A new study has revealed that despite numerous online breaches, users are still using weak passwords. The study has shown that the situation isn’t getting better and users aren’t changing their habits online. Passwords are the cornerstone of online security and if your passwords aren’t strong, then you are building a house on sand.
A new study by the UK’s National Cyber Security Centre (NCSC) found that users are still having a problem with weak passwords. They found that the most widely used password by users for breached accounts was 123456.
Unfortunately, this isn’t new. Multiple studies have found this to be true.
These studies are possible because so many breached password databases are leaked online. Hackers use these databases to build custom dictionaries that make their password cracking easier.
A good site to see this is Have I Been Pwned. This site keeps a database of all of the publicly available password database breaches. You can search your email address to see if any of your accounts have been breached. If you are using weak passwords on those accounts, then there is a good chance you have been breached. Security researchers use these breaches to gauge how well users are doing with their passwords.
The data isn’t promising.
What are weak passwords?
A password is your single best defense online against attackers. Human nature being what it is, people use passwords that are easy for them to remember. Weak passwords are those that follow what everyone else does. Examples are:
In addition, a weak password is any password that is commonly found in a language dictionary. Any word, no matter how uncommon you think it is, can be cracked very quickly. Even adding numbers to it or changing letters like S to $ won’t help. These are still considered to be weak passwords.
How can you create strong passwords?
A secure password is one that is resistant to cracking by attackers. To have a secure password, we need to understand what makes a strong password. There are three elements that impact how strong a password is.
- Password length
- Password complexity
- Password randomness
Password length is the number of characters the password contains. You can see this when sites require passwords to be a certain length, usually 8 characters or longer.
Password complexity is the type of characters used in the password: letters, both lowercase and uppercase, numbers, and punctuation like !@#$%^&*(). There are 26 uppercase letters, 26 lowercase letters, 10 digits, and around 30 usable keyboard punctuation characters. This gives us 92 possible characters to use in our passwords.
Password randomness is how unpredictable your password is. Is your password on the list of most common passwords? Can it be found in a language dictionary? Using a word from a language other than English isn’t going to protect you. Hackers have already incorporated foreign languages into their cracking dictionaries. Is your password based on a word? Did you just change some letters to numbers? This also isn’t secure, because password cracking software takes that into account. It can try every E as a 3, every L as a 1, and so on.
Here is the math behind a secure password.
There are 92 possible characters. For each character we add, the number of possible passwords grows exponentially:
- 2-character password = 92 x 92 (92^2) = 8,464
- 3-character password = 92 x 92 x 92 (92^3) = 778,688
- 5-character password = 92 x 92 x 92 x 92 x 92 (92^5) = 6,590,815,232
- 7-character password = 92 x 92 x 92 x 92 x 92 x 92 x 92 (92^7) = 55,784,660,123,648
Adding just a single character multiplies the number of possible passwords by 92. That multiplier is only this large because we are using all available letters, numbers, and punctuation characters.
A truly secure password would be completely random and at least 12 characters in length. Something like this – $8f9Fus8@ca
This password would be immune to cracking for the foreseeable future. But please, don’t use that one; it is just an example password.
Use both uppercase and lowercase letters, numbers, and punctuation, and make the password 12 or more characters long. Don’t use words or derivatives of words.
Another technique is to use 4 or more random words together. For example:
horse carrot thermometer pipe
That password is 26 characters long. If you added a number, capitalized one of the letters, and added a special character, you would have a very strong password. It’s also a lot easier to remember.
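The three factors above (length, the character classes actually used, and randomness) and the 92^n arithmetic can be turned into a small strength check. This is an added example written for this article, not code from the study or from any password manager; the word list is a constructed six-entry stand-in for a real breached-password dictionary, and the 7776-word list size used for the passphrase calculation is the size of the well-known Diceware list.

```python
import math
import string

# The article's classes: 26 + 26 + 10 + "around 30" punctuation = 92 symbols.
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 30),  # counted as 30 to match the article's total
)
ALPHABET_SIZE = sum(size for _, size in CLASS_SIZES)  # 92

# Constructed, deliberately tiny stand-in for a breached-password dictionary.
COMMON_WORDS = {"123456", "password", "qwerty", "letmein", "horse", "dragon"}
# Undo the letter-for-symbol swaps the article says cracking tools already try.
UNLEET = str.maketrans({"3": "e", "1": "l", "$": "s", "5": "s", "0": "o", "@": "a", "4": "a", "7": "t"})

def keyspace(length, alphabet=ALPHABET_SIZE):
    """Distinct passwords of exactly `length` characters: the article's 92^n."""
    return alphabet ** length

def entropy_bits(count):
    """Bits of work to search a space of `count` equally likely passwords."""
    return math.log2(count)

def alphabet_used(password):
    """Size of the smallest union of classes that covers every character."""
    return sum(size for chars, size in CLASS_SIZES if any(c in chars for c in password))

def normalize(password):
    """Drop trailing digits/punctuation, lower-case, reverse leet substitutions."""
    core = password.rstrip(string.digits + string.punctuation) or password
    return core.lower().translate(UNLEET)

def is_dictionary_based(password, words=COMMON_WORDS):
    """True for a listed word, with or without the usual cosmetic changes."""
    return password.lower() in words or normalize(password) in words

def passphrase_keyspace(word_count, list_size):
    """Keyspace of a random passphrase when the attacker knows the word list."""
    return list_size ** word_count

def assess(password, words=COMMON_WORDS, min_length=12):
    """Verdict and keyspace bits; the bits assume the characters were chosen randomly."""
    if is_dictionary_based(password, words):
        return "weak", 0.0
    bits = round(entropy_bits(keyspace(len(password), alphabet_used(password))), 1)
    return ("strong" if len(password) >= min_length else "weak"), bits
```

Note that a four-word passphrase is scored by `passphrase_keyspace` from the number of words and the size of the word list, not from its character count, which is the estimate an attacker who knows the list would face.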
What about a password manager?
The best option is to use a password manager like LastPass. LastPass will generate completely random passwords for you for each site you visit. This is also an important part of password security – using a unique password for every site.
An attacker probably doesn’t want your fantasy football league password, but if you reuse passwords, then the attacker has a good chance of breaking into your other accounts.
We have a complete guide on how to use LastPass that you can read here.
Have a look at our cartoon for a humorous take on this very serious issue.