Bad password habits are hard to break. In the olden days of the internet, many of us got used to repeating the same, easy-to-remember password on every site, so we’d never have to worry about getting locked out. And recent data suggests plenty of people have yet to learn better, even in the era of mass data leaks (bad) and ubiquitous password managers (good, provided you choose the right one).
The most common passwords are almost all terrible
There’s a lot we can say regarding good password hygiene, but let’s focus on some interesting new data from NordVPN. The company researched the most common passwords used in 2022, and the results are a bit depressing, if not surprising. By far, the most common of the bunch are “password,” with nearly five million uses, and “123456,” with 1.5 million. (Tack a “789” on the end of that one, and you have the third most used password on Nord’s list.)
The full list of 200 passwords has plenty of winners, from “guest,” to “qwerty,” to my personal favourite, “fuckyou.” But it includes tons of combinations of common words and numbers as well. If you recognise any of your passwords on this list, it’s a good reminder to change it as soon as possible, of course. But you also need to think about creating stronger passwords generally (and finally getting a password manager).
Bad passwords can be broken in minutes (or less)
If you need some convincing, take a look at the “Time to Crack It” column. This is an estimation of how long it would take for a bad actor to break into an account only protected by this commonly used password. The timeframes differ based on the uniqueness of the password: “9136668099,” for example, takes roughly four days to crack according to Nord, likely because of the length and randomness of the numbers. However, most of the passwords on the list are crackable within hours, minutes, or seconds. If you have any accounts with “password” as a password, consider it instantly crackable.
The same holds true for passwords that have been released in a data leak. This is why you should never reuse passwords: If your password is easy to guess, or has been released onto the internet, hackers will try it against all the accounts they can think of. If you have the same password for both Instagram and your bank, and Instagram suffers a data breach, your bank account is no longer safe.
Don’t use personal info in your passwords
What’s even more interesting than the passwords themselves is the apparent inspiration behind them. Nord found a trend among the employees of wealthy companies to use references or hints to the company name in their password. While it might make your life easier when logging into your work email every morning, it also makes a hacker’s life easier: They’re going to try passwords related to your company or job first, because they know how common that practice is.
Consider the passwords you’ve made for your own accounts. Maybe you chose something you thought was unique to you, like your favourite sports team, your pet’s name, or your hometown. Well, bad actors can use that against you: If you’re at all online, it’s possible to learn about those interests from your socials, and test the most common combinations on your accounts: “R3dSoxf@n,” “Fid0th3dog” and “N3WY0rk100” are all terrible passwords because of that vulnerability.
What makes a strong and unique password?
When it comes to making good passwords, don’t choose something that means anything to you. In fact, you don’t want something that means anything to anyone: The more obscure and/or random the password, the harder it will be for a computer to crack, and it’ll probably be impossible for a human to guess.
But that doesn’t mean you need to start mashing away at the keyboard every time you make a new password. One effective method of creating strong and unique passwords is to string together a few totally random words. Use this ageing but still accurate xkcd comic’s take on the subject as a model: Cartoonist Randall Munroe demonstrates how a password like “Tr0ub4dor&3” seems strong on the surface (a human would never guess it), but a computer could crack it fairly easily. Plus, it’s hard to remember. Connecting four random words is way harder for computers and humans alike to figure out, and you might have an easier time remembering it. Change some of the letters to characters, include an underscore or two, and you’ve got a strong password cooking.
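To see why the “Time to Crack It” column above and the xkcd argument both come down to the size of the space an attacker has to search, here is a small strength estimator added for this article (it is not NordVPN’s or xkcd’s code). It assumes the comic’s figures of roughly 28 bits for a “Tr0ub4dor&3”-style password, 44 bits for four words from a 2,048-word list, and 1,000 guesses per second, and the word list is a constructed stand-in for a real diceware list.

```python
import math
import secrets

# Constructed stand-in word list for the demo. A real diceware list has
# thousands of entries; with only 16 words, four of them give just 16 bits.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
              "pencil", "window", "orange", "silver", "marble", "turtle",
              "candle", "rocket", "violin", "jungle"]

GUESSES_PER_SECOND = 1000  # the comic's (deliberately slow) online guess rate


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(size of the character pool used).

    This is what simple strength meters compute. It badly overstates a
    dictionary word with substitutions like Tr0ub4dor&3, which an attacker
    models as one word plus a few common tweaks (about 28 bits), not as
    eleven random characters from a 95-symbol pool (about 72 bits).
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust a keyspace of 2**bits at the given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(words, n_words: int = 4, sep: str = "_") -> str:
    """Draw words with the CSPRNG in secrets; never random.choice for this."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print("Tr0ub4dor&3, 28 bits:", seconds_to_crack(28) / 86400, "days")
    print("four words, 44 bits:", seconds_to_crack(44) / 31557600, "years")
    print("example passphrase:", generate_passphrase(DEMO_WORDS))
```

Running it reproduces the comic’s “3 days” versus “550 years” at 1,000 guesses per second, and shows the naive charset estimate crediting “Tr0ub4dor&3” with far more than the 28 bits it actually has.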
Just get a password manager already
You can read more about creating memorable passwords that are strong and unique in our guide here. Honestly though, you really only need to remember one strong and unique password, because the rest of them should be locked away in a password manager. That removes the temptation to make any of these passwords memorable: The manager remembers them, so you don’t have to. They’ll even make the passwords for you!
Even good passwords don’t make your account secure
Passwords get too much attention anyway. You should also be coupling them with two-factor authentication on any account that supports it, preferably via an authentication app rather than a simple text message. If you have 2FA set up, a compromised password won’t be enough for hackers to break into your account: They’ll also need access to the code on your trusted device.
And soon, passkeys might replace the whole system altogether, if tech giants like Apple and Google get their way. Passkeys combine passwords and 2FA together into one secure system. You don’t come up with a password; rather, your secondary device is the password, storing the secure passkey for you and only you to access. As long as you can authenticate yourself, you’re in. It’s a great concept, and could both simplify authentication and enhance its security. But seeing as so many of us are still using “password” for everything, we’re going to be a long time getting there.