Tag Archive for Password strength

Why Are We Still Using Bad Passwords

123456 is the worst password of 2023. Users have chosen 123456 on more than 23 million breached accounts, even though it takes less than a second to crack. NordPass, the sponsor of the paper, claims that the popularity of 123456 has made it the #1 cracked password for 3 of the last 5 years. In 2019, 12345 (the combination from “Spaceballs”) overtook it, and “password” did the same in 2022.

Only 2 of 2023’s top 25 passwords will resist an attacker for more than 10 seconds. The 17th most common password, “admin123”, can withstand cracking attempts for a whole 11 seconds. The most secure password in the top 25, “Pass@123”, can fend off an attack for 5 minutes.

NordPass 25 worst passwords 2019 - 2023

Rank | 2019        | 2020        | 2021        | 2022        | 2023
-----|-------------|-------------|-------------|-------------|-------------
01   | 12345       | 123456      | 123456      | password    | 123456
02   | 123456      | 123456789   | 123456789   | 123456      | admin
03   | 123456789   | picture1    | 12345       | 123456789   | 12345678
04   | test1       | password    | qwerty      | guest       | 123456789
05   | password    | 12345678    | password    | qwerty      | 1234
06   | 12345678    | 111111      | 12345678    | 12345678    | 12345
07   | zinch       | 123123      | 111111      | 111111      | password
08   | g_czechout  | 12345       | 123123      | 12345       | 123
09   | adst        | 1234567890  | 1234567890  | col123456   | Aa12345
10   | qwerty      | senha       | 1234567     | 123123      | 1234567890
11   | 1234567890  | 1234567     | qwerty123   | 1234567     | 1234567
12   | 1234567     | qwerty      | 000000      | 1234        | 123123
13   | Aa123456.   | abc123      | 1q2w3e      | 1234567890  | 111111
14   | iloveyou    | Million2    | aa12345678  | 000000      | Password
15   | 1234        | 000000      | abc123      | 555555      | 12345678910
16   | abc123      | 1234        | password1   | 666666      | 000000
17   | 111111      | iloveyou    | 1234        | 123321      | admin123
18   | 123123      | aaron431    | qwertyuiop  | 654321      | 1111
19   | dubsmash    | password1   | 123321      | 7777777     | P@ssw0rd
20   | test1       | qqww1122    | password123 | 123         | root
21   | princess    | 123         | 1q2w3e4r5t  | D1lakiss    | 654321
22   | qwertyuiop  | ompop       | iloveyou    | 777777      | qwerty
23   | sunshine    | 123321      | 654321      | 110jp110jp  | Pass@123
24   | BvtTest123  | 654321      | 666666      | 1111        | 112233
25   | 11111       | qwertyuiop  | 987654321   | 987654321   | 102030

Source: NordPass

How can I keep my passwords safe?

Your password should have at least 12 characters

A longer password with more characters is better. It gives a hacker more combinations to try. Some sites may require a certain number of characters in your password, but generally, a password with at least 12 characters is a safe bet.

Use numbers, symbols, uppercase and lowercase letters

The more variety you have, the better. Be sure to include numbers, symbols, capital, and lowercase letters. Make everything as random as possible to keep the hackers out. For example, a password like ‘S#w%i&n(g967’ would be much more difficult to crack than ‘swing967.’

Avoid dictionary words

Avoid using any single word as a password. It’s too easy for a hacker to take one lucky guess from a common dictionary, like ‘dog’ or ‘banana.’ Even a password like ‘freeride’, which combines two dictionary words, is too simple.

Don’t use substitutions

Avoid replacing letters with common symbols; it can weaken your password. For example, taking the word ‘lucky’ and writing it as ‘1ucky’ is too obvious, because the 1 and the letter L look too similar and cracking tools try that substitution automatically.

Choose a passkey over a password

Whenever possible, opt for passkeys instead of passwords. Passkeys, which are unique codes tied to your device, offer more security and are less prone to breaches. Companies such as Amazon, Apple, Google, and Microsoft are increasingly supporting passkeys as a safer alternative.
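The five tips above describe a checker in prose: minimum length, character variety, no dictionary words, and no letter-for-symbol substitutions. The following script is an added example written for this page; it is not code from the post or from NordPass. It applies those rules to a candidate password, undoing the common substitutions (0→o, 1→l or i, 3→e, @→a, $→s, and so on) before looking for dictionary words, and it uses the 2023 column of the table above as a constructed stand-in for a breached-password corpus. The tiny DICTIONARY, the substitution table and the 12-character minimum are assumptions for the example; a real deployment would load a full wordlist and a large breach corpus.

```python
import re

# Constructed sample common-password list: the 2023 column of the NordPass
# table on this page. A real checker would load a large breach corpus instead.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "Aa12345", "1234567890", "1234567", "123123", "111111", "Password",
    "12345678910", "000000", "admin123", "1111", "P@ssw0rd", "root", "654321",
    "qwerty", "Pass@123", "112233", "102030",
}
_COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}

# Constructed toy dictionary standing in for a real wordlist (assumption).
DICTIONARY = {
    "lucky", "swing", "dog", "banana", "free", "ride", "detroit",
    "password", "admin", "strawberry", "pass", "root", "love",
}

# Substitutions a cracking rule set undoes. '1' stands for both 'l' and 'i',
# so two normalised readings are produced and both are checked.
_LEET_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
              "@": "a", "$": "s", "!": "i"}
LEET_TABLES = (
    str.maketrans({**_LEET_BASE, "1": "l"}),
    str.maketrans({**_LEET_BASE, "1": "i"}),
)


def undo_substitutions(password):
    """Return every plausible plain-letter reading of the password."""
    lowered = password.lower()
    return {lowered.translate(table) for table in LEET_TABLES}


def dictionary_words_in(password, dictionary=DICTIONARY, min_len=4):
    """Dictionary words hidden in any normalised reading of the password.
    Words shorter than min_len are ignored because they match almost anything."""
    found = set()
    for variant in undo_substitutions(password):
        found.update(w for w in dictionary if len(w) >= min_len and w in variant)
    return sorted(found)


def check_password(password, min_length=12):
    """Apply the page's rules; returns a list of findings, empty if it passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": r"[a-z]", "uppercase": r"[A-Z]",
        "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        findings.append("missing " + ", ".join(missing))
    if password.lower() in _COMMON_LOWER:
        findings.append("appears in the common-password list")
    words = dictionary_words_in(password)
    if words:
        findings.append("contains dictionary word(s) after undoing substitutions: "
                        + ", ".join(words))
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "1ucky", "swing967", "S#w%i&n(g967", "Pass@123"):
        print(f"{candidate!r}: {check_password(candidate) or ['OK']}")
```

Run as written, ‘swing967’ and ‘1ucky’ are rejected for the reasons the post gives, while ‘S#w%i&n(g967’ passes every rule because the symbols are interleaved rather than substituted for letters. Note that this normalisation also flags strings like ‘D3troit!’ that a pure brute-force estimate rates as slow to crack, which is exactly why the post tells readers not to rely on substitutions.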

rb-

We should approach NordPass’ findings with caution because the methodology is unclear; the company is not very transparent about it. The press release said the passwords were “compiled in partnership with independent researchers specializing in researching cybersecurity incidents. They evaluated a 4.3TB database extracted from various publicly available sources…”

There are some suspicious trends in NordPass’s data. English words make up all of the recognizable passwords in the top 25, quite a feat for over 24 billion credentials breached since 2016. Many others are numerical strings or the result of typing nearby keys on a QWERTY keyboard. Despite these issues, the report makes for interesting geek reading.


Ralph Bach has been in IT for a while and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him on Facebook. Email the Bach Seat here.

Creating Strong Passwords is Good For You

You can buy a small padlock for less than a dollar—but you shouldn’t count on it to protect anything of value. A thief could pick a cheap lock without much effort, or break it. Yet, many people use weak passwords. They use them to “lock up” their most valuable assets, such as money and secrets. Fortunately, everyone can learn how to make and manage stronger passwords. It’s an easy way to strengthen security both at work and at home.

What makes passwords ‘Strong’?

We all hate the dreaded “you must change your password” email from IT. It must be at least 12 characters long. It must include numbers, symbols, and upper- and lowercase letters. You think of a word you can remember, capitalize the first letter, add a digit, and end with an exclamation point. The result: Strawberry1!

Unfortunately, hackers have advanced tools that easily defeat passwords based on dictionary words like “strawberry” and on common patterns, such as capitalizing the first letter.

Increasing the complexity, randomness, and length of a password makes it stronger and more resistant to hackers’ tools, as the table below from MyITRisk.com shows. An attacker could guess an eight-character password in 8 seconds, but a 12-character password would take four years to guess.

Password space (characters) | Length (characters) | Defeated in
----------------------------|---------------------|------------------
26 (a-z)                    | 8                   | 0.0077 seconds
52 (a-z, A-Z)               | 8                   | 2 seconds
62 (a-z, A-Z, 0-9)          | 8                   | 8 seconds
26 (a-z)                    | 12                  | 59 minutes
52 (a-z, A-Z)               | 12                  | 168 days
62 (a-z, A-Z, 0-9)          | 12                  | 4 years
26 (a-z)                    | 16                  | 51 years
52 (a-z, A-Z)               | 16                  | 91 years
62 (a-z, A-Z, 0-9)          | 16                  | 55,988.220 years

Source: MyITRisk.com
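The table follows from one formula: the search space is the alphabet size raised to the password length, and the time to exhaust it is that space divided by the attacker’s guessing rate. The script below is an added example for this page, not MyITRisk.com’s calculation; the rate of 2.7e13 guesses per second is an assumption chosen so that the first row (26^8 candidates in 0.0077 seconds) is reproduced, and the 95-character printable-ASCII row is added for comparison. It also reports entropy in bits, which is how password policies usually express the same quantity.

```python
import math

# Assumed attacker speed, chosen so the table's first row (26^8 candidates
# defeated in 0.0077 s) is reproduced; it is not a figure from the page.
GUESSES_PER_SECOND = 2.7e13
SECONDS_PER_YEAR = 365.25 * 86400

CHARSETS = {
    "a-z": 26,
    "a-z, A-Z": 52,
    "a-z, A-Z, 0-9": 62,
    "a-z, A-Z, 0-9, symbols": 95,  # printable ASCII; added for comparison
}


def search_space(alphabet_size, length):
    """Number of candidate strings of exactly this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """log2 of the search space: the usual 'bits of entropy' figure."""
    return length * math.log2(alphabet_size)


def crack_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried (the table's convention).
    An average attacker finds the password after about half that time."""
    return search_space(alphabet_size, length) / rate


def human_duration(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.4f} seconds"


def build_table(lengths=(8, 12, 16), charsets=CHARSETS):
    """Rows of (charset label, length, entropy bits, defeated-in string)."""
    rows = []
    for length in lengths:
        for label, size in charsets.items():
            rows.append((label, length, round(entropy_bits(size, length), 1),
                         human_duration(crack_seconds(size, length))))
    return rows


if __name__ == "__main__":
    print(f"{'space':24} {'len':>3} {'bits':>6}  defeated in")
    for label, length, bits, when in build_table():
        print(f"{label:24} {length:>3} {bits:>6}  {when}")
```

At this rate the script reproduces the 8-, 12- and 26-letter-16 rows to within rounding (for example 167.6 days for 52 characters at length 12 and 51.2 years for 26 characters at length 16). It does not reproduce the “91 years” entry for 52 characters at length 16: 52^16 divided by the same rate is over three million years, so that row does not follow from the rate implied by the rest of the table. The figure to keep in mind is the rate itself; any table of this kind is only as current as the hardware assumption behind it.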


It is also important to pay attention to password complexity and unpredictability: avoid common substitutions (e.g., ‘a’ to ‘@’, ‘s’ to ‘$’).

Why Uniqueness Matters

People reuse passwords for many accounts. This risky behavior opens the door for attackers. A single compromised password, even a strong one, can give an attacker access to valuable accounts. Password reuse can lead to a domino effect of account breaches.

Reusing passwords, even strong ones, can leave accounts exposed to attacks.

Here’s a real-life example

Ten years ago, Daisy joined an online gardening forum. She also created an online payment account and used the same password. She soon forgot about the gardening forum. But, someone accessed her payments account years later and stole a lot of money.

Daisy didn’t know someone had hacked the gardening forum. The hackers leaked users’ logins online. An attacker likely tried reusing Daisy’s leaked password on popular sites. Eventually, the attacker got lucky.

Guarding your passwords

  1. Don’t write them down. Many write passwords on post-it notes and leave them in plain sight. Even if you hide your password, someone could still find it. Similarly, don’t store your login information in a file on your computer, even if you encrypt that file.
  2. Don’t share passwords – You can’t be sure someone else will keep your credentials safe. While at work, you may have to take responsibility for anything that occurs when someone is logged in as you.
  3. Don’t save login details in your browser. Some browsers store this info in unsafe ways. Another person could access your accounts if they get your device.

Tips for keeping passwords secure

Consider sharing these password tips with family and friends.

  1. Never reuse passwords – Create a unique, strong password for each account or device. This way, a single hacked account doesn’t endanger other accounts.
  2. Create long, complex passwords. Don’t use passwords based on dictionary words, pets’ names, or personal information. Attackers can guess them.
  3. Use a password manager. These tools can store and manage your passwords. They can also generate strong new passwords. Some can also notify you when a password might be compromised.
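Daisy’s story and the password-manager tip describe two checks a manager can run over a vault: find the same password used on more than one account, and find passwords that already appear in a breach corpus. The script below is an added example for this page, not the code of any password manager. The vault entries and the breach corpus are constructed; the breach check is modelled on the k-anonymity range-query pattern used by public breached-password services, where the client sends only the first five hex digits of a SHA-1 hash and compares the returned suffixes locally, so the service never sees the password itself. Here that server side is simulated by range_query() against the constructed corpus.

```python
import hashlib
from collections import defaultdict

# Constructed password-manager vault mirroring the Daisy story above
# (no real credentials).
VAULT = [
    {"site": "gardening-forum.example", "user": "daisy", "password": "Tulip$2014Beds"},
    {"site": "payments.example",        "user": "daisy", "password": "Tulip$2014Beds"},
    {"site": "mail.example",            "user": "daisy", "password": "r7!Qz#mP2vLw9&Ke"},
    {"site": "shop.example",            "user": "daisy", "password": "password"},
]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: hashes of the passwords leaked from the forum,
# plus a common one. Stands in for a public breached-password data set.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Tulip$2014Beds", "password", "123456")}


def range_query(prefix, corpus=BREACHED_SHA1):
    """Simulated server side of a k-anonymity lookup: given the first five hex
    digits of a hash, return every matching suffix in the corpus. The server
    learns only the prefix, never the password or its full hash."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password, corpus=BREACHED_SHA1):
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], corpus)


def account_label(entry):
    return f'{entry["user"]}@{entry["site"]}'


def find_reused(vault=VAULT):
    """Group entries by a hash of the password so the report never carries
    plaintext; return every group shared by more than one account."""
    groups = defaultdict(list)
    for entry in vault:
        key = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
        groups[key].append(account_label(entry))
    return [sorted(accounts) for accounts in groups.values() if len(accounts) > 1]


def audit(vault=VAULT, corpus=BREACHED_SHA1):
    """Return (kind, detail) findings: reused-password groups and accounts
    whose password appears in the breach corpus."""
    report = [("reused", group) for group in find_reused(vault)]
    report += [("breached", account_label(e))
               for e in vault if is_breached(e["password"], corpus)]
    return report


if __name__ == "__main__":
    for kind, detail in audit():
        print(f"{kind:9} {detail}")
```

The audit reports the forum and payments accounts as a reused pair and, because the forum leak put that password in the corpus, flags the payments account as breached even though nobody attacked the payments site directly. That is the domino effect from the story, surfaced before the attacker gets lucky.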

rb-

A strong password is the main barrier keeping most of your online accounts from being hacked. Without up-to-date practices, you might be using passwords that cyber-frauds can easily guess within minutes.

The average user creates passwords to fight data theft by switching up a few characters, hoping to “Tr1Ck” their way into security. However, in today’s environment you need to create passwords that can fight modern password theft methods. Cyber-criminals use sophisticated technology to get your passwords, and users must assume that the hackers’ software is designed to account for user behavior as it guesses passwords.


How-secure-is-my-password Tells You

The former DownloadSquad points out howsecureismypassword.net. How secure is my password is basically like a full-screen version of one of those password-strength meters websites sometimes use. But instead of showing you a bar going from “weak” to “strong”, it shows you an estimation of how long your password would take to crack. That’s a much more visceral way to understand why your password is strong.

How Secure is My Password

rb-

How secure is my password helps make password best practices meaningful.

For example, when I entered “Detroit”, it came back with “your password is one of the 1090 most common passwords. It could be cracked almost instantly.” “D3troit!” would take 57 days, and “!D3tro1tM!” would take 928 years to crack.

Password best practices include using:

8 or more characters that are not a dictionary word and that include capital letters, digits, and a symbol or two.
