It is important to get into the habit of using unpredictable passwords.
On April 26th we saw numerous articles posted about a mega leak called COMB21 that is a compilation of password leaks published online for free in early 2021. This leak contained over 3.28 billion passwords with 2.18 billion email addresses meaning that this data contains at least one password history for many users. Researchers have also built a tool called PassGAN that analyzes this data and will learn password structure and changing habits of users and then guess the next passwords they will use.
This should serve as a reminder that you should not simply change a character or two when changing your password. For example having a number in your password that you increment or decrement with each password change is easily recognized by tools like these.
Examples include things like MyP@ssword1 changing to MyP@ssword2
I recommend using a short phrase for your unpredictable password, and use punctuation such as ‘I like Rubix’s cube 3-D’ which helps make it easier to remember.
And of course, never use the same password at more than one site or application and turn on Multifactor authentication everywhere it is available.
Some information on PassGAN: A deep learning approach for password Guessing
If you would like to read the research paper on the benefits of unpredictable passwords, let me know.
“Instead of relying on manual password analysis, PassGAN uses a Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses. Our experiments show that this approach is very promising. When we evaluated PassGAN on two large password datasets, we were able to surpass rule-based and state-of-the-art machine learning password guessing tools. However, in contrast with the other tools, PassGAN achieved this result without any a-priori knowledge on passwords or common password structures. Additionally, when we combined the output of PassGAN with the output of HashCat, we were able to match 51%-73% more passwords than with HashCat alone. “
Director of Security Services
Mainstream Technologies Inc.