With high-profile hacks and data breaches making the news every week, a lot of us are rethinking our own security, at work and at home. How difficult would it be for a hacker to guess your password?
Nowadays, cyber criminals don’t even have to guess by hand. Against a live login page they are limited only by the site’s rate limiting, and once a site’s password database has been stolen, off-the-shelf cracking software running on ordinary graphics cards tries anywhere from hundreds of thousands to billions of guesses a second, depending on how the passwords were stored. What you might have thought was a super-clever and unbreakable password ten years ago could get cracked in a fraction of a second.
What Are the Worst Passwords?
Of course, even password-cracking apps need to follow some kind of method. So the first passwords they are going to try are those that are known to be common. Did you know that 123456, the most common password, accounts for 0.6% of all passwords? That may not seem like much, but it means that an attacker who simply tries 123456 against a couple of hundred accounts can expect to get into one or two of them, without any special tools at all.
(Editor’s note: Don’t use 123456 as a password.)
Here are the top ten most common (and bad) passwords:
Together, the above passwords account for about 1.6% of all passwords. If you don’t use any of them, give yourself a pat on the back. When you’re done, consider that any password ranking in the top 100,000 can be guessed by cracking software in one second or less. So, instead of listing the rest of the top million, let’s talk about what not to do when creating a password.
What Goes Into a Bad Password?
Whenever you need to remember something, it’s easier if it has some meaning to you, or if it follows some kind of pattern. Most of us create passwords that mean something to us: our kids’ names and birthdays, our favourite athlete, actor, movie or TV program. Personal information about your family is not safe either. First names and dates are in every cracking wordlist, and a hacker targeting you specifically can research them from social media, so a password like that only resists an attacker who has never heard of you. The name of your favourite basketball player and their jersey number is easier still, especially if the player is a star who plays for your local team. Likewise, a reference to a popular TV series like Game of Thrones or Grey’s Anatomy will probably get cracked in a millisecond.
Passwords based on patterns are very common, and easily guessed. Something like 1010101 is incredibly easy. So are abc123 and aeiou. Those are obvious alpha-numeric patterns. Other pattern-based passwords include things like qwerty and 1234qwer that rely on the placement of keys on a standard keyboard. You may think you’ve got the hackers beat because you use the password zaq1xsw2, but any vertical, horizontal or diagonal line along your keyboard is going to be near the top of the list of passwords tried by hackers, because cracking tools generate every such “keyboard walk” automatically. They know how your mind works.
OK, So What Makes a Good Password?
That’s the big question, isn’t it? Almost anything you would naturally think of would include words from the dictionary, dates and names. None of these is strong on its own, but there are ways to combine them that make your password more secure. Here are a few common guidelines:
- More characters are better. A minimum of 12 is recommended, and length does more for you than any other single rule.
- Combine upper and lower-case letters, numbers and special characters.
- Try to avoid patterns. By the way, words and names are patterns.
- If you use words or names, try to break them up. Jeremy123 is pretty easy to guess, because “name plus a few digits” is one of the first rules a cracker applies. Jer1em2y3 defeats that simple rule, though it is still too short, and a long phrase beats it comfortably.
- Do some strategic switching. TheHorseIsBrown is fairly easy to crack because every piece of it is a dictionary word. TheBorseIsHrown is considerably harder to guess, since the swapped letters take it out of the wordlists, but it stays easy for you to remember.
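To make the guidelines above concrete, here is a small checker that applies them mechanically: it flags entries from a (constructed, very short) common-password list, passwords under 12 characters, too few character classes, keyboard walks such as qwerty and zaq1xsw2, sequences and repetitions such as abc, 123 and 1010, and the “name followed by digits” shape. This is an added example written for this page, not a tool the article recommends; the thresholds and the toy word list are assumptions, and a real deployment would load a full breach-derived list instead.

```python
"""Password-hygiene checker applying the guidelines above (added example)."""
import re

# Constructed sample of top breach-list entries. Production code would load a
# full breach-derived list (millions of entries) instead of this toy set.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "qwerty",
    "abc123", "111111", "1234567", "iloveyou", "aeiou", "1234qwer", "1010101",
}

# US QWERTY layout: the rows, plus the columns used for "vertical" walks
# (zaq1 is the 1qaz column typed bottom-to-top).
KEYBOARD_LINES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p",
]
# Add every line reversed so right-to-left / bottom-to-top walks also match.
KEYBOARD_LINES += [line[::-1] for line in KEYBOARD_LINES]

MIN_LENGTH = 12       # the article's recommended minimum (assumed threshold)
MIN_CLASSES = 3       # of lower, upper, digit, symbol (assumed threshold)
WALK_WINDOW = 4       # 4 adjacent keys along one line counts as a walk
SEQUENCE_WINDOW = 3   # 3 chars stepping by +1/-1 or repeating counts as a sequence

# A run of letters, 1-4 digits, optionally a symbol or two: Jeremy123, Summer2023!
NAME_DIGITS = re.compile(r"^[A-Za-z]{3,}\d{1,4}[^A-Za-z0-9]{0,2}$")


def has_keyboard_walk(pw: str) -> bool:
    """True if any WALK_WINDOW-length slice lies along a keyboard row/column."""
    low = pw.lower()
    return any(
        low[i:i + WALK_WINDOW] in line
        for i in range(len(low) - WALK_WINDOW + 1)
        for line in KEYBOARD_LINES
    )


def has_sequence(pw: str) -> bool:
    """True for runs like abc / 321 / aaa, or period-2 repeats like 1010."""
    for i in range(len(pw) - SEQUENCE_WINDOW + 1):
        a, b, c = (ord(ch) for ch in pw[i:i + SEQUENCE_WINDOW])
        if (b - a) == (c - b) and abs(b - a) <= 1:
            return True
    for i in range(len(pw) - 3):
        if pw[i] == pw[i + 2] and pw[i + 1] == pw[i + 3] and pw[i] != pw[i + 1]:
            return True
    return False


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw: str) -> list[str]:
    """Return a list of findings; an empty list means no rule was tripped."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("in the common-password list: cracked instantly")
    if len(pw) < MIN_LENGTH:
        findings.append(f"only {len(pw)} characters; use at least {MIN_LENGTH}")
    classes = character_classes(pw)
    if classes < MIN_CLASSES:
        findings.append(f"uses {classes} of 4 character classes (lower, upper, digit, symbol)")
    if has_keyboard_walk(pw):
        findings.append("contains a keyboard walk (qwerty / zaq1xsw2 style)")
    if has_sequence(pw):
        findings.append("contains a sequence or repetition (abc, 123, 1010)")
    if NAME_DIGITS.match(pw):
        findings.append("a word or name followed by digits: a standard cracking rule")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "zaq1xsw2", "Jeremy123", "Jer1em2y3",
                      "TheBorseIsHrown", "TheBorse!sHrown42"]:
        print(f"{candidate!r}: {check_password(candidate) or 'no findings'}")
```

Note what the checker says about the article’s own examples: Jer1em2y3 passes every pattern rule but is still flagged for length, and TheBorseIsHrown is flagged only for using two character classes. A clean result does not prove a password is strong (the checker knows nothing about your dog’s name), but any finding is a reason to pick something else.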
Even if you’re able to come up with a secure password, the challenge is to have different secure passwords for each of your accounts. If hackers figure out your email password, that’s one thing, but if that same password is what you use to log on at work and for online banking, now you have a much larger problem.
Password manager apps are available that generate, store and encrypt all your passwords for you, so you only have to remember one strong master password. Your devices also have built-in password managers (e.g. Apple’s iCloud Keychain, Google Password Manager) which will create, store and protect a different complex password for each account, and your internet browser will often ask “do you want to save this password?”
These tools are definitely worth using if they come from a reputable source. The one thing to avoid is letting a browser save your passwords on a shared or public device, where the next person to sit down can use them.
In addition to creating different complex passwords for your most important log-ins, the use of multi-factor authentication is really important. Often called “Two-Factor Authentication”, this forces any potential hacker to prove possession of something else you have, e.g. a code sent by text message to your cellphone or generated by an authenticator app, to confirm that you truly intended to access your account from a specific device. Without that code, your name and password alone will not be enough for a hacker to get in, and the account may be locked for your security. Text-message codes are the weakest form, since phone numbers can be hijacked, so where a service offers an authenticator app or a hardware security key, choose that instead. The majority of online providers, e.g. Amazon, Apple, Facebook, financial institutions etc., will strongly recommend, if not insist, that you switch on this feature, and we couldn’t agree more.
Any final advice?
Yes! Change a password promptly whenever there is a reason to: a service you use announces a breach, you see a log-in you don’t recognise, or you’ve typed it on a device you don’t trust. Sophisticated hackers will take their time to build a profile of you without your knowledge and might enter your accounts multiple times before you notice. Changing passwords on a fixed schedule (the traditional advice was every 90 days) is less useful than it sounds, because people respond by making small predictable edits that crackers try first, and current guidance such as NIST SP 800-63B no longer recommends routine rotation for its own sake; a long, unique password plus two-factor authentication does far more for you.
Don’t leave the front door open! The industry is doing its best to keep its customers safe while browsing, so follow their advice.