
The rotten fruit in the company

Study “Under the Hoodie” by Rapid7 shows the problems with passwords 


by Sascha Salzner, Marketing Manager, APIIDA AG

The summer has gone and we have arrived in autumn 2019! Like every year, autumn is dedicated to the harvest. Apples, pears, plums, elderberries, cranberries and blackberries: everything is picked now. One of the top rules of harvesting: rotten fruit must not end up in the basket, because processing or eating it can cause disease. You will certainly take care not to eat anything that is spoiled. The same advice would serve well in other areas, for example when logging into company systems with passwords.


Study “Under the Hoodie” – The rotten fruit “Password”

Rapid7's new paper “Under the Hoodie” suggests that in your business you are probably not nearly so cautious. The study collected data from 180 penetration testing engagements over a nine-month period, from mid-September 2018 to the end of May 2019. Particularly worrying is the result on passwords: password management plays a central role in how engagements succeed, and it continues to challenge even the most sophisticated IT security organizations, despite years of security awareness training. Even today, the harvested fruit is often of poor quality or completely rotten. Rapid7 reports on the most effective methods attackers use to guess or crack passwords.

The study shows that nearly three-quarters (73%) of engagements resulted in at least one compromised password. Of those, 60% were easily guessed passwords, where the pen tester used generic password spraying (trying one or two common passwords against many accounts, which stays below lockout thresholds), known default credentials, or easily guessed organization-specific passwords. Password cracking, i.e. taking a list of password hashes and working out which passwords produce those hashes, also made a surprisingly strong showing in this year's report. The testers also note that many of the cracked passwords could have been guessed with a little time anyway.

One reason for this is that password policies look alike in many companies: passwords must contain an uppercase letter, a lowercase letter, a number and a special character, and must be changed every 90 days. Such rules tend to reduce rather than increase real password strength, because people “game” the system and independently arrive at the same schemes, such as “Summer2019!” followed by “Autumn2019!” at the next rotation. These passwords satisfy every composition rule, yet the pattern is so predictable that it is among the first things a tester sprays. Perhaps you recognise this game yourself? Do you use one of these passwords?
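As an added example (not code from the Rapid7 report or from APIIDA), the following Python script shows both sides of this pattern: the usual composition rule is satisfied by “Summer2019!”, a short blocklist rule catches it, and an attacker's spray and crack list is generated from the very same scheme. The season and month lists, the suffixes, the company word “Apiida”, and the use of SHA-256 over the bare password as a stand-in for whatever hash format a tester actually captures are all assumptions of this example.

```python
# Added example, not from the Rapid7 report or APIIDA. Shows why a composition
# rule (upper, lower, digit, special) is satisfied by guessable passwords, how a
# tester builds a spray/crack list from that pattern, and a blocklist check that
# catches it. Hashes are SHA-256 of the bare password, a stand-in for whatever
# hash format is actually captured (assumption of this example).
import hashlib
import itertools
import re
import string

SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
# Typical tails people append to satisfy the "special character" rule (assumed).
SUFFIXES = ["", "!", "1", "!1", "#", "$", "."]


def meets_policy(pw: str) -> bool:
    """A common corporate rule: 8+ chars with upper, lower, digit and special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_predictable(pw: str, org_words=()) -> bool:
    """Blocklist check: <season|month|org word> + 2- or 4-digit year + short tail.
    This is what a policy needs in addition to composition rules."""
    bases = "|".join(re.escape(w) for w in SEASONS + MONTHS + list(org_words))
    pattern = re.compile(rf"^(?:{bases})(?:\d{{4}}|\d{{2}})[\W_\d]{{0,3}}$",
                         re.IGNORECASE)
    return pattern.match(pw) is not None


def candidate_passwords(years, org_words=()):
    """Attacker's view: the spray/crack list derived from the same scheme."""
    bases = SEASONS + MONTHS + list(org_words)
    for base, year, suffix in itertools.product(bases, years, SUFFIXES):
        yield f"{base}{year}{suffix}"            # e.g. Summer2019!
        yield f"{base}{str(year)[-2:]}{suffix}"  # e.g. Summer19!


def sha256_hex(pw: str) -> str:
    """Stand-in hash; real dumps would be NTLM, bcrypt, etc."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def crack(hashes, years, org_words=()):
    """Offline cracking: hash every candidate and look it up in the captured set.
    Returns {hash: plaintext} for every hash recovered."""
    targets = set(hashes)
    found = {}
    for cand in candidate_passwords(years, org_words):
        h = sha256_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    # Constructed sample of what a tester might dump: three scheme passwords
    # and one genuinely random one. "Apiida" stands in for the company name.
    dumped = ["Summer2019!", "Autumn2019!", "Apiida19!", "kY7#v9Qz!pL2mWx"]
    for pw in dumped:
        print(f"{pw:18} policy_ok={meets_policy(pw)!s:5} "
              f"predictable={is_predictable(pw, ('Apiida',))}")
    recovered = crack([sha256_hex(p) for p in dumped], [2018, 2019],
                      org_words=("Apiida",))
    print(f"recovered {len(recovered)} of {len(dumped)} hashes:",
          sorted(recovered.values()))
```

All three scheme passwords pass the composition rule and are recovered from a candidate list of a few hundred entries; only the random one survives. The same list, tried one entry at a time against every account, is a password spray. The practical lesson is that a blocklist of season, month and company-name patterns (and a check against known-breached passwords) does more than another mandatory special character.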

New roads with new solutions

We at APIIDA think that companies should take the path to a passwordless policy. If nobody uses passwords, the risk of attacks via guessed or cracked passwords is considerably reduced and the rotten fruit is sorted out automatically. We have a suitable vehicle for this path: our authentication solution APIIDA Mobile Authentication. It uses a smartphone app that establishes a direct, encrypted connection to the computer. The certificate-based authentication requires no internet connection. The identity is stored locally on the smartphone, encrypted. You no longer need a password: Face ID or Touch ID is sufficient to log in securely to your computer anytime and anywhere. In other words, APIIDA Mobile Authentication is the ripe, good and edible fruit for your company.


For more information on the study, please visit