A new year is upon us, and millions of us are still using absolutely awful passwords. It doesn’t have to be that way. You’re going to make this year the year of excellent passwords and we’re going to show you how.
Do we know that you, personally, have terrible passwords? No. You might be one of the rare people that understands the importance of good password hygiene and actually implements a system to achieve that end (good for you). Do we know that the general population of people, in aggregate, use terrible passwords? Yes, yes we do.
How do we know this? Because there are companies that collect all the password dumps from all the data breaches that (rather unfortunately) occur each year and analyze the passwords. These password dumps usually include anywhere from hundreds of thousands to millions of passwords, and it is really easy to get a broad picture of the kind of passwords people are using (and how seriously, or not, they take password security).
One particular company, SplashData (makers of the SplashData personal password manager and the TeamID enterprise password management system), has been compiling and releasing lists of the most common passwords people use since 2011. Here are the lists from 2011, 2012, 2013, 2014, and 2015. While you could go review all the lists yourself, we’ve taken the liberty of posting up the top ten from each year side-by-side for you:
That’s right: the most popular passwords for the past five years are “password” and “123456”. None of the entries on this list are even attempts at good passwords; they’re just pure laziness. Worse yet, there is very little change over time. (Though it is interesting that dragons have overtaken monkeys over the course of five years.)
Given how many high profile data breaches there have been since 2011, you would think that you’d see at least a marginal creep towards better passwords. But clearly millions of people are still using passwords so trivial you don’t even need advanced tools to crack them; you could just guess them like you’re an overly-clever hacker in a poorly written ’90s TV show.
You might be looking at the lists and patting yourself on the back because you don’t use such absurdly simple passwords, but are your passwords truly better? Let’s review what makes for a good password before anyone starts congratulating themselves too heartily.
The rules for good password hygiene aren’t complicated, and they don’t change much over time. Nonetheless, very few people actually follow them faithfully. Here’s what makes a good password:
Length. Good passwords are long. As a general rule, the longer a password is, the more difficult it is to crack using brute force and dictionary methods (and it’s certainly harder to guess). You should always strive to overshoot the minimum password length. If the site says you need a password that is a minimum of six characters, make it longer.
Complexity. As a general rule, you should avoid simple words. Avoid dictionary words, place names, and proper nouns. Your middle name, your dog’s name, the name of a state, or a popular musician are all terrible password components, as they are likely already in the word lists and tables password crackers use. If you do use words like “dog”, “house”, or “blue” in your password, you should use at least four of them in the same password, and combine them in a way that makes the result harder to brute-force, like “MyDog$House!sBlue”.
Uniqueness. This is the big one, and the one most people trip up on. More important than simply having a good password is having a different password for every site you visit. You can have the best password in the world, a password so fantastic that it would take a supercomputer decades to crack, but if a company’s entire system is compromised and the attackers recover it, they now know it, and they have access to every account you use it on.
We can’t emphasize this part enough. If you use the same password on multiple sites and one of those sites is compromised, a ne’er-do-well can log into any of those sites as you. If you’ve used the same password on multiple sites and that password is also the password you use for your email address, you’re in for a world of hurt. Not only can (and most likely will) your personal email be compromised, but attackers can then reset the password on any account you have. At that point you’ve pretty much given the attackers the proverbial keys to your house.
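The three rules above (length, complexity, uniqueness) can be checked mechanically. The following is an added example, not code from the original article: it normalizes a candidate the way a cracker would (“Monkey1” is just “monkey”), checks it against a constructed sample of the breach-derived common-password list the article describes, counts dictionary words, and flags passwords reused across sites in a vault. The 12-character minimum and the word lists are this example’s own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of the breach-derived "worst passwords" list entries the
# article describes: the ones it names plus a few obvious variants.
COMMON_PASSWORDS = {"password", "123456", "monkey", "dragon", "qwerty", "letmein"}
# Constructed stand-in for the word lists password crackers load.
DICTIONARY_WORDS = {"my", "dog", "house", "blue", "monkey", "dragon", "password"}

def normalize(pw: str) -> str:
    """'Monkey1' or 'monkey!' -> 'monkey': crackers try those variants anyway."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())

def dictionary_words_in(pw: str) -> list:
    """Split on case changes, digits and symbols and keep dictionary words:
    'MyDog$House!sBlue' -> ['My', 'Dog', 'House', 'Blue']."""
    parts = re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", pw)
    return [p for p in parts if p.lower() in DICTIONARY_WORDS]

def check_password(pw: str, min_length: int = 12) -> list:
    """Return the rules a password breaks (empty list = passes). The 12-character
    minimum is this example's assumed policy, not a figure from the article."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short: %d chars, policy wants %d" % (len(pw), min_length))
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("base word appears on the common-password list")
    words = dictionary_words_in(pw)
    if words and len(words) < 4:
        problems.append("built from fewer than four dictionary words")
    return problems

def find_reused(vault: dict) -> dict:
    """vault maps site -> password; return {password: [sites]} for every
    password used on more than one site (the uniqueness rule)."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: s for pw, s in by_password.items() if len(s) > 1}

if __name__ == "__main__":
    for candidate in ("monkey1", "MyDog$House!sBlue"):
        print(candidate, "->", check_password(candidate) or "OK")
    # Constructed vault: the email/bank reuse the article warns about.
    print(find_reused({"email": "Monkey1", "bank": "Monkey1", "shop": "MyDog$House!sBlue"}))
```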
Now you’re likely scoffing at the idea that you could keep up with even the basic requirements we outlined above. A long, complex, and unique password for every site you visit? But there are so many sites! How could you possibly keep 100 different passwords all sorted out? This brings us to the next step in your password hygiene makeover: using a password manager.
Once upon a time, you might have had a few passwords to juggle in your brain. You kept track of your computer login at home and at work, maybe Amazon and eBay during the early rise of online shopping, and of course your bank login. With less than a handful of passwords to recall, it’s pretty easy to memorize some strong ones.
Those days, however, are long since gone. The proliferation of online services for everything from bill payment to shopping to product registration and software updates has ensured that even casual users have dozens upon dozens of logins and passwords to keep straight. In some cases it even numbers in the hundreds (I currently have over 300 logins/passwords in my personal collection). There is no way on earth anybody could keep track of hundreds of unique passwords. Heck, I know a few people who only have a couple, and still forget them occasionally. (“Let’s see, was it monkey1? Or was there a capital M in monkey? Ugh, I’ll just reset it again.”)
In this day and age, a good password manager is vital. Password managers make short work of all the problems that plague modern password usage. Using a password manager like LastPass ensures that you can easily create, use, and recall long, strong, and unique passwords for every service you use. In fact, a good password manager will work on your computer and your phone, and will automatically log you into everything without you lifting a finger–so you never have to type a password again. It’s convenient and secure.
Given the number of logins we all need to keep track of, the frequency of data breaches, and the amount of problems that arise from reusing the same passwords (especially for sensitive sites), there is simply no excuse for not using a password manager to generate and store secure passwords. If you’re new to the concept of password managers or you have concerns about using totally cloud-based systems, check out our guide Why You Should Use a Password Manager and How to Get Started.
So you’ve installed a password manager and generated unique, complex passwords for every site you use. You’re a rockstar. But there is a final piece of the password security puzzle you should make a priority in the new year: two-factor authentication.
Two-factor authentication is simple: it merely means that you need two different types of authentication to log into a site. An account with a password has one-factor authentication: you only need the password to gain access. An account with two-factor authentication requires two things: your password, and a 6-digit PIN the company sends to your phone. This makes it much harder for people to hack into your account. Even if your password was released in a breach, they wouldn’t be able to log into your account, because they don’t have your phone.
Two-factor authentication is becoming common with banking web sites, large retailers (like Amazon), and, of course, with security-oriented sites and services like LastPass. If a service you use offers two-factor authentication, there is typically no reason not to take advantage of it. At the very minimum you need to be using two-factor authentication for any service whose compromise (like your bank or your password manager) would create serious hardship or risk of identity theft. Check out our guide to two-factor authentication for more info on how to set it up. It’s one of the best things you can do to keep your accounts safe.
Good password practices aren’t glamorous, but they are very necessary. Don’t let another year go by where you find yourself typing the exact same password for both your email login and your bank while thinking “Man, I really should stop using the same password for everything.” Next year, when yet another round of data breaches yields another laundry list of the worst passwords, you shouldn’t even feel a pang of worry. Because all your passwords will be squared away: long, complex, and unique.
Image credits: Automobile Italia.