, this Oracle guy below is definitely a high technologist. Not good if he is compromised like the Manidant security guy a few weeks ago.
Our United States military likes to use keyboard walks.
Government’s are also putting their servers at risk.
So how insecure are keyboard walks?
Well, it’s all about the patterns, baby! Even though a keyboard has a finite number of keys, the possible number of total keyboard walks is probably in the zillions. But it’s not hard to manually list out the top 1000 sequential key combinations. But to really drill down on all keyboard walk possibilities, a keyboard generator can be used. These tools are used to brute force or crack accounts. The keyboard lists increase the probability of cracking the accounts. Employing them gives hackers and law enforcement a leg up for taking down their targets.
Password Razzie Awards
Our keyboard razzie award for “effort” goes to this 20 digit monster 1q2w3e4r5t6y7u8i9o0p. On the surface, it’s looks pretty gnarly. Upon a search in PitchFork, we only found a whopping 15,306 results. Really. No, really!
So even with some misplaced effort, some smart users have flunked the security test. But they really do have a cool looking password!
As we’ve seen with the billions of passwords in PitchFork, less than 5% of them have symbols with characters and numbers. That’s a pathetically small percentage and shows how the majority of the Internet still uses lousy plain text passwords. That’s our fault for being lazy and trying to simplify our life. But that’s a gift for adversarial nation states, terrorists, and hostage takers. It would be advisable for all corporate personnel to use a password of at least 8 characters, with no dictionary found words, including symbols, and unique to each and every online account.
Join Us. We are waiting for you!Sign Up Today!
We welcome you to our community where you can gather and share information on debts and issues which may have your life unsettled. Together we thrive!