- (Image: Geri Lavrov/Getty)
- 98472711-thumb-600x460-173833[1].jpg (68.89 KiB) Viewed 2246 times
David Aspinall of the University of Edinburgh and Mike Just of Glasgow Caledonian University, UK used real-world passwords from a leak in 2009 to see just how easy it is to guess a partial password. Crucially, some passwords are more common than others, and some letters crop up in certain positions more regularly than the rest.
For example, "a" was the second character in the leaked database's eight-letter passwords nearly 20 per cent of the time, while "password" was the most-used password. Putting these together, if I see you enter "s", "w" and "r" for the fourth, fifth and seventh letters of your password, I can take a pretty good guess at what the rest are.
Overall the pair found they could have guessed a 10-character password over 80 per cent of the time after watching just four partial password attempts. An attacker could easily gain this information by installing a keylogger on your computer or even just watching over your shoulder.
Aspinall and Just surveyed the major British banks, as well as banks in other countries that use partial passwords, and found that some were too reliant on the technique, using it in combination with other easy-to-spoof details like credit cards, birthdates and short PINs, or even with nothing else at all.
"Our guess is that a bank using something like a short PIN as the first level of authentication is hoping for some additional level of security from the partial passwords," says Just, who will present the research at the Financial Cryptography and Data Security conference in Okinawa, Japan, in April. "In these cases, I'd have a little concern."