Passwords are an important line of defense against cyberattacks, yet many people make it easy for hackers to crack them. Here are six mistakes that people often make when creating passwords.
Serious consequences can result from cracked passwords. Cybercriminals might use them to steal money or data from the compromised accounts. Or they might change the accounts’ passwords and use the hijacked accounts for other malicious activities such as installing malware or sending phishing emails.
While no one wants to have their passwords cracked, many people make it easy for cybercriminals to do so. Here are six mistakes that people often make when creating passwords:
- Using Repeating or Sequential Characters
Want a password that is extremely easy to crack? Create a password that consists of:
- Repeating letters or numbers, such as “aaaaaa” or “111111”
- Sequential letters or numbers, such as “abcdef” or “123456789”
- A combination of repeating and sequential characters, such as “abc123” or “aa123456”
SplashData’s 100 worst passwords list is full of these types of passwords. In 2018, the company analyzed more than 5 million passwords leaked on the Internet to find the most predictable, easily crackable ones in use. All the examples listed above are on this list. On an average computer, it would take a cybercriminal only one second to crack each of these passwords using a brute-force password-cracking tool, with one exception. It would take 32 seconds to crack “aa123456”, which is still a very short amount of time.
- Relying on Memorable Dates
While using your birthday, a family member’s birthday, or another memorable date makes a password easy to remember, it also makes it easier to crack. Hackers know people do this. With a little research, they often can learn their victims’ birthdates, anniversaries, and other special dates. If they cannot find the information on social media sites like Facebook or Twitter, they can search public records.
- Entering Keyboard Patterns
Although “1qaz2wsx” and “!@#$%^&*” might seem like random strings of characters, hackers know they are keyboard patterns. Hackers also know that people like to use keyboard patterns as passwords, so they check for them. In fact, “1qaz2wsx”, “!@#$%^&*”, “zxcvbnm”, and “qwerty” are all on SplashData’s 100 worst passwords list.
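The repeating, sequential and keyboard-walk passwords in the two sections above are exactly what a password screen should reject before a user ever relies on them. The following Python is an added example, not from the article: it finds such runs in a candidate password and reports how much of it they cover. The keyboard rows and columns, the minimum run length and the rejection threshold are assumptions.

```python
import string

MIN_RUN = 3  # assumption: a run this long or longer counts as a pattern

# Alphabet order plus constructed US-QWERTY rows and columns; each walk is
# also matched backwards ("fedcba", "zaq1", "poiuy").
_BASE_WALKS = [string.ascii_lowercase, "1234567890", "qwertyuiop", "asdfghjkl",
               "zxcvbnm", "!@#$%^&*()", "1qaz", "2wsx", "3edc", "4rfv", "5tgb",
               "6yhn", "7ujm"]
WALKS = _BASE_WALKS + [w[::-1] for w in _BASE_WALKS]


def pattern_runs(password: str) -> list[str]:
    """Maximal substrings that are repeated characters, sequential characters,
    or keyboard walks of at least MIN_RUN characters, in order of appearance."""
    pw = password.lower()
    runs, i = [], 0
    while i < len(pw):
        best = 1
        while i + best < len(pw) and pw[i + best] == pw[i]:   # repeated character
            best += 1
        for walk in WALKS:                                   # sequence or walk
            length = best
            while i + length < len(pw) and pw[i:i + length + 1] in walk:
                length += 1
            best = max(best, length)
        if best >= MIN_RUN:
            runs.append(password[i:i + best])
            i += best
        else:
            i += 1
    return runs


def pattern_coverage(password: str) -> float:
    """Fraction of the password that sits inside such runs (0.0 for none)."""
    if not password:
        return 0.0
    return sum(map(len, pattern_runs(password))) / len(password)


def is_patterned(password: str, threshold: float = 0.5) -> bool:
    """Reject when at least half the characters belong to a run (threshold assumed)."""
    return pattern_coverage(password) >= threshold
```

Every example the article quotes from the SplashData list is rejected, while “fond of flying footballs” passes; a dictionary word such as “password” contains no run and needs the blocklist check instead.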
- Creating Short Passwords
Short, simple passwords are easier to remember than long, complex ones, but they are also much easier to crack. For example, passwords such as “football”, “Donald”, “banana”, and “whatever” take only two seconds to crack using a brute-force password-cracking tool.
Short passwords are dangerous even if you use letter substitution, such as substituting the number “0” for the letter “o” or the “@” sign for the letter “a”. It would still take only three seconds to crack the passwords “f00tball”, “D0n@ld”, “b@n@n@”, and “wh@tever”.
Longer passwords take far more guesses to brute-force than shorter ones. However, the long complex passwords that you are supposed to create — that is, long passwords that include mixed-case letters, numbers, and symbols — are hard to remember. As a result, people resort to writing them down or reusing the same password. This is why the US National Institute of Standards and Technology recommends using “memorized secrets” — passphrases that are simple, long, and easy to remember.
For instance, instead of using “football”, you might use “fond of flying footballs”. This passphrase would take more than 10,000 centuries to crack. As this example shows, including spaces is a good practice to follow, assuming they are allowed. Besides making the passphrase easier to enter, spaces make the passphrase harder to hack. It would take 58 centuries to hack “fondofflyingfootballs”. Although not as good as 10,000 centuries, 58 centuries is still a very long time.
- Reusing Passwords
People have to remember numerous passwords for both business and personal accounts. With so many passwords to remember, people often use the same password for multiple accounts. In one survey, 60% of the 1,000 participants admitted doing so.
However, cybercriminals know people frequently reuse passwords, so they try cracked passwords on multiple accounts. For instance, they sometimes launch an automated credential stuffing attack in which distributed botnets try using compromised credentials on high-value websites. This testing is done slowly using many different IP addresses to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.
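The per-source alert the text mentions (three failed logins) is exactly what a distributed, low-and-slow credential stuffing run is built to stay under. As an added example, not from the article, the Python below runs both views over a constructed login log: the per-IP lockout never fires, while aggregating failures across all accounts and sources in one time window does. The log format, the TEST-NET addresses and the thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed authentication log, not from the article: "timestamp user source_ip result".
# Eight accounts each fail once from a different TEST-NET address, one attempt a minute.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice 198.51.100.4 success
2024-03-01T09:01:10Z bob 203.0.113.7 failure
2024-03-01T09:02:14Z carol 203.0.113.9 failure
2024-03-01T09:03:02Z dave 203.0.113.21 failure
2024-03-01T09:03:40Z alice 198.51.100.4 success
2024-03-01T09:04:11Z erin 203.0.113.33 failure
2024-03-01T09:05:19Z frank 203.0.113.48 failure
2024-03-01T09:06:03Z grace 203.0.113.52 failure
2024-03-01T09:07:27Z heidi 203.0.113.61 failure
2024-03-01T09:08:45Z ivan 203.0.113.77 failure
"""

def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def per_ip_lockouts(events, max_failures: int = 3) -> set[str]:
    """The per-source control the article mentions (e.g. three failures). No single
    IP in a distributed, low-and-slow run ever reaches it."""
    failures = Counter(ip for _, _, ip, result in events if result == "failure")
    return {ip for ip, n in failures.items() if n >= max_failures}

def detect_distributed_stuffing(events, window: timedelta = timedelta(minutes=10),
                                min_accounts: int = 5, min_sources: int = 5):
    """Aggregate failures across the whole site instead of per source. Many distinct
    accounts failing from many distinct IPs inside one window is the signature the
    per-IP threshold misses. Returns (window_start, accounts, sources) for the first
    window that trips, or None. The thresholds are assumptions to tune to a baseline."""
    failures = sorted(e for e in events if e[3] == "failure")
    for i, (start, _, _, _) in enumerate(failures):
        in_window = [e for e in failures[i:] if e[0] - start <= window]
        accounts = {e[1] for e in in_window}
        sources = {e[2] for e in in_window}
        if len(accounts) >= min_accounts and len(sources) >= min_sources:
            return start, len(accounts), len(sources)
    return None

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(per_ip_lockouts(evts), detect_distributed_stuffing(evts))
```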
- Modifying Passwords
To make passwords easier to remember, some people add or delete characters from passwords they are using at other sites. For example, they might use the passwords “cheese”, “cheese001”, and “cheese002” for three different accounts. One research study found that about 20% of passwords are formed this way.
More importantly, the researchers were able to create an automated cross-site password-guessing tool by applying common password-transformation rules to compromised passwords. If researchers can build such a tool, cybercriminals can too.
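The same transformation rules work in the defender's favour: undo them before comparing a candidate password against a blocklist or against the password it replaces, and “cheese001” is caught along with “cheese”, and “f00tball” along with “football” (the letter-substitution case from the short-passwords section above). The Python below is an added example, not the researchers' tool or the article's code; the substitution table and the blocklist are assumptions built from the article's own examples.

```python
import string

# Substitutions the article mentions (0 for o, @ for a) plus a few other common
# ones; the table is an assumption and not exhaustive.
LEET = str.maketrans({"0": "o", "@": "a", "3": "e", "4": "a", "$": "s", "5": "s", "7": "t"})
EDGE = string.digits + string.punctuation

# Constructed blocklist from the article's examples; a real deployment screens
# against a breach corpus of millions of entries.
BLOCKLIST = {"football", "donald", "banana", "whatever", "cheese", "password"}


def stems(password: str) -> set[str]:
    """Candidate base words after undoing the two transformations the article
    describes: bolted-on digit/symbol prefixes or suffixes ("cheese001") and
    letter substitutions ("f00tball"). Both orders are tried because a trailing
    "0" may be either a suffix digit or a substituted "o"."""
    p = password.lower()
    forms = {p.strip(EDGE).translate(LEET), p.translate(LEET).strip(EDGE)}
    return {f for f in forms if f}


def is_variant(candidate: str, other: str) -> bool:
    """True when the two passwords reduce to a common base word."""
    return bool(stems(candidate) & stems(other))


def screen(candidate: str, current: str = "", blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Reasons to reject a new password at change time, when the user has just
    supplied the current one, so a plaintext variant comparison is possible."""
    reasons = []
    if stems(candidate) & blocklist:
        reasons.append("reduces to a blocklisted word")
    if current and is_variant(candidate, current):
        reasons.append("simple variant of the current password")
    return reasons
```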