Ever seen that meme with Steve Carell from the TV show “The Office” proclaiming that he changed all his passwords to “incorrect” so that if he forgets his password his computer will remind him that his password is “incorrect”?
And that’s just perfect — if you’re the kind of lovable idiot he portrays. But if you’re serious about protecting your identity and digital life from all kinds of hacking miscreants, it’s not very good advice.
A hacker’s favorite word is “password” because, for all the sophisticated malware and tooling available to them, most break-ins require little more than trying a few of the most common and predictable passwords people choose.
And while you’ve probably heard for years that a reasonably complex eight-character password is more than enough to frustrate intruders, forget that advice too. Against a fast, unsalted password hash, a modern GPU cracking rig tries billions of guesses per second, so even a fully random eight-character password can be exhausted in hours rather than years, and one built from a dictionary word with a few digits tacked on falls in seconds.
So you can understand how easy it must be for hackers to crack obviously dumb password choices like “password123”, “admin” and “letmein”, right? And yet, these are still some of the most popular passwords in use today.
According to SplashData’s list of the most commonly used passwords, a list gleaned from millions of passwords stolen by hackers, the top 10 most commonly used passwords in 2014 were:
But that’s not the worst news. A recent TeleSign study found that on top of really, really poor password choices, users were also doing pretty poorly at managing those passwords:
- 21% of those surveyed said they have been using the same passwords for more than a decade.
- 47% said they’ve been using passwords that they haven’t changed in five years.
- Not surprisingly, 73% say they regularly reuse the same passwords across their online accounts.
- More than half of those surveyed said they use five or fewer passwords for everything.
- And on average, respondents use just six passwords to guard 24 online accounts.
In a separate study in 2013, more than half of the adults surveyed admitted to using the same single password for most of the websites they have accounts with.
Users now face a real problem. Free password cracking tools such as John the Ripper and Cain and Abel claim to test more than six million guesses per second on an ordinary CPU, and GPU-based crackers such as hashcat reach billions per second against fast, unsalted hashes like MD5 and NTLM.
And professional hackers build their own cracking dictionaries, seeded with passwords from earlier breaches and running to 60 million entries or more, then apply mangling rules that bolt on exactly the punctuation and numbers people typically add.
To avoid all the pain, as well as all kinds of risks ranging from identity theft to hackers owning your Facebook or email account, here are some of the key things you should and shouldn’t be doing with your passwords:
- Make all your passwords at least 10 characters long, although 12 is even better.
- Use different passwords for all your important sites and accounts.
- Change a password promptly whenever a site reports a breach or you suspect it has been exposed. Changing passwords on a fixed schedule is less useful than it sounds: people tend to produce predictable variants of the old one, which cracking rules already cover.
- Think about using a pass phrase instead of a password. The pass phrase idea is described below.
- Consider using a good password manager. Keeping every password in one place concentrates risk, but it lets you give each site a long, random password you never have to remember, which beats most other options. Protect the manager itself with a strong master pass phrase and two-factor authentication.
- Don’t use obvious words that are easy to guess or that appear in a dictionary.
- Don’t assume that adding a few numbers to the end of a word will do you any good. It won’t: cracking tools try exactly those variations first.
- Don’t store passwords in a Word or Excel file on your computer.
- Don’t fall for phishing emails claiming to be from your IT department, bank or Facebook and asking you to confirm your password. No legitimate service asks for that.
- Don’t forget about malware. Today’s malware can easily infect your computer or phone and capture your passwords as you type them.
So what is this pass phrase thingy of which we spoke? A pass phrase is a line or statement about you that’s easy for you to remember but almost impossible for a hacker to crack or guess.
Take the simple phrase “I got married in Hellhole Palms, California on August 25th 1990.”
Now take the first letter of each word, keeping the date pieces (25th and 1990) whole, and string them together: IgmiHPCoA25th1990. That’s a 17-character password with upper case, lower case and numbers that’s easy for you to remember and will not appear in any cracking dictionary. One caveat: pick a statement that isn’t discoverable. A wedding date and place are often posted on social media or sit in public records, so prefer a detail only you would know.
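To make the two points above concrete (that word-plus-digits passwords fall to cheap dictionary-and-rules cracking, and that the pass phrase recipe produces something those rules never reach), here is an added example that is not part of the original article. It implements a toy cracker in Python: a constructed eleven-word “breach wordlist” stands in for the multi-million-entry dictionaries described earlier, a mangling rule appends up to four digits in the usual capitalisations, and the attack runs against unsalted SHA-256 digests of some constructed victim passwords. It also turns the pass phrase into the article’s 17-character password and estimates worst-case search time for random passwords; the guess rate of 10^11 per second is an assumed order-of-magnitude figure for a GPU rig against a fast hash, not a measurement.

```python
import hashlib
import itertools

# Constructed stand-in for a breach-derived wordlist; real lists run to
# millions of entries (assumption: this handful is enough to show the idea).
WORDLIST = ["password", "123456", "qwerty", "letmein", "admin", "welcome",
            "summer", "monkey", "dragon", "football", "hellhole"]

# Assumed guess rate for a GPU rig attacking a fast, unsalted hash such as
# NTLM or MD5; real figures vary by hardware and hash, so treat this as an
# order of magnitude, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e11


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 digest, the kind of weak storage a leak hands an attacker."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield candidates from one base word the way cracking rules do:
    the word as-is, Capitalised and UPPER, each followed by 0 to 4 digits.
    This is exactly the 'add some numbers on the end' habit."""
    for base in dict.fromkeys([word, word.capitalize(), word.upper()]):
        yield base
        for n in range(1, 5):
            for digits in itertools.product("0123456789", repeat=n):
                yield base + "".join(digits)


def crack(target_hashes, wordlist=WORDLIST, budget=1_000_000):
    """Dictionary-plus-rules attack on a set of unsalted SHA-256 hex digests.
    Returns ({digest: (plaintext, guess_number)}, total_guesses)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = (candidate, guesses)
                remaining.remove(digest)
                if not remaining:
                    return found, guesses
            if guesses >= budget:
                return found, guesses
    return found, guesses


def passphrase_to_password(phrase: str) -> str:
    """The article's recipe: first letter of each word, with any token that
    starts with a digit (25th, 1990) kept whole. Surrounding punctuation dropped."""
    parts = []
    for token in phrase.split():
        token = token.strip(".,;:!?\"'")
        if not token:
            continue
        parts.append(token if token[0].isdigit() else token[0])
    return "".join(parts)


def seconds_to_exhaust(length: int, alphabet_size: int = 95,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case for a truly random password over the 95 printable ASCII
    characters; a word-based password is found far sooner by mangle()."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    phrase = "I got married in Hellhole Palms, California on August 25th 1990."
    strong = passphrase_to_password(phrase)
    # Constructed victims: three typical picks plus the pass-phrase-derived one.
    victims = ["password123", "Summer2014", "letmein", strong]
    targets = {sha256_hex(p): p for p in victims}
    found, guesses = crack(targets)
    for digest, plaintext in targets.items():
        if digest in found:
            print(f"cracked {plaintext!r} after {found[digest][1]} guesses")
        else:
            print(f"{plaintext!r} survived all {guesses} guesses")
    for n in (8, 10, 12):
        print(f"{n} random chars: ~{seconds_to_exhaust(n) / 86400:.1f} days "
              f"at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Run it and the three word-based passwords are recovered within a few hundred thousand guesses (password123 falls at guess 235), while IgmiHPCoA25th1990 survives the whole wordlist because no rule derives it from a dictionary word. The time estimates show the gap the article is pointing at: at the assumed rate an eight-character random password is exhausted in under a day, twelve characters takes on the order of 10^12 seconds. Real crackers use far larger lists and richer rules, and salted slow hashes such as bcrypt cut the guess rate by many orders of magnitude, so the numbers are illustrative only.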
You can even write it down, maybe in something like a diary. What are the chances that a hacker will break into your home, stumble across that statement, and realize it’s the secret code generator for a password?
And yes, Hellhole Palms is a real place.