Chances are that you use lots of online services, each one asking you to create new passwords. If you’re like most people, you’re only going to have 1 or 2 that you remember. After all, there are a lot of different sites to log into! Why bother making a new one every time?
Unfortunately, it’s time for a bit of a reality check – passwords are the bottom line of security. No matter how secure a service is, an attacker can easily access your account if you use a bad password. This is critical to note for a number of reasons – for instance, an attacker with access to your email account can reset the passwords on services you use, locking you out. As a result, you could find yourself without access to your online banking, professional email and more.
In this post I’ll explain a common way accounts are hacked, what weak passwords look like, and what you can do.
Why this is Important
Even simple software used to break into people’s personal accounts, such as a Facebook account, works by launching brute-force attacks. A brute-force attack, in this context, is when an attacker systematically guesses your password until they hit the right one. Many tools exist to automatically try every possible combination of letters, numbers and words until one of them works. The reason so many services lock you out after you enter your password incorrectly a number of times is to stop exactly this type of attack! To emphasize the point, a lack of lock-out protection is how hackers were able to steal photos in the 2014 iCloud celebrity photo leaks. They scraped interviews with celebrities for key words and phrases like pets’ names and familiar streets, then used programs to guess their passwords.
Common Weak Passwords
Before guessing random combinations, good software will guess from a list of people’s most commonly-used passwords. Companies like SplashData determine that list by scraping information from some of the biggest data leaks, like the Ashley Madison Hack. Using this information, we can determine the most common passwords that people used, listed here:
- qwerty (if you’re curious about this one, look at the first 6 keys on your keyboard)
- p*ssy (let’s assume this one is about cats…)
A full list can be seen here. If your password is on this list, please try to come up with a better one! If anyone wants to gain access to your accounts, it will likely be trivial for them. Similarly, see below for a list of the most common 4-digit PINs (for iPhones and similar devices).
[Image: the most common 4-digit PINs. Source: Nick Berry of Data Genetics]
Most modern phones only give you 10 guesses before starting to lock you out, but that’s enough to get into almost 25% of phones.
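To show how the two defences described above fit together, here is an added example (my own code, not part of the original post) of a minimal login guard: it refuses passwords that appear on a common-password list, and it locks the account after a fixed number of wrong guesses so that an automated brute-force run stalls. The list, user names and passwords in it are constructed sample data, and the lock-out limit and duration are assumptions chosen for illustration.

```python
# Added example: password blocklist check plus failed-attempt lock-out.
# All names, passwords and limits here are constructed sample values,
# not taken from any real service.
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # wrong guesses allowed before lock-out
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked
# Constructed stand-in for a common-password list (real lists are far longer).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111"}

def is_common_password(candidate):
    """True if the candidate appears on the common-password list (case-insensitive)."""
    return candidate.lower() in COMMON_PASSWORDS

def hash_password(password, salt=None):
    """Salted PBKDF2 so a leaked user database does not expose plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

class Account:
    def __init__(self, username, password):
        if is_common_password(password):
            raise ValueError("password is on the common-password list")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_until = 0.0

    def login(self, candidate, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"               # refuse without even checking the password
        _, digest = hash_password(candidate, self.salt)
        if hmac.compare_digest(digest, self.digest):
            self.failures = 0             # a successful login resets the counter
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Once the account is locked, even the correct password is refused until the window expires, which is what turns an unlimited guessing game into a handful of attempts per quarter hour.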
Keeping yourself secure is actually a relatively simple process. First of all, see how secure your average password is with an online tool, like www.howsecureismypassword.net. Then, consider implementing some of the following pieces of advice:
- Don’t re-use passwords. One great password is useless if someone knows it!
- Consider activating two-factor authentication (2FA) wherever possible. 2FA adds a second check, typically an emailed code or a text message, to confirm you are who you say you are.
- Try a password manager like 1Password. Password managers allow you to make complex passwords on the websites you use, while only having to remember one simple password yourself.
- Don’t needlessly share your password!
Well, that primer was a little longer than I was expecting to write. I hope you found it a useful starting point for protecting yourself!