Unique Passwords and Where to Find Them
This year, the number sequence "123456" was again the most common password among English-speaking users on the internet. Passwords such as "abc123", "password1" and the classic "iloveyou" are just as bad: they sit at the top of every attacker's word list, so guessing them takes less than a second.
| Rank | Occurrences in breaches | Password | Time to Guess |
|---|---|---|---|
| 1 | 24,230,577 | 123456 | Less than a second |
| 2 | 8,012,567 | 123456789 | Less than a second |
| 3 | 3,993,346 | qwerty | Less than a second |
| 4 | 3,861,493 | password | Less than a second |
| 5 | 3,184,337 | 111111 | Less than a second |
| ... | ... | ... | ... |
| 20 | 994,142 | dragon | Less than a second |
| 53 | 496,596 | princess | Less than a second |
| 80 | 350,158 | superman | Less than a second |
| 86 | 331,610 | baseball | Less than a second |
This list of the most common passwords was compiled by Troy Hunt, who runs the Have I Been Pwned service (https://haveibeenpwned.com/). It is based on the "Pwned Passwords" list (Version 7, November 19, 2020). The count given for each password is the number of times it appeared in the breached data sets that list aggregates, not a count of distinct users. A password this common is among an attacker's very first guesses, which is why the time to guess is under a second no matter how well the service stores its passwords.
Why is My Account at Risk?
Attackers do not guess at random. They work through dictionaries of common words, names and phrases and, above all, through lists of passwords exposed in earlier breaches, trying each entry against your online account or network. "iloveyou" shows that joining two or three short, predictable words does not help: every such combination is already in those lists. Avoid single dictionary words and well-known phrases altogether. Use a long passphrase made of several words instead, such as "ILoveChocolate20IceCream" (24 characters), and the less the words have to do with each other, the better.
Password reuse is the other big threat. Once an attacker has one of your e-mail and password combinations, typically from a breach of some other site, they try that same combination on every other service you might use (this is called credential stuffing). In most cases they will also try small modifications of the password (appending a digit, changing a word, adding a symbol). With a unique password for each service, a breach at one site costs you that one account and nothing else.
How to Deal with All Those Passwords?
A password manager makes this much easier: remembering passwords is no longer your problem. It suggests a unique, random password whenever you create a new account and stores it in an encrypted vault. Most modern web browsers (Chrome, Firefox, or Safari) already include a password manager and synchronise your credentials across all your devices. If you are willing to spend some money, third-party password managers such as 1Password or LastPass offer more advanced features. Whichever you choose, the vault is only as safe as the master password that unlocks it, so that one password must be long and unique, and the manager account itself deserves two-factor authentication.
What Does It Take to Have Strong Passwords?
In order to create a secure password, use the following guidelines [1,2,3]:
● Long passwords (> 15 characters)
● Do not reuse the same or similar passwords
● Use a password manager to create and store your passwords
● Change your password in case of a security incident (and only then; NIST no longer recommends forcing regular password changes [3])
● Enable two-factor authentication for important accounts (e-mail, banking)
We also recommend subscribing to Have I Been Pwned, a trusted service that notifies you automatically when your e-mail address turns up in a newly published data breach, so that you know which password to change:
https://haveibeenpwned.com/NotifyMe
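As an added example, not code from the article or its authors, the following Python script turns the attack described under "Why is My Account at Risk?" and the guidelines above into a checker. It undoes the small modifications attackers try (appended digits or symbols, capitalisation, leetspeak) to see whether a candidate password is just a dressed-up entry from a breach list, flags a new password that is only a small change of an old one, enforces the length rule, and shows the hashing step used to look a password up in the Pwned Passwords list without sending the password itself (the real range API takes the first five hex digits of the SHA-1 hash and returns matching 35-digit suffixes with counts). The breached list, the set of mangling rules and the range response are constructed for the example; no network request is made.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample of a breached-password list. The real Pwned Passwords
# corpus has hundreds of millions of entries; these are the ones named above.
BREACHED = {
    "123456", "123456789", "qwerty", "password", "111111", "dragon",
    "princess", "superman", "baseball", "iloveyou", "abc123", "password1",
}

# Reverse map for the cheap leetspeak substitutions attackers try
# (an illustrative subset, not a complete rule set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(password: str) -> set[str]:
    """Undo the small modifications an attacker applies to a dictionary word
    (append a digit, add a symbol, capitalise, leetspeak) and return every
    plausible base word the password could have been built from."""
    lowered = password.lower()                                   # "Dragon" -> "dragon"
    bases = {lowered}
    bases.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered))         # "dragon2021!" -> "dragon"
    bases.update(b.translate(LEET) for b in list(bases))         # "p@ssw0rd" -> "password"
    bases.update(re.sub(r"[^a-z]", "", b) for b in list(bases))  # "pass123word" -> "password"
    return {b for b in bases if len(b) >= 3}


def is_guessable(password: str, breached: set[str]) -> bool:
    """True if the password, or a base word it was derived from, is in the
    breached list, i.e. a dictionary attack with mangling rules would find it."""
    return any(b in breached for b in candidate_bases(password))


def is_reuse(new: str, old: str) -> bool:
    """True if 'new' is the same as, or only a small modification of, 'old':
    exactly what an attacker tries next after one stolen combination works."""
    return bool(candidate_bases(new) & candidate_bases(old))


def check_password(password: str, breached: set[str],
                   previous: tuple[str, ...] = ()) -> list[str]:
    """Apply the guidelines from the article; returns the violated rules
    (an empty list means the password passes)."""
    problems = []
    if len(password) <= 15:
        problems.append("too short: use more than 15 characters")
    if is_guessable(password, breached):
        problems.append("breached: the password or its base word is in a breach list")
    if any(is_reuse(password, old) for old in previous):
        problems.append("reuse: only a small modification of an earlier password")
    return problems


def hibp_range_parts(password: str) -> tuple[str, str]:
    """Split SHA-1(password) the way the Pwned Passwords range lookup expects:
    only the first five hex digits would be sent; the 35-digit suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Find our suffix in a range response ("SUFFIX:COUNT" per line) and return
    how often that password was seen; 0 means it is not in the list."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to a range query for prefix 5BAA6
# (assumption: no request is made). The first suffix is the real SHA-1 suffix
# of "password"; the count is the figure from the table above.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:1
"""

if __name__ == "__main__":
    for pw in ("Dragon2021!", "P@ssw0rd1", "ILoveChocolate20IceCream"):
        print(pw, "->", check_password(pw, BREACHED) or ["ok"])
    print(check_password("ILoveChocolate21IceCream", BREACHED,
                         previous=("ILoveChocolate20IceCream",)))
    prefix, suffix = hibp_range_parts("password")
    print(prefix, count_in_range_response(suffix, SAMPLE_RANGE_RESPONSE))
```

Run it and "Dragon2021!" fails twice (too short, and "dragon" is No. 20 on the list), "P@ssw0rd1" is unmasked as "password", the 24-character passphrase passes, and "ILoveChocolate21IceCream" is rejected as a small modification of the earlier passphrase. The final lines show that a real lookup would transmit only "5BAA6" and still learn that "password" has been seen millions of times.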
Forget the Dragon
Password reuse is one of the biggest threats, so be wise and do not share a password across accounts. When creating a unique password, make it long; length is what makes it strong. A password manager can generate such passwords for you and, even better, will remember all of them. For your important accounts, enable two-factor authentication. Please be smart and do not trust your precious accounts to an old-fashioned dragon, which is, by the way, No. 20 on the most common password list.
About the authors
David Mödl knows your password.
Nicolas Kremmin studies information security to make the internet a safer place.
Felix Golla never has to ask for your Wi-Fi password.
References
[1] CMU - Information Security Office: How to Create Strong Passwords
www.cmu.edu/iso/aware/lockdown-your-login/strong-passwords.html
[2] CMU - Finally: A Usable and Secure Password Policy Backed by Science
www.cylab.cmu.edu/news/2020/10/20-passwordpolicy.html
[3] NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management: 5.1.1.2 Memorized Secret Verifiers
pages.nist.gov/800-63-3/sp800-63b.html
[4] FHWS - Strong Password Hints and Tips (German only)
itsc.fhws.de/das-itsc/it-sicherheit/
[5] FHWS - Guidelines for Information Security
informationssicherheit.fhws.de/informationssicherheit/guidelines-english/