You’ve heard it all before and you’re probably sick of it. Password safety is an oft-drilled topic that easily enters one ear and oozes out the other, but we can’t emphasize this enough: settling for a weak password is like leaving all of your doors unlocked.
Just because you’ve never been robbed before doesn’t mean it’s safe to leave your doors unlocked, does it? It only takes one unforeseen incident to lose everything — and the same holds true for your email accounts, bank accounts, and whatever other accounts you hold dear.
Maybe one day we’ll move beyond usernames and passwords, but for now, it’s absolutely critical to strengthen your weak passwords. It takes very little effort, and trust me, you don’t want to be the one who loses everything but could’ve prevented it with a few simple tweaks.
The Worst Passwords of Last Year
It isn’t easy to determine the “worst passwords” being used because passwords are (hopefully) kept secret and hidden. However, a company called SplashData tallied up over 2 million leaked passwords, evaluated them, and compiled them into a ranking. Here’s what they found:
As you can see, these really are the worst of the worst. Anyone who’s using one of the above (or anything close to it) might as well not have a password at all: cracking tools try exactly these strings in their first few guesses, so an account protected by one falls in a fraction of a second.
Also, let’s be abundantly clear: if you think you’re safe because your password isn’t on that list, you’re absolutely WRONG. These passwords are bad because they all share characteristics of easily guessed passwords, and it’s quite possible that your own password shares them too.
So let’s take a look at why these are so terrible and what you can do to make sure your accounts are truly safe and sound.
1. The Obvious Password
Seven of the worst offenders in that list are all variations on the same basic password: consecutive numbers. We see 1234, 12345, 123456, 1234567, 12345678, 123456789, and 1234567890. I’m positive we also would’ve seen 1, 12, and 123 in the list if most websites didn’t enforce a four-character minimum.
It’s clear that people are using this password (and its variations) because it’s super easy to type. Just run your fingers from left to right across the numbers! That’s why qwerty and qwertyuiop are on the list as well.
But passwords aren’t meant to be easy! A lot of people forget this for some reason. Using an obvious password — one that took you no time to devise — is just asking for someone to guess it. You might as well be using a lock that can be opened by any key.
2. The Default Password
It’s astounding that password is as widely used as it is. To be fair, a lot of devices come with that as the default password, but they also come with the expectation that the end user will at some point change it to something more secure.
Unsurprisingly, a lot of folks either refuse or forget to make that change. So, for example, even if your wireless network is otherwise set up properly, breaking into the router takes zero effort if its admin login is still the factory default: default credentials are printed in the manual and collected in public lists, so an attacker doesn’t even have to guess.
Here’s the takeaway: whenever you get a new device or account and you’re given a default username and password — such as admin/admin or admin/password — do yourself a favor and change it immediately. Don’t delay.
3. The Short Password
One of the most important aspects of an unbreakable password is sheer length. Every additional character, whether it’s a letter, number, or symbol, multiplies the number of combinations an attacker has to try by the size of the character set, so the search space grows exponentially with length.
So in a sense, nothing is worse than a short password, and this is made evident when you look at the list of terrible passwords. (Only three of them have more than eight characters, and even eight characters is too short for real protection these days.) 1234 and solo are especially bad.
Make your passwords longer! Yes, even longer than what you’ve got. Wondering whether your password is long enough? It probably isn’t. Tack on a few more characters at the end. Brute-force cracking, which simply tries every combination, is the attack that length defeats outright: each added character multiplies the attacker’s work while costing you only one more keystroke.
4. The “No Numbers or Symbols” Password
All things considered, a longer password of only letters is usually better than a shorter password with letters, numbers, and symbols, but a longer password that incorporates letters, numbers, and symbols is certainly the strongest of the three.
The reason for this is that you want to maximize the number of possible choices for each character in your password. Lowercase letters alone give 26 choices per character; mixing in uppercase brings it to 52, adding digits makes it 62, and the full set of printable ASCII symbols brings it to 95. Since the search space is that number raised to the power of the length, the difference compounds with every character you add.
So aywiresufzklthfrs is an okay password, ayw4r2s8f8kl43f2s is even better, and a!w4_2s8#8kl43f2% is the best. As you can see, none of the items in the worst passwords list have any symbols in them. Coincidence? Not at all.
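To put numbers on the length-versus-character-set argument, here is an added example (not code from the original article) that computes the brute-force search space and bit strength for the three sample passwords above, for a short PIN, and for a couple of entries from the worst-passwords list. The guess rate of ten billion per second is an assumption representing an unsalted fast hash on GPU hardware, and the small list of known-bad passwords is constructed from the entries this article names; a real check would use a leaked-password corpus.

```python
import math
import string

# Character classes an attacker must add to the brute-force alphabet
# as soon as any member of the class appears in the password.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),  # 26
    "uppercase": set(string.ascii_uppercase),  # 26
    "digits": set(string.digits),              # 10
    "symbols": set(string.punctuation),        # 32 printable ASCII symbols
}

# Constructed for this example from the entries the article names.
KNOWN_BAD = {
    "1234", "12345", "123456", "1234567", "12345678", "123456789", "1234567890",
    "qwerty", "qwertyuiop", "1qaz2wsx", "password", "passw0rd", "solo",
    "football", "baseball",
}


def charset_size(password):
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    covered = set()
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    # Anything outside the four classes (space, non-ASCII) counts as one extra symbol each.
    return size + len({c for c in password if c not in covered})


def search_space(password):
    """Number of candidates a brute-force attack must cover in the worst case."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Strength in bits, assuming every character was chosen uniformly at random."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def effective_bits(password):
    """The entropy formula overrates dictionary entries: a password that is
    already on an attacker's list falls on the first few guesses regardless of
    its length or character mix, so it is credited with zero bits here."""
    if password.lower() in KNOWN_BAD:
        return 0.0
    return entropy_bits(password)


def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case time to exhaust the search space at the assumed guess rate.
    Slow password hashes (bcrypt, scrypt, Argon2) cut that rate by orders of magnitude."""
    if effective_bits(password) == 0.0:
        return 0.0
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    samples = ["aywiresufzklthfrs", "ayw4r2s8f8kl43f2s", "a!w4_2s8#8kl43f2%",
               "7319", "password", "passw0rd"]
    for pw in samples:
        years = crack_time_seconds(pw) / (365 * 24 * 3600)
        print(f"{pw:20} alphabet={charset_size(pw):3} bits={effective_bits(pw):6.1f} "
              f"worst-case years={years:.3g}")
```

Run it and the three sample passwords come out at roughly 80, 88 and 104 bits, while passw0rd scores zero despite its digit: the list, not the formula, decides. A twelve-character all-lowercase password also outscores an eight-character one drawn from all 95 printable characters, which is the point made above.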
5. The “L33T SP34K” Password
If you’re going to use numbers and symbols in your password, there is one caveat that you need to know about: if your password contains complete words, never make simple letter-to-number or letter-to-symbol substitutions for individual characters.
For example, if your password is cableCABLE, don’t replace the a with @, the l with 1, the A with 4, and the E with 3. You might think the resulting password — c@b1eC4BL3 — is a lot stronger than the original, but there’s a good chance it isn’t. (No, passw0rd is not any better than password.)
Password-cracking tools know that people do this: the rule files they ship with apply exactly these substitutions (a to @ or 4, e to 3, i to 1, o to 0, s to $ or 5) to every dictionary word automatically, so c@b1eC4BL3 is reached almost as quickly as cableCABLE. Similarly, if your name is DANIEL and you set your password as D4N13L, it’s still easy to guess.
6. The “Personal Info” Password
While we’re on the subject of using your name in your password, there’s only one thing to say: DON’T! In fact, whenever you’re trying to come up with a new password, never include any personal details. A good password should have no relation to you whatsoever.
For example, it’s clear that a lot of people like football and baseball, both of which appear on the list. If you’re a big fan of either sport, it would be trivial to guess.
Of the many ways an attacker can get at your password, mining your public footprint is one of the most effective. Personal details are available all over the Web (especially on social networking profiles), and an attacker who knows your name, your team, and your birth year feeds them straight into the guess list, combined with the usual substitutions and suffixes.
Instead, let a password generator (most password managers have one built in) produce a random password for you. A generated password has no connection to your life, which is exactly what you want.
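Points 5 and 6 describe the same attacker technique from two sides: a base word (a dictionary entry or a personal detail) and a small set of mangling rules applied to it. The following added example, which is not from the original article and is not the code of any real cracking tool, builds such a guess generator and reports how many guesses it needs to reach a given password. The word list, the profile of a hypothetical user named Daniel, the substitution table and the suffix list are all constructed here for illustration; real tools ship rule files with thousands of transformations.

```python
import itertools

# Constructed inputs: a few base words the article names, plus the kind of
# personal details an attacker scrapes from a public profile.
COMMON_WORDS = ["password", "football", "cable", "dragon", "monkey"]
PROFILE = {"first_name": "Daniel", "team": "Arsenal", "birth_year": "1985"}

# Single-character substitutions people believe make a word unguessable.
# Cracking tools ship these as mangling rules and apply them to every word.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1", "t": "7"}


def case_variants(word):
    """Common case rules, plus 'repeat the word with a case change' (cableCABLE)."""
    w = word.lower()
    return [w, w.upper(), w.capitalize(), w + w.upper()]


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions applied,
    starting with the unmodified word (zero substitutions)."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            choices = [LEET[word[i].lower()] for i in combo]
            for replacement in itertools.product(*choices):
                chars = list(word)
                for i, ch in zip(combo, replacement):
                    chars[i] = ch
                yield "".join(chars)


def wordlist(profile=PROFILE, common=COMMON_WORDS):
    """Base dictionary: common words first, then everything found in the profile."""
    return list(common) + [v.lower() for v in profile.values()]


def suffixes(profile=PROFILE):
    """Suffixes people append to satisfy 'add a number or symbol' rules."""
    return ["", "1", "123", "!", profile["birth_year"]]


def candidates(words=None, extra=None):
    """Generate guesses in the order a rule-based cracker would try them."""
    words = wordlist() if words is None else words
    extra = suffixes() if extra is None else extra
    seen = set()
    for word in words:
        for cased in case_variants(word):
            for mangled in leet_variants(cased):
                for suffix in extra:
                    guess = mangled + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def guesses_until(target, limit=1_000_000):
    """Return how many guesses the rule set needs to hit `target`, or None if
    `target` is not derivable from the wordlist within `limit` guesses."""
    for n, guess in enumerate(candidates(), start=1):
        if guess == target:
            return n
        if n >= limit:
            break
    return None


if __name__ == "__main__":
    for pw in ["password", "passw0rd", "c@b1eC4BL3", "D4N13L", "Arsenal1985",
               "a!w4_2s8#8kl43f2%"]:
        print(f"{pw:20} guessed after {guesses_until(pw)} guesses")
```

passw0rd falls within the first few dozen guesses, c@b1eC4BL3, D4N13L and Arsenal1985 all fall within the full run of a few hundred thousand candidates, and a!w4_2s8#8kl43f2% is never produced at all, because no word in the list can be mangled into it.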
7. The Pattern Password
I’ll be the first to admit that I memorize all of my passwords through muscle memory, so whenever I need to come up with a new password for a new account, it’s always tempting for me to rely on some kind of pattern in the keyboard keys.
There’s nothing wrong with that if you do it properly. After all, muscle memory is a great way to memorize long, unwieldy passwords that are otherwise nonsensical. However, never resort to an overly simplistic pattern, like 1qaz2wsx, qwerty, or qwertyuiop.
This advice is even more important in situations that require a four-digit PIN, such as ATMs or smartphone lock screens, since a four-digit PIN has only 10,000 possibilities to begin with and keypad patterns such as a straight line down the middle column (2580) are among the most common PINs in use. Still, make sure your pattern passwords aren’t too obvious either.
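The page treats “pattern” loosely; the added example below (not from the original article) makes the keyboard-walk idea measurable. It maps each character to its key position on a US QWERTY layout or a phone/ATM keypad and scores a password by the share of consecutive characters that land on the same or a neighbouring key. The two layouts, the 0.6 threshold and the sample passwords are assumptions made for this example, and the score is only one signal: a plain dictionary word such as password scores low here and is still a terrible password.

```python
# US QWERTY rows as (unshifted, shifted) pairs. A shifted symbol sits on the
# same physical key as its unshifted character, so "!" is the same key as "1".
QWERTY_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
# Phone / ATM keypad, used for PIN checks (0 sits bottom-centre).
KEYPAD_ROWS = [("123", ""), ("456", ""), ("789", ""), ("*0#", "")]


def key_positions(rows):
    """Map every character of a layout to its (row, column) key position."""
    positions = {}
    for row, (plain, shifted) in enumerate(rows):
        for col, ch in enumerate(plain):
            positions[ch] = (row, col)
        for col, ch in enumerate(shifted):
            positions[ch] = (row, col)
    return positions


LAYOUTS = {
    "qwerty": key_positions(QWERTY_ROWS),
    "keypad": key_positions(KEYPAD_ROWS),
}


def adjacent_fraction(password, positions):
    """Fraction of consecutive character pairs that are the same key or
    neighbouring keys (including diagonals) on the given layout."""
    if len(password) < 2:
        return 0.0
    adjacent = 0
    for a, b in zip(password, password[1:]):
        if a in positions and b in positions:
            (r1, c1), (r2, c2) = positions[a], positions[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / (len(password) - 1)


def keyboard_walk_score(password):
    """Highest adjacency fraction across the layouts we know about."""
    return max(adjacent_fraction(password, pos) for pos in LAYOUTS.values())


def is_keyboard_walk(password, threshold=0.6):
    """True when most of the password is a walk across neighbouring keys.
    The 0.6 threshold is a judgement call for this example, not a standard."""
    return keyboard_walk_score(password) >= threshold


if __name__ == "__main__":
    for pw in ["1qaz2wsx", "qwertyuiop", "123456", "111111", "2580",
               "password", "a!w4_2s8#8kl43f2%"]:
        print(f"{pw:20} score={keyboard_walk_score(pw):.2f} walk={is_keyboard_walk(pw)}")
```

1qaz2wsx scores 6/7 because only the jump from z back up to 2 is not an adjacent key; qwertyuiop, 123456 and 111111 (repeating one key counts as distance zero) score 1.0; the PIN 2580 scores 1.0 on the keypad layout even though its digits are scattered on a QWERTY row; and the random a!w4_2s8#8kl43f2% scores about 0.19.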
Good Passwords Aren’t Hard to Make
As important as it is to eliminate weak passwords, it’s also crucial that you enable two-step verification on every account that supports it. Most bank accounts, email accounts, and online shopping accounts these days support two-step verification.
Furthermore, you should have a unique password for every single account you have. It sounds like that would be impossible to manage, but it’s effortless if you start using a password manager (which you really should if you aren’t already).
Lastly, strong passwords are only one piece of the online security puzzle. Be sure to build good security habits if you really want peace of mind in this chaotic online world.
What’s the worst password you’ve ever used? How diligent are you about using strong passwords? Do you use a password manager? Share your experiences with us in the comments below!