In this VMblog Q&A with Darren Siegel, Specops cybersecurity expert, we go over keyboard walk patterns and why they matter. Learn what they are, which ones are found most in compromised passwords, how they can be putting your organization at risk and what you can do about it.
VMblog: What are keyboard walk patterns?
Darren Siegel: Keyboard walk patterns are simply a series of keys that are located next to each other on the user's keyboard. Basically, your fingers create a walking pattern to create the password, or at least the base of the password, and then tack on numbers and symbols.
While the passwords may appear to be strong since they're random letters and often meet password complexity requirements, it's an overused tactic you want end-users to avoid. When users "password walk," they still create well-known and easy-to-guess passwords that are easy for hackers and software to exploit.
VMblog: So, what are the common walk patterns found in breached passwords?
Siegel: The Specops research team wanted to test the theory that these keyboard walks are prevalent in known breached passwords, so we used a common keyboard walk generator to generate keyboard walk patterns, which found that the top walk patterns found in compromised passwords were:
1. qwerty (found over 1 million times)
2. qwert
3. werty
4. asdfg
5. tress
6. zxcvbnm
7. drews
8. qwertyuiop
9. asdfgh
10. vbnhb
Patterns for each of these layouts were then checked for occurrences within the 800 million compromised password dataset, where the team only looked for patterns that included 5 characters or more.
Here's the article with our keyboard walk pattern research and analysis, which includes the walk patterns for German and French keyboard layouts as well.
VMblog: What are the risks of end users having these walk patterns in their password?
Siegel: Keyboard walk patterns are another predictable password end-user behavior. Users like to choose passwords that are easy to remember, and simple keyboard walk patterns are not only easy to remember but also easy for the fingers to hit the keys for a fast logon. Users then take these easy-to-remember patterns and simply tack on a string of numbers and symbols to fit the basic password requirements.
This behavior is the first risk. Each time there is a password breach, it gives attackers access to more password compositions and patterns, which they will add to their extensive list of high-probability passwords. In brute force attacks, specifically dictionary attacks, attackers use this database of predictable passwords against various logins.
Another risk comes with password reuse, and not necessarily just across your organization's network. End users create these passwords with common patterns so they can easily remember them, and in turn there's a high probability they are using those same passwords for personal accounts. Now if any of those systems are breached, the user's password is breached across all of those systems.
VMblog: Can you tell if end users are using these common patterns in their passwords?
Siegel: A lot of the keyboard walk patterns found are in known compromised passwords, as the data above mentions, so ideally you'd be blocking these passwords from being used at all. The only way to check if they're currently in use is to audit your Active Directory.
With Specops Password Auditor you can do a read-only scan of your AD for over 950 million unique compromised passwords, including walk patterns, plus 10+ other password vulnerabilities. It's a great way to see where your organization lands on password hygiene.
VMblog: How can organizations stop users from using keyboard walk patterns and other common patterns in their passwords?
Siegel: Besides end-user education, it all boils down to what is allowed in your password policy settings. You can make manual adjustments to your policy, or you can deploy a tool like Specops Password Policy that enforces a stronger password policy with features like our custom dictionary, which allows you to block the use of common keyboard combinations and sequences that make passwords easy for hackers to guess.
Future passwords will be checked against the dictionary lists, preventing users from selecting pattern-based passwords that are susceptible to dictionary attacks. The tool can also be used to block over 3 billion unique compromised passwords as well as other predictable patterns such as character substitutions, also known as leetspeak.
Specops Password Policy helps users create stronger passwords in Active Directory with dynamic, informative feedback at password change. This feedback is particularly useful in cutting back on helpdesk support for password change, as well as teaching sustainable password hygiene so end-users avoid common mistakes, like keyboard walk patterns, everywhere.
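The two ideas above, generating walks from the physical key layout and rejecting passwords that contain a run of 5 or more adjacent keys, can be combined into a single policy check. The code below is an added example and is not Specops code; it assumes a simplified US QWERTY layout (four rows, staggered so each key sits above the two keys at the same and previous index in the row below) and treats a repeated key as staying in place, which is enough to flag every pattern in the list above, including "tress" and "vbnhb".

```python
"""Keyboard-walk check for a password policy (added example, not Specops code)."""
from typing import Dict, Set, Tuple

# Simplified US QWERTY layout (assumption): row r+1 key i sits beneath row r
# keys i and i+1, which is how "drews" and "vbnhb" come out as walks.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_WALK = 5  # the research above only counted walks of 5+ keys


def build_adjacency(rows=QWERTY_ROWS) -> Dict[str, Set[str]]:
    """Map every key to the set of keys physically next to it."""
    adj: Dict[str, Set[str]] = {c: set() for row in rows for c in row}
    for r, row in enumerate(rows):
        for i, key in enumerate(row):
            for j in (i - 1, i + 1):            # left / right neighbours
                if 0 <= j < len(row):
                    adj[key].add(row[j])
            if r + 1 < len(rows):                # the two keys below
                below = rows[r + 1]
                for j in (i - 1, i):
                    if 0 <= j < len(below):
                        adj[key].add(below[j])
                        adj[below[j]].add(key)
    return adj


ADJ = build_adjacency()


def longest_walk(password: str) -> Tuple[int, str]:
    """Return (length, substring) of the longest run of adjacent keys, case-insensitive."""
    pw = password.lower()
    best, start = "", 0
    for i in range(1, len(pw) + 1):
        prev = pw[i - 1]
        continues = (i < len(pw) and prev in ADJ and pw[i] in ADJ
                     and (pw[i] == prev or pw[i] in ADJ[prev]))
        if continues:
            continue
        run = pw[start:i]                        # run ended at position i
        if run[0] in ADJ and len(run) > len(best):
            best = run
        start = i
    return len(best), best


def check_policy(password: str, min_walk: int = MIN_WALK) -> Tuple[bool, str]:
    """Accept the password unless it contains a walk of min_walk or more keys."""
    n, walk = longest_walk(password)
    if n >= min_walk:
        return False, f"contains keyboard walk '{walk}' ({n} adjacent keys)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Qwerty123!", "tress2024", "Tr0ub4dor&3"):   # constructed samples
        print(candidate, check_policy(candidate))
```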