In a world where digital literacy is accelerating fast, why do so many of us still use the simplest of passwords?
Security consultant Mark Burnett, through his site xato.net collated 10 million publicly dumped, leaked and published passwords over several years. The results show that the most common password is “12345678” followed the classic “password”.
“123456” and “qwerty” come in positions 3 and 4, with extremely un-random strings of numbers filling positions 5 to 9. The 10th most common password is somewhat surprisingly, “dragon”. Further down the list, “1qaz2wsx” might seem random, but it’s a common keyboard pattern that happens to be the 30th most common password. Take a look on your keyboard...
"Using the top 10 passwords, a hacker could, on average, guess 16 out of 1,000 passwords" - WP Engine
Typical security advice is to never use the same password more than once and change them regularly, at least every three months. That’s easier said than done.
Facebook, email, Twitter, Evernote, Spotify, Apple, countless membership sites, apps. I have absolutely no idea how many passwords I need to remember on a daily basis, so of course I use the same one repeatedly. I do have more than one, but as time goes on some websites and apps require you to change your password and others don’t. Some only allow alphanumeric characters while others insist on including a symbol such as % or #.
If you’re anything like me, you now have a list of passwords as long as your arm, all differing slightly from one another. For instance, an email password may be opt65eod661. After a month, I’m prompted to change it, so it becomes opt65eod662, but the password for my social networks remains opt65eod661. I then sign-up to beta test a new web service which requires at least one capital letter and at least one symbol in passwords, so I use oPt65e@d661. All of a sudden, I’ve got to keep track of three different passwords. As time goes on the problem gets worse and worse.
Many apps exist for tracking passwords. Alternatively you could use a “password vault” with one master password unlocking access to all your individual randomised passwords. Of course, your password for that vault had better be super secure. One option is Sticky Password Premium. Install it on all of your Windows, Android, and iOS devices, and it syncs data between all your devices automatically. If you can make do without cross-device syncing, you can use it for free.
As far as I’m concerned this is a problem that hasn’t yet been solved. I’m certainly impressed with Apple’s implementation of fingerprint security in the home button on recent iPhones, so perhaps fingerprint and/or eye sensors are the way forward. Perhaps we can look forward to a future of fingerprint access to a password vault?
While complexity and randomisation are important aspects to a secure password, the most important factor is length. Short passwords are much more likely to be words or patterns and easier for a computer to “guess” due to less combinations of possible passwords. A password of at least 10 characters is much harder for a computer to guess, assuming randomisation of course.
One method that while not totally random, can help to generate a more secure password is using acronyms. Using the first letter of each word in a memorable phrase or motto, interspersed with numbers and symbols. For example, “Det finnes ikke dårlig vær, bare d@rlig klær” easily becomes "dfidvbdk", and adding a number, a symbol and two capital letters into the mix, gives you the 9 character password “df1dV@bdK” with an easy way of remembering it.
Certainly not foolproof, but a lot more secure than "password". And before you ask, none of these examples are my own passwords!
When was the last time you changed your passwords?
Photo credit: Henning Mühlinghaus