A list of the most common passwords of 2017 shows little change from lists that came before it. According to the findings, “123456” topped the ranking, followed by “password,” “qwerty” and “12345.” A similar list compiled by Keeper Security the previous year found that nearly 17% of users safeguard their accounts with “123456.”
Hopefully, your own password security practices are more rigorous than these, but even conscientious computer users can make mistakes that leave them open to compromise. The risk isn’t that criminals are going to repeatedly visit a single website to crack into your account — most sites that house sensitive information cut off repeated access attempts, anyway. The bigger problem is when hackers download a user database and then methodically churn through login and password combinations to crack as many as they can. The dictionary-based and brute-force software they use is so good that experts say attackers can usually unlock more than half of the accounts in just a day or two.
Even the most security-minded people make some basic mistakes that leave them vulnerable. Here are three common mistakes you should stop making right away.
1. Don’t use the same password for multiple sites. More than 80% of internet users do this, according to Keeper Security, for obvious reasons of convenience. It’s not a serious problem for sites that don’t store personally identifiable information, financial or health care records — but you should never use similar passwords to safeguard sensitive information. Once criminals associate a decoded password with a username, they can use bots to visit hundreds of financial, government and health care websites to test those same credentials. If you slipped up and used the same password for online banking as you did for a free news site, you could be at their mercy.
2. Don’t use easily guessed substitutions. Many websites set rules for password security, such as requiring a certain length, a combination of upper and lower-case characters and special symbols. It’s possible to satisfy these rules with simple substitutions, such as “P@$$w0rd,” but you should avoid this temptation. Password cracking software is designed to test for these common swaps first, making your clever tactic a simple nuisance. A better technique is to use substitutions that aren’t obvious, such as “>” for the letter “a.”
3. Don’t base passwords on personal information. Avoid using your own name, names of family members, birth dates, street addresses, towns and even pet names in passwords. Attackers harvest this information from social networks and feed it into their cracking tools to generate likely password combinations.
So, what should you do? The best password security practice is to choose strings that are at least nine characters long and composed of random letters, numbers and symbols, such as “FH9y5*n0W.” There are many free websites — such as this one — that generate passwords for you using the criteria you specify. There are also many free password managers that store all your passwords in a secure vault so that you only have to remember one.
The National Institute of Standards and Technology’s recently updated digital identity guidelines also suggest using long, random word sequences for password security, such as “foamtortoisewisesocialseatlesson.” Some people find such strings easier to remember. Whatever tactics you use, the longer the password you create, the more difficult you make the job for the attacker.