You’re Not Clever: Password Patterns Exposed

Maybe you were reluctant to get on the password manager bandwagon. Passwords are inherently dangerous. Storing them in the cloud, you worry about breaches, you worry about losing access, etc. So you devised a clever pattern you thought would help you weather the storm until we finally get rid of passwords forever.

Maybe your password is a common word, then the first few letters of the site name. Long enough to avoid being guessed via brute force, and complex enough as well.

And that’s worked well for you for the past few years. You’re sitting pretty and haven’t been breached in a widespread attack.

YET.

Here’s the thing — when you use a pattern approach, every breach puts you more at risk, exposing your pattern. So far the bad actors have only been brute forcing using the breach lists (that we know of). It’s only a matter of time, if they haven’t started already, that they start cross referencing your user accounts from the various breach lists to get a per-user password list. Once that happens, inspecting those subsets for patterns will be trivial, and they will own ALL of your accounts.

Get out now, while you can. MFA where possible, long phrases if MFA is not available, 16-character complexity when long phrases don’t work.

If you don’t trust cloud password managers, use something like Keepass, but keep multiple backups in a safe place in case of corruption.