One of my favourite parts of the new year is the best/worst lists of all the things that happened in the previous year. When it comes to passwords, the list definitely falls under “worst.”
A simple Google search for “2015 top passwords” returns a long list of blog articles like this one. From that article, here’s a sampling from the top of the list:
With cybersecurity becoming a regular topic in the news, it truly surprises me that ‘123456’ is still being used by anyone, anywhere. Not only is a short password easy for a computer to guess by just working its way through all the possible combinations, but common passwords like ‘qwerty’ and ‘pa$$word’ are compiled into lists that hackers can use effortlessly, guessing thousands of passwords without breaking a sweat. If you’re using a common or easy-to-remember password, there’s a very good chance it’s on one of those guess-lists.
Back in 2013 I wrote an entry on password strength which urged people to use a password manager. More recently I wrote another one on my personal blog saying the same things all over again. If you haven’t guessed it yet, that’s also what this post is about.
Why am I repeating myself? Because 123456 is still the #1 password out there!!
You might be thinking to yourself, “I’ll never be targeted. I’m not important enough, or well-known enough for someone to bother.” You’re wrong. Computers are amazing things. Imagine thousands, hundreds of thousands of computers with nothing better to do all day than wander around the internet trying combinations of emails and passwords. If they are lucky enough to find a combination that works somewhere, that’s noted and then that combination is tried everywhere — this is the key reason to use a unique password for every online service you use.
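The behaviour described above (automated tries of many email/password pairs, with any hit reused elsewhere) has a recognisable shape in a login log: one source address touching many different accounts with a low success rate. The following is an added example, not code from the original post or from Wave, that flags that pattern over a small constructed log in a hypothetical "timestamp src_ip user result" format; the thresholds and the log format are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real data), in a
# hypothetical "timestamp src_ip user result" format assumed for this example.
SAMPLE_LOG = """\
2016-01-04T10:00:01 203.0.113.7 alice@example.com FAIL
2016-01-04T10:00:02 203.0.113.7 bob@example.com FAIL
2016-01-04T10:00:02 203.0.113.7 carol@example.com FAIL
2016-01-04T10:00:03 203.0.113.7 dave@example.com SUCCESS
2016-01-04T10:00:03 203.0.113.7 erin@example.com FAIL
2016-01-04T10:00:04 203.0.113.7 frank@example.com FAIL
2016-01-04T10:00:30 198.51.100.20 alice@example.com FAIL
2016-01-04T10:00:45 198.51.100.20 alice@example.com SUCCESS
2016-01-04T10:01:00 192.0.2.9 bob@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Yield (timestamp, src_ip, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def detect_credential_stuffing(text, min_distinct_users=5, max_success_ratio=0.5):
    """Flag source addresses that try many *different* accounts and mostly fail.

    A legitimate user who mistypes a password hits one account repeatedly;
    a credential-stuffing bot walks a list of (email, password) pairs, so it
    touches many accounts from one source and fails most of the time.
    Returns {src_ip: {"users": n, "attempts": n, "successes": n}} for flagged sources.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, result in parse_log(text):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "SUCCESS":
            stats["successes"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return flagged


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s['users']} accounts, {s['attempts']} attempts, "
              f"{s['successes']} success(es)")
```

In the constructed sample only 203.0.113.7 is flagged: six accounts, one success. That single success is the account whose owner reused a password that had leaked somewhere else, which is exactly why a unique password per site limits the damage. The user who failed once and then succeeded from 198.51.100.20 looks like an ordinary typo and is left alone.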
Interested in finding out if your email address (and maybe related password) were ever involved in a breach? Check out this site: haveibeenpwned.com (unaffiliated with Wave).
You need a strong, unique password for every site you register with — one that’s tricky to remember. (If you can remember it, there’s a really good chance a computer can guess it.)
For every site? Yes — a different password for each of them. Even sites containing non-sensitive data should be protected, because they are part of your online profile. With enough ‘trivial’ data about you, from a variety of sites, bad actors can begin to put together a reasonable picture of “you”. With those details, and through social engineering, it becomes easier to gain access to bigger, more important sites. Here’s a great example of what I’m talking about: A well-known security researcher had his Paypal account compromised with no “hacking” involved.
Is this scary? Yup. But being scary doesn’t make it untrue. This is the state of things in the world today.
Is it avoidable? You bet! With good password practices.
Enter the world of password management software and services. KeePass, 1Password, LastPass, etc. — a Google search for “password manager” will return loads of results. Read the reviews, check out the features, and pick one that works for you. Make full use of it — generate passwords with lots of complexity (special characters, numbers, mixed case) and plenty of length (I use at least 32 characters). Don’t worry: This doesn’t make it harder for you to log in. Quite the opposite! Once you get used to using these tools, a simple keystroke or button click and you’re logged into your favorite sites. Better passwords AND faster logins. Double win!
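To make the advice above concrete (long, random, mixed-character passwords that are not on any common-password list, as in the short-and-common examples earlier in the post), here is an added example, not code from the original post or from any of the password managers named. It generates a password from the operating system's cryptographic random source, estimates its entropy, and rejects anything on a small constructed deny-list; the deny-list, the 80-bit minimum and the character-class rules are assumptions for illustration.

```python
import math
import secrets
import string

# Alphabet matching the post's advice: mixed case, digits, special characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini deny-list standing in for the published "top passwords" lists
# (hypothetical; a real check would load a far larger list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "pa$$word", "12345678", "letmein"}


def generate_password(length=32, alphabet=ALPHABET):
    """Generate a password with the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def check_password(password, denylist=COMMON_PASSWORDS, min_bits=80):
    """Return (ok, reason); rejects deny-listed and low-entropy passwords.

    The entropy estimate assumes the password was drawn uniformly from the
    character classes it contains. A human-chosen string is weaker than the
    number suggests, which is why the post recommends letting the manager
    choose it.
    """
    if password.lower() in denylist:
        return False, "on common-password list"
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return False, "empty or unsupported characters"
    bits = entropy_bits(len(password), charset)
    if bits < min_bits:
        return False, f"only {bits:.0f} bits of entropy (need {min_bits})"
    return True, f"{bits:.0f} bits of entropy"


if __name__ == "__main__":
    for candidate in ("123456", "Tr0ub4dor", generate_password(32)):
        ok, reason = check_password(candidate)
        print(f"{'OK ' if ok else 'BAD'} {candidate!r}: {reason}")
```

A 32-character password drawn from all 94 printable ASCII characters carries about 210 bits of entropy, far beyond what exhaustive guessing can cover; a 9-character mixed-case-and-digit password like the well-known "Tr0ub4dor" pattern sits around 54 bits and is rejected, and anything on the deny-list is rejected regardless of length.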
Hopefully you’re already using a password manager and your passwords are amazing. If not, I hope I’ve convinced you. See you again next year, and I bet 123456 is still top of the list, but hopefully not related to any accounts you own.
—Brian Masson, Wave's Information Security Officer