Until biometric data becomes the standard method of personal identification, the use of passwords looks set to continue. User-generated security tokens have been a mainstay of the internet ever since the World Wide Web ushered in ecommerce websites and secure message boards. And to the enduring delight of fraudsters and cybercriminals, our imaginations haven’t kept pace with the evolution of online services.
It’s commonly assumed that ‘password’ is the most widely-used password. In fact, it only came fourth in a recent list published by the UK’s National Cyber Security Centre. Based on examining breached customer accounts around the world, they concluded ‘123456’, ‘12345678’ and ‘qwerty’ had become the three most popular strings for securing files, websites, and hardware. The rest of the NCSC’s top ten made equally dismal reading, featuring ‘password1’, ‘12345’, and ‘abc123’. Perhaps most shocking of all was how frequently these terms were used; ‘123456’ was associated with over 23 million hacked accounts.
In danger of defaulting
The popularity of these terms isn’t purely down to a lack of imagination among consumers. Commonly used character strings are often set as convenient default passwords when registering financial accounts, constructing an intranet or setting up a website’s CMS. Sadly, few people then bother replacing those default passwords, exposing personal information to a high risk of being compromised. Modern brute force password-cracking algorithms attempt thousands of different strings per second, so it wouldn’t take them long to break the most obvious ones.
Once a criminal is able to access one user account, it’s easier to penetrate others – either by retrying the password that just worked, or by using one compromised account to log into others. Default passwords crop up in places you might not expect, such as cloud-hosted portals for today’s legion of IoT devices. These generally connect to the internet through domestic broadband routers, which themselves represent a source of weakness. Replacing the default password on a wifi connection is uncommon, but replacing the router’s admin password (usually ‘admin’) is truly rare. Yet if someone hacks into the router, they can spy on every incoming or outgoing data packet, introduce malware, or browse through personal documents.
Replacing default passwords
Given the havoc caused by identity theft and financial fraud, replacing default passwords is essential. These are our tips for choosing a password even brute force algorithms would struggle to crack:
#1. Add extra characters.
A few years ago, it was calculated that an eight-character password would take a computer running an Intel Core i5 processor five hours to crack. Adding a ninth character took the processing time up to five days, while a tenth character required four months to crack. Few criminals would persevere that long.
#2. Mix letters and numbers.
The ideal password contains a blend of alphanumeric characters and symbols. With ten digits, 26 letters, and a variable number of symbols to play with, it’s possible to construct a password even a quantum computer might struggle to crack. Don’t forget to include upper and lowercase letters as well.
#3. Avoid obvious themes.
That NCSC report listed ‘blink182’, ‘superman’, and ‘cowboys1’ as common American passwords. A comic-loving, Dallas-based rock fan might be surprised how easily someone could guess their password simply by browsing publicly visible online profiles and social media posts.
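To make tips #1 to #3 concrete, here is an added example (not code from the original post) that checks a candidate password against the three tips: it rejects the common strings quoted from the NCSC list above, works out how many character classes are in use, and computes the brute-force search space as (alphabet size) to the power of (length). The blocklist is constructed from the strings cited in this post, the 10-character minimum and three-class minimum are the thresholds this example assumes, and the guess rate of 10,000 attempts per second is an assumed figure rather than the post’s Intel Core i5 measurements.

```python
import string

# Constructed blocklist: the common strings this post quotes from the NCSC list.
# In practice a checker would load a far larger breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "12345678", "qwerty", "password", "password1",
    "12345", "abc123", "blink182", "superman", "cowboys1",
}

# Character classes a password can draw on, with their ASCII alphabets.
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32 printable ASCII symbols
}

# Assumed thresholds for this example (tip #1 and tip #2).
MIN_LENGTH = 10
MIN_CLASSES = 3


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARSETS.items()
            if any(c in chars for c in password)}


def keyspace(password):
    """Number of strings a brute-force search over the classes the password uses,
    at the password's length, must try in the worst case: alphabet ** length."""
    alphabet = sum(len(CHARSETS[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second


def assess(password, guesses_per_second=1e4):
    """Apply the post's three tips and report the brute-force figures.

    A password found in the blocklist is reported as weak regardless of its
    keyspace: an attacker tries dictionary strings first, so the exponent
    arithmetic only matters once the obvious candidates are ruled out.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common or default password")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    return {
        "length": len(password),
        "classes": sorted(used),
        "keyspace": keyspace(password),
        "days_to_exhaust": seconds_to_exhaust(password, guesses_per_second) / 86400,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample inputs: two strings from the post plus one mixed-class one.
    for candidate in ("123456", "superman", "MyPa55w0rd"):
        report = assess(candidate)
        print(candidate, report["classes"], report["keyspace"],
              "%.1f days" % report["days_to_exhaust"], report["problems"])
```

Running the block shows the effect of tip #1 directly: appending one character to a password that already uses lowercase, uppercase and digits multiplies the search space by 62, because each extra position is another factor of the alphabet size, while the blocklist check catches ‘superman’ even though its keyspace of 26 to the power of 8 looks respectable on paper.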
#4. Make an offline list.
Given the hundreds of websites, interfaces, and portals requiring passwords, it’s impractical to remember so many unique character strings. Instead, make a list in a notepad, as a backup. Add personal reminders to bookmark bars – ‘MyPa55w0rd’ could be stored as ‘MyP numbers’, for example.
#5. Use a password manager.
Password managers help you keep track of your passwords so you can avoid clicking the dreaded ‘Forgot my password’ link. They also typically include password generator tools that add variety and additional security to your most important passwords, such as those for banking or other at-risk accounts.