Password Formulas Don't Fool Hackers

Every time we write about passwords on Lifehacker, a few readers share their secret formula for creating passwords. According to Ryan Merchant, senior manager at the password manager Dashlane, those formulas are easy to hack.

Dashlane recently analysed 61 million passwords from years of large data breaches — passwords that are available to many security researchers, hackers, and even the public. Dashlane's biggest takeaway is that people aren't very original. Not even the ones using formulas.

Among the obvious common passwords like iloveyou, ferrari, and starwars, Dashlane found common formulas like "password walking": hitting adjacent keys to produce a string that looks random but is in fact among the first things a cracker tries. "Walking" passwords include 1q2w3e4r, zaq12wsx, and [email protected]. These are common enough that they sit in the wordlists hackers feed to "dictionary attacks" against accounts they know nothing else about.

Maybe, like one Lifehacker reader, you "use a formula based on the name of the website." You're still in danger, says Merchant: "If [a hacker] knows somebody's 'base password,' it's not that difficult to predict what the variations of that are going to be." Especially since hackers know the password requirements for each site. So when one of your formula passwords is exposed, all of them are effectively exposed: the attacker only has to guess the formula, and a formula with a handful of variations is a search space of a few hundred candidates, not the billions a random password offers. If you just slap "tidder" at the end of your Reddit password, a hacker knows to add "koobecaf" to your Facebook password. Hackers can also guess which characters you substitute, because cracking tools apply the usual swaps automatically: letters and numbers turn into punctuation marks in a few predictable ways. Changing every i to !, rebus style, won't fool them.
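The two weaknesses described above, keyboard walks and site-name formulas, as an added example in Python that is not part of the original article or of Dashlane's study. The leaked password, the site names and the substitution table are constructed for illustration; the "walk" detector and the formula search are simplified versions of what rule engines in tools like hashcat and John the Ripper do at scale.

```python
"""Added example; not code from the original article or from Dashlane.
Two things the article describes, in runnable form:
  1. a detector for "password walking": every character sits on a QWERTY
     key adjacent to the previous one, allowing the usual "back to the top
     row, one column over" restart (as in 1qaz2wsx);
  2. how one leaked formula password yields a small candidate set for every
     other site, so a formula buys nothing once a single site is breached.
The site names, the leaked password and the rule set are constructed for
illustration; real crackers apply thousands of such rules to every word.
"""
import itertools
import math

# 1. Keyboard walks. An unstaggered QWERTY grid is enough to catch the common walks.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_DIGITS = dict(zip("!@#$%^&*()", "1234567890"))
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def _key(ch):
    """Grid position of the physical key, ignoring Shift (so @ is the 2 key)."""
    return KEY_POS.get(SHIFTED_DIGITS.get(ch, ch.lower()))


def _adjacent(p, q):
    return abs(p[0] - q[0]) <= 1 and abs(p[1] - q[1]) <= 1


def is_keyboard_walk(pw, min_len=4):
    """True if pw (at least min_len chars) is a walk across adjacent keys."""
    if len(pw) < min_len:
        return False
    pos = [_key(ch) for ch in pw]
    if any(p is None for p in pos):
        return False
    seg_start = pos[0]
    for prev, cur in zip(pos, pos[1:]):
        if _adjacent(prev, cur):
            continue
        if _adjacent(seg_start, cur):      # jumped back beside the start of the last run
            seg_start = cur
            continue
        return False
    return True


# 2. Formula passwords.
LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}
UNLEET = {v: k for k, v in LEET.items()}


def site_tokens(site):
    """Ways a formula commonly embeds the site name."""
    s = site.lower()
    return {s, s[::-1], s[:3], s.capitalize(), s.upper()}


def unleet(word):
    return "".join(UNLEET.get(ch, ch) for ch in word)


def leet_variants(word):
    """All 2**k combinations of the substitutions over the k substitutable letters."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for on, i in zip(mask, positions):
            if on:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def infer_formula(leaked, site):
    """Find a site token at either end of a leaked password.
    Returns (base, template); the template rebuilds the password for another site."""
    for tok in sorted(site_tokens(site), key=len, reverse=True):
        if len(tok) >= len(leaked):
            continue
        if leaked.endswith(tok):
            return leaked[:-len(tok)], "{base}{tok}"
        if leaked.startswith(tok):
            return leaked[len(tok):], "{tok}{base}"
    return leaked, "{base}"            # no site token found: same password everywhere


def candidates(leaked, leaked_site, target_site):
    """Every guess for target_site that the formula inferred from `leaked` allows."""
    base, template = infer_formula(leaked, leaked_site)
    return {template.format(base=b, tok=tok)
            for b in leet_variants(unleet(base))
            for tok in site_tokens(target_site)}


def guess_bits(n):
    """Search-space size expressed as bits, for comparison with random passwords."""
    return math.log2(n)


if __name__ == "__main__":
    for pw in ["1q2w3e4r", "zaq12wsx", "1qaz2wsx", "iloveyou", "correct horse"]:
        print(f"{pw:14} keyboard walk: {is_keyboard_walk(pw)}")
    # Constructed leak: a Reddit password built as base + site name reversed.
    guesses = candidates("Sandc@stletidder", "reddit", "facebook")
    print(f"{len(guesses)} guesses for Facebook ({guess_bits(len(guesses)):.1f} bits), "
          f"hit: {'Sandc@stlekoobecaf' in guesses}")
    print(f"random 16-char printable-ASCII password: {guess_bits(94 ** 16):.1f} bits")
```

With the constructed leak the formula leaves 160 Facebook candidates, about 7 bits of work, against roughly 105 bits for a random 16-character password; a real rule file would cover far more formulas than the two ends-of-string templates and five substitutions shown here, which only makes the gap wider.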

So please, give up your formula and use a password manager, which will generate genuinely random passwords for you and remember them, so you never have to learn them. You could use Dashlane; I personally like 1Password. We've listed our five favourite password managers here. I've even reviewed a newer, cuter option called RememBear.

You can't stop accounts from getting breached; that's up to the companies and organisations that store them. All you can do is contain the damage and make your passwords less guessable. The point of a password is to keep your data safe, not to make you feel clever.


Comments

    "You can't stop accounts from getting breached; that's up to the companies and organisations that store them."

    and

    "So please, give up your formula and use a password manager, which will create actually random passwords for you, then remember them so you never even have to learn them."

    So are you advocating to put all your passwords in the same location so when the password software / software architect is hacked, the hackers can receive all the passwords at one convenient location?

    How in reality is a password manager any safer than just using the same password for everything?

      For one, I trust (some) password managers more than people that roll their own authentication solutions (you never know if they are storing in clear text, or using vulnerable algorithms).

      Password managers often use end to end encryption. So all they store is the encrypted data. Only you can access it.

      I use Lastpass and if you forget your password they will refuse to help you because they can't.

      A little research on password managers does wonders.

      From the lastpass website:

      Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.

        I respect your message, but my point is I have no way to confirm the end to end authentication. I have no real way to verify any password manager. I have no way to confirm when they tell me I can't be helped if I lose my password that it is because of authentication or they simply say that they can't help, or because they can't be bothered to open up a plain text log file and search.

          So in other words you're sticking your fingers in your ears and going "LALALALA I DONT BELIEVE YOU"

            No, he / she is saying they don't have the tools, or the skills, to verify the company claim.
            You know who does have those skills? Hackers.

            Adobe claimed their passwords were secure. So did Yahoo. Those are just two companies that have been tested by hackers, and found wanting.

            I hope their accounts are secure. They have effectively painted a bullseye target on themselves, with their security claims. Any hacker who managed to crack their system would be (in)famous.
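The "encrypted on the device, keys never sent to the server" design the thread above argues about, as an added example that is not code from the article, from LastPass, or from any commenter. It is a simplified version of the key-derivation scheme Bitwarden publishes (vault key from the master password and e-mail, login hash as one more round over that key); the e-mail address, passwords and iteration counts are constructed, and encryption of the vault contents under the vault key (AES-GCM in real products) is left out so the block runs with the standard library alone.

```python
"""Added example; not from the original article, LastPass, or any commenter.
Models the client-side key split the comments describe: the server receives
a login hash derived from the vault key, never the master password or the
key that decrypts the vault. Simplified from Bitwarden's published scheme.
Email, passwords and iteration counts are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def derive_keys(master_password, email, iterations=600_000):
    """Client side. vault_key never leaves the device; login_hash is one
    extra PBKDF2 round over it and is the only secret sent to the server.
    PBKDF2 is one-way, so login_hash does not reveal vault_key."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations)
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def server_enroll(login_hash):
    """Server side. Store only a salted hash of the login hash, so a database
    dump holds neither the login hash nor anything that decrypts a vault."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", login_hash, salt, 100_000)}


def server_verify(record, login_hash):
    """Server side login check; constant-time comparison of the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])


def offline_crack(record, email, wordlist, iterations=600_000):
    """What an attacker holding the server database can do: guess master
    passwords offline, paying the full client-side KDF cost per guess.
    That cost plus the strength of the master password is the whole defence."""
    for guess in wordlist:
        _, login_hash = derive_keys(guess, email, iterations)
        if server_verify(record, login_hash):
            return guess
    return None


if __name__ == "__main__":
    email, master = "user@example.com", "correct horse battery staple"   # constructed
    vault_key, login_hash = derive_keys(master, email)
    record = server_enroll(login_hash)
    print("server stores:", {k: v.hex()[:16] + "..." for k, v in record.items()})
    print("vault key present in server record?", vault_key in record.values())
    print("login with correct master password:", server_verify(record, login_hash))
    print("offline guess from breached record:",
          offline_crack(record, email, ["password", "qwerty", master]))
```

This is the answer to the question of how a manager beats reusing one password everywhere: a breach of the manager's servers yields salted hashes and ciphertext, and turning those into vault contents means brute-forcing the master password at the full KDF cost per guess, whereas a reused password is recovered the moment any one site stores it badly. It also makes the remaining risk concrete: a weak master password is exactly what offline_crack finds.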

    I use a password manager and 2FA where I can. I never use my real date of birth on anything (except for a bank app) and all those secret questions have really weird answers. Do I feel safe? Nope, not in the least. But it's also about convenience and what I'm willing to risk.
