The average Internet user regularly visits 25 different password-protected sites but uses only six different passwords. Of Internet users, 73 percent use the same password across multiple sites, 33 percent use the same password on every site and a shocking 47 percent use the same password on their bank website as they use elsewhere.
Why is this dangerous? If someone cracks your password at a fairly low-risk site, like Twitter, and you also use that password for your banking site, that hacker can quickly clean out your account without anyone being the wiser.
What are the most common passwords in use today? We actually know this, thanks to the number of breaches that occur every year. Hackers publish lists of passwords they’ve stolen from sites on the Internet, and security research firms study them.
According to SplashData.com, the most common password — no surprise — is "password." In second place is "123456," followed closely by "12345678." Also popular are "abc123," "qwerty" (on the same line of a keyboard) and "monkey." Rounding out the top 10 are "letmein," "dragon," "111111," and "baseball." Some newcomers this year are "jesus," "welcome," "ninja," "mustang" and the clever but overused "password1."
All of the aforementioned passwords can be cracked in less than a second by a skilled hacker. If you are using any of them, I recommend that you put this article down and go change them. Right now.
The key to a strong password is length plus complexity. A six-character password can be cracked in 10 minutes if it is simply a string of lowercase letters. Add numbers and symbols, and it’ll take about two weeks to crack. A seven-character password with numbers and symbols will extend its life to about four years. An eight-character password will take over 400 years to crack. But even at eight characters, if you remove the complexity of numbers and symbols, the password could be cracked in about four days. So remember, length alone will not make a strong password. You need the added complexity of symbols and numbers.
Unfortunately, complex passwords are difficult to remember, and that’s why we end up with "password1," which is long, at nine characters, and complex, as it contains a number. But it will be cracked in seconds because it’s so popular.
I recommend using "passphrases." It’s perfectly acceptable on most websites to use sentences as your password. For example, "I love my bank password!" is an acceptable password for most banking sites and would be difficult to crack. And because it’s a full sentence, it’s easy to build site-aware context into it. For Twitter you can go with something like "My Twitter password is very strong!"
Some sites won’t allow full sentences as passwords. In those cases you can cram all the words together by removing the spaces ("MyTwitterpasswordisverystrong!") or use a truly random password and track it using a password repository program like Password Safe or LastPass.
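To make the reasoning behind the last few paragraphs concrete, here is a small password checker written as an added example for this column; it is not code from the author or from any product named above. It applies the two tests the text describes: first a dictionary check against the common passwords listed earlier (including simple variants such as "password1"), which fails instantly regardless of length, and then a brute-force estimate where the search space grows as (character-set size) raised to the (length). The guess rate of one billion guesses per second is an assumed placeholder for illustration, so the resulting times will not match the figures quoted in the column, but the shape of the result does: a short lowercase string falls in under a second, while a passphrase such as "I love my bank password!" is far out of reach.

```python
import math
import string

# Constructed list: the common passwords named in the column. A real deployment
# would load a full breach-derived list with millions of entries instead.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball",
    "jesus", "welcome", "ninja", "mustang", "password1",
}

# Assumed offline guess rate (guesses per second). Placeholder for illustration only.
GUESSES_PER_SECOND = 1e9

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers every character in pw.

    This is what an attacker must enumerate when brute-forcing: lowercase (26),
    uppercase (26), digits (10) and printable punctuation plus space (33).
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += 33
    return size


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole search space: charset ** length / rate."""
    return charset_size(pw) ** len(pw) / rate


def is_common_variant(pw: str) -> bool:
    """True if pw is a listed common password or a trivial variant of one.

    Attackers try case changes and trailing digits/symbols on every dictionary
    word, so "Password1" or "monkey!" buys nothing over "password" or "monkey".
    """
    lowered = pw.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS


def assess(pw: str) -> dict:
    """Return a verdict with the reason, mirroring the column's two arguments."""
    if not pw or is_common_variant(pw):
        return {"verdict": "reject", "seconds": 0.0,
                "reason": "on the common-password list; cracked by dictionary in seconds"}
    secs = brute_force_seconds(pw)
    if secs < SECONDS_PER_YEAR:
        verdict = "weak"
    else:
        verdict = "strong"
    return {"verdict": verdict, "seconds": secs,
            "reason": f"charset {charset_size(pw)} ^ length {len(pw)} at "
                      f"{GUESSES_PER_SECOND:.0e} guesses/s = {secs / SECONDS_PER_YEAR:.3g} years"}


if __name__ == "__main__":
    for candidate in ["password1", "abcdef", "abc123", "I love my bank password!",
                      "MyTwitterpasswordisverystrong!"]:
        result = assess(candidate)
        print(f"{candidate!r:36} {result['verdict']:7} {result['reason']}")
```

Two points worth noting from the output: "abc123" is rejected even though it mixes letters and digits, because popularity, not character mix, is what a dictionary attack exploits; and "password1" is caught by the variant check rather than the brute-force estimate, which on its own would have rated a nine-character mixed password quite well. Any policy that only measures length and character classes will wave such passwords through.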
I will also go against conventional wisdom and say that in many cases it’s fine to write down your passwords and put them on a sticky note at home. We’ve been preaching against this for years in our workplaces, but it’s less of a problem at home. It’s unlikely that a hacker from another country will break into your home and read your sticky note. I’d much rather have people using strong, complex passwords that they have to write down than poorly chosen, easy-to-crack passwords that they can remember.
———
Hawaiian Telcom Information Security Director Beau Monday is a local cybersecurity expert. Reach him at Beau.Monday@hawaiiantel.com.