We’re all still pretty bad at passwords
So, what is your password?
No, don’t answer that. Really, please don’t. Partly because the whole point of a password should be that it’s a secret known only to you, but also because there’s increasing evidence that we’re still not much better at password security than we were last year.
Each year, SplashData (100-worst-passwords-top-50) puts out a report highlighting the worst — which is to say the least secure — passwords uncovered due to data breaches in that calendar year. 2018 has (sadly) been a bumper year for data breaches. That does have a minor upside, because companies are significantly more upfront about when they have some kind of data breach incident, but a much larger downside, because the results of their research are depressingly familiar reading if you’ve followed online security for any time at all.
So what were the top 10 worst passwords?
Well, if you’re using any of the following, stop it, right now:
- 10 – iloveyou
- 9 – qwerty
- 8 – sunshine
- 7 – 1234567
- 6 – 111111
- 5 – 12345
- 4 – 12345678
- 3 – 123456789
- 2 – password
- 1 – 123456
The worst password lists haven’t changed for years, because, ultimately, we all tend to use our computers to make our lives easier, and human beings are pretty hardwired to go for easy approaches. If it was just one hacker living somewhere on the planet manually typing in random passwords, that might work out OK, because the odds of that one dude hitting your account are going to be pretty low in a world of billions of online users.
The problem is that we’re not talking about facing off against one lone human with the same lazy traits as the rest of us. We’re talking about automated systems that approach the problem of cracking a password as simply a mathematical equation.
Easy to remember number sequences that just happen to be on the keyboard in line might seem like an elegant solution to remembering your passwords, but that also means they’re easy for miscreants to guess.
Not that they have to guess any more, because the vast majority of cracking attempts against password systems use automated approaches that can zip through every single dictionary word and keyboard number combination in a frighteningly short period of time.
This is also why using the same password across multiple sites, even if it isn’t “123456” or “password” is such a bad idea. Again, systems doing this kind of cracking will apply that password and email combination to as many services as it can hit in a few seconds, just to see what will work. All too often, it does, and suddenly you’re locked out of your email, buying sports cars in far eastern Russian bloc nations or finding your bank balance completely drained. Sometimes, while you sleep.
There’s a balance here, because nobody’s going to remember a 256 character password containing at least 50 different punctuation marks and at least one Japanese Hiragana character, but then, you really don’t have to. While it can seem as though the modern world is too complex with too many passwords to remember, you can use the approach of the crackers to help you. Which is not to say that you should counter-crack, but instead that you can use machine smarts, by way of a good password management application such as 1Password, Keepass or Dashlane to remember your passwords for you. They can generate complex passwords that you can often either paste or even auto-fill into services, and all you have to do is come up with a single, very strong password to keep those apps secure.
Yes, it’s a little bit of work to set up in the first place. But it’s a lot less work than recovering your finances, email, online social media accounts and everything else that could go wrong if you rely on a weak and common password like 123456.