It's a great time to refresh those stale and potentially leaked passwords you've been hanging on to (and reusing!) for so long. In December 2018 we saw yet another huge data breach, this time at question-and-answer site Quora, with account data for over 100 million users, hashed passwords included, said to have been exposed. If you haven't already followed our advice for beating holiday-season cybercriminals, let us offer you another opportunity to push yourself in the right direction. Thanks to our partner SentinelOne, you can easily spot a weak password by checking it against the seven signs below.
Every year SplashData compiles a list of the worst (i.e., most common) passwords. Here's their top 25 for 2018; make sure yours isn't in it!
1 123456 (Rank unchanged from last year)
2 password (Unchanged)
3 123456789 (Up 3)
4 12345678 (Down 1)
5 12345 (Unchanged)
6 111111 (New)
7 1234567 (Up 1)
8 sunshine (New)
9 qwerty (Down 5)
10 iloveyou (Unchanged)
11 princess (New)
12 admin (Down 1)
13 welcome (Down 1)
14 666666 (New)
15 abc123 (Unchanged)
16 football (Down 7)
17 123123 (Unchanged)
18 monkey (Down 5)
19 654321 (New)
20 !@#$%^&* (New)
21 charlie (New)
22 aa123456 (New)
23 donald (New)
24 password1 (New)
25 qwerty123 (New)
Batman, Spiderman, Supergirl and friends may be cool in some contexts, but not in passwords. Think of every superhero in popular culture, add some iconic movie characters like Neo and Trinity from the Matrix, Mr Spock and Captain Kirk from Star Trek, and you've still only got a couple of thousand words for attackers to add to their wordlists, and a cracker tries every one of them, in every capitalisation, in a fraction of a second.
Ah, of course, but you added a number to it for extra security, right? In an analysis of over 10 million leaked passwords, nearly half a million were found to end with a number between 0 and 99. A decent password cracker can trivially append a number, or several thousand of them, to every word in its dictionary, and the rules or regular expressions that test for this and similar patterns take an attacker seconds to write and seconds to run.
Birthdates are one of the things many naive users will instantly think of when creating a password, as it’s the simplest thing for almost everybody to remember. Unfortunately, it’s also information that is easily discovered by hackers. Many social media sites will require or encourage users to input their birthdate, and who doesn’t like getting lots of birthday cheers on Facebook?
In 2018, “whatever”, “blahblah” and “trustno1” were the 91st, 66th and 79th most popular passwords, respectively. Being original is incredibly hard, and password attackers are ready for society’s disenchanted!
Spelling a word backwards, too, isn't as original as many people naively suppose. Reversing a word doesn't improve the security of a weak password in the slightest: reversing a string is a one-liner in almost every scripting and programming language ever invented, and cracking tools apply it as a standard mangling rule to every word in their dictionary.
What do the following random-looking passwords have in common, aside from being easily crackable?
Well, three things, actually. First, they are all in the top 100 most commonly used passwords for 2018; secondly, they are all based on keyboard patterns; thirdly they are all weak passwords!
What's a good password length that will be both secure and memorable? Anything less than 10 characters is easy to crack. A 6-character password drawn from a 74-character set (upper and lower case letters, numerals and special characters) gives only about 1.6 × 10^11 combinations, which can be exhausted in a mere 0.16 seconds at a trillion guesses per second. That rate assumes a fast, unsalted hash such as MD5 or NTLM on GPU hardware; a deliberately slow hash like bcrypt or Argon2 cuts it by orders of magnitude, but you can't count on every site having chosen one.
And surprisingly, shorter isn't necessarily more memorable. There are ways to remember even the longest passwords. Compare this difficult-to-remember 14-character string:
l7aHPQ9-*=[9)(
with this lengthy passphrase, which contains all the same special characters:
NotInA(1)Month=[31-Days]Of*Sundays*
A passphrase of 35 characters is far less likely to get brute-forced in anyone's lifetime. Its strength comes from the length and the punctuation mixed into it, not from the words alone; a phrase made purely of common dictionary words is exactly what combinator attacks are built for.
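To make the seven signs above concrete, here is a small Python checker. It is an example added for this post, not code from SentinelOne's or Secure Sense's tooling. It flags a password that is in the common list, is a pop-culture name, is a dictionary word with digits appended, is a reversed dictionary word, contains a year or date, walks along a keyboard row, or is shorter than 10 characters, and it reproduces the 0.16-second keyspace figure. The wordlist is a constructed sample built only from the top 25 and the names quoted in this post, the keyboard rows assume a US QWERTY layout, and the guess rate of 10^12 per second is an assumption, not a measurement.

```python
import re
from typing import List

# Constructed sample wordlist: the SplashData 2018 top 25 quoted in this post, the
# "disenchanted" words it mentions, and the pop-culture names it names. A real
# checker loads a full breach-derived list (hundreds of millions of entries).
COMMON = {
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwerty123", "whatever", "blahblah", "trustno1",
}
POP_CULTURE = {"batman", "spiderman", "supergirl", "neo", "trinity", "spock", "kirk"}
DICTIONARY = COMMON | POP_CULTURE

# Assumption: a US QWERTY layout. Any run of MIN_RUN adjacent keys along a row,
# forwards or backwards, counts as a keyboard walk ("qwer", "4321", "!@#$", ...).
KEYBOARD_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_RUN = 4


def has_keyboard_walk(pw: str) -> bool:
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - MIN_RUN + 1):
                if seq[i:i + MIN_RUN] in low:
                    return True
    return False


def looks_like_date(pw: str) -> bool:
    # A plausible birth year anywhere in the string, or a password that is nothing
    # but a 6- or 8-digit number (DDMMYY, DDMMYYYY, YYYYMMDD and friends).
    return bool(re.search(r"(19|20)\d{2}", pw) or re.fullmatch(r"\d{6}|\d{8}", pw))


def weak_password_signs(pw: str) -> List[str]:
    """Return the signs of weakness from this post that apply to pw (empty = none found)."""
    signs = []
    low = pw.lower()
    base = re.sub(r"^\d+|\d+$", "", low)  # the word with leading/trailing digits stripped
    if low in COMMON:
        signs.append("in common-password list")
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", low)  # word + up to 4 appended digits
    if m and m.group(1) in DICTIONARY:
        signs.append("dictionary word + appended number")
    if base in POP_CULTURE:
        signs.append("pop-culture name")
    if low[::-1] in DICTIONARY:  # the one-line reversal every cracker already does
        signs.append("reversed dictionary word")
    if looks_like_date(pw):
        signs.append("contains a date or year")
    if has_keyboard_walk(pw):
        signs.append("keyboard pattern")
    if len(pw) < 10:
        signs.append("shorter than 10 characters")
    return signs


def brute_force_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust every string of `length` symbols drawn from a
    `charset_size`-symbol alphabet at a fixed guess rate. 1e12/s is an assumed figure
    for a fast unsalted hash on a GPU rig; bcrypt or Argon2 run far slower."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    samples = ["password1", "Batman1985", "qwerty123", "drowssap",
               "l7aHPQ9-*=[9)(", "NotInA(1)Month=[31-Days]Of*Sundays*"]
    for pw in samples:
        print(f"{pw!r}: {weak_password_signs(pw) or 'no obvious weakness'}")
    print(f"74^6 keyspace at 1e12 guesses/s: {brute_force_seconds(6, 74, 1e12):.2f} s")
```

Run as a script, the "clever" variants (a name plus a birth year, a reversed word, a keyboard walk with digits tacked on) each light up several signs at once, while both the random 14-character string and the 35-character passphrase come back clean. Passing a checker like this is a floor, not a ceiling: it only catches the patterns it knows about, which is exactly why length and a password manager matter more than cleverness.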
We often choose weak passwords because we can easily remember them and, once set, we tend not to change them because to do so is oh so inconvenient. And to take it a step further, the problematic reality is that we typically will use the same memorable password across multiple accounts or devices.
It’s in your best interest to always choose strong passwords that are long and use a variety of upper and lower-case alpha-numeric and special characters. And we beg you, please use different passwords across accounts and devices.
What a great segue into changing your passwords, at the very least whenever a service you use reports a breach! The easiest way both to generate strong passwords and to store them so you don't have to recall them from memory is to use a password manager. Luckily there are ample resources to help you do so!
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout. If you’re looking to guest blog, please send an email here.
You can also find us on Twitter, Facebook, LinkedIn.