How To Create Strong And Usable Passwords
Passwords are the keys to your kingdom: your bank accounts, social sites, personal storage and medical records. Those strings of characters are far more important and critical than most people realize. Hackers and cybercriminals hunt, hack and buy databases of stored passwords to take over your digital life for their gain. Yet the general population, through the countless publicized hacks, still has not figured out that their passwords need to be stronger.
Internet webpages and services have to deal with a balance of usability and security. If their services are too hard or confusing to use, people don't use them. If they are too loose on security, the service and its users become a target. Unfortunately the security of each account is left to the account owner, and most do not have the experience or knowledge of how important password creation is.
Here is a list that Splash Data compiles from the millions of passwords leaked through public hacks. This 2015 list shows the top 20 most popular passwords from the 2 million sorted. People are stupid.
I went ahead and used a website, How Secure Is My Password, that checks a password and calculates how long it would take to crack.
1. 123456 – Instantly
2. password – Instantly
3. 12345678 – Instantly
4. qwerty – Instantly
5. 12345 – Instantly
6. 123456789 – Instantly
7. football – Instantly
8. 1234 – Instantly
9. 1234567 – Instantly
10. baseball – Instantly
11. welcome – Instantly
12. 1234567890 – Instantly
13. abc123 – Instantly
14. 111111 – Instantly
15. 1qaz2wsx – Instantly
16. dragon – Instantly
17. master – Instantly
18. monkey – Instantly
19. letmein – Instantly
20. login – three-hundred microseconds
Just adding a few characters adds complexity to a password. For example password12345! jumps to 638,000 YEARS to crack. This does not mean password12345! is a smart choice for a password; only the mathematical challenge of brute-forcing it changes. It's still easy to guess and probably resides in most password brute force dictionary files.
How do you create a better, stronger password?
- Length. The longer the better. Start using passphrases over single word strings.
- Do not use common phrases.
- Password hacks are not done by a person typing in and trying over and over. They run the hashed/encrypted passwords through huge dictionary files of common words, password combinations, phrases and quotes.
- May The Force Be With You – might be a good password for strength, but it’s as common as a blue sky and would be broken in seconds.
- My dog Sam likes to take walks in the park and swim – No one is going to guess that.
- Make sure you can remember it but not through simplicity.
- P@s$w0r82#$1L0g1N – Great password, hard to remember.
- My fingers are the road to my computer – Great password, easy to remember even though it's longer.
- Studies show it's easier to remember a phrase than a complex word because your brain stores the phrase as one item, but the complex password will be broken up into individual characters and be harder to remember accurately.
Avoiding weak passwords and bad password management
A weak password has a few characteristics. One is that it's easy to guess: common words and phrases. Another is that it's not complex enough; password12345! may be mathematically more complex, but it's at the top of every dictionary list. Lastly, it's easy to figure out through social engineering.
Don’t use your name, kid’s names, street address, phone number, dates, etc…
Don’t use the same password on multiple sites
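The two points above (keyspace is not the same as strength, and a password that sits in a cracking dictionary is weak no matter how many characters it has) can be shown in a few lines. The following is an added example, not code from the original post or from the How Secure Is My Password site. It combines a brute-force time estimate with a dictionary check that undoes the mangling rules crackers apply (lower-casing, leet substitutions, trailing digits and punctuation). The dictionary is a constructed stand-in built from the top-20 list above, and the guess rate of 10 billion per second is an assumption, not a figure from the page.

```python
import math
import re
import string

# Constructed stand-in for a breach-derived cracking dictionary (the page's
# top-20 list plus one phrase discussed in the text); real lists hold
# millions of words, phrases and quotes.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "may the force be with you",
}

# Assumed offline guessing rate (guesses per second) against a fast,
# unsalted hash; a real estimate depends on the hash and the hardware.
GUESSES_PER_SECOND = 1e10

# Substitutions that cracking rule-sets undo before a dictionary lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the union of the standard character classes the password uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def brute_force_years(pw: str) -> float:
    """Worst-case years to exhaust the keyspace at GUESSES_PER_SECOND."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / GUESSES_PER_SECOND / (365 * 24 * 3600)


def dictionary_candidates(pw: str) -> set:
    """Forms a cracker would try: lower-cased, de-leeted, and with trailing
    digit/punctuation padding stripped ('password12345!' -> 'password')."""
    base = pw.lower()
    forms = {base, base.translate(LEET)}
    for form in list(forms):
        forms.add(re.sub(r"[\d\W_]+$", "", form))
    return forms


def evaluate(pw: str) -> dict:
    """Keyspace estimate plus dictionary check. A dictionary hit overrides
    any keyspace figure, which is the point about 'password12345!'."""
    hits = dictionary_candidates(pw) & COMMON_PASSWORDS
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0
    return {
        "password": pw,
        "bits": round(bits, 1),
        "brute_force_years": brute_force_years(pw),
        "dictionary_hit": next(iter(hits), None),
        # Passphrase-length, not in the dictionary: the post's advice in one test.
        "acceptable": not hits and len(pw) >= 12,
    }


if __name__ == "__main__":
    for pw in ["password", "password12345!", "May The Force Be With You",
               "My dog Sam likes to take walks in the park and swim",
               "P@s$w0r82#$1L0g1N"]:
        r = evaluate(pw)
        print(f"{pw!r}: {r['bits']} bits, {r['brute_force_years']:.3g} years, "
              f"dictionary hit={r['dictionary_hit']}, acceptable={r['acceptable']}")
```

Run it and the keyspace column grows sharply from `password` to `password12345!`, yet both are rejected because stripping the suffix lands on a dictionary word. The Star Wars phrase is rejected on the exact-match path, while the dog-walking passphrase passes both checks.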
It’s OK to have hundreds of passwords, one for each site and application you use. That is as long as you have the right tools to help you manage it… that are not written down on Post-It Notes.
Services like 1Password and LastPass can be used to store and manage all your passwords. Those services will also analyze your existing passwords for strength checks, duplicate use and with some sites go and reset them for you automatically.
Enhance your authentication
Passwords are one part of the login process. Your username is generally the other part. As more breaches happen, sites and services are offering extended authentication options to strengthen your account and data.
Two-Factor Authentication should be turned on wherever you can. This will enhance your account by extending the login process to require a second factor in addition to your password. If your password is compromised or lost, in theory, the hacker cannot access your account because they will need the second factor that you have. In most cases it's a text message sent to your phone each time you log in.
However, two-factor authentication does not replace good password management as described above; enabling it on top of that will greatly improve your security.
Don’t wait
Start doing these now. Don’t wait until the next service gets hacked.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.