5 Ways to Choose a Strong Password to Secure Your Account


Recent research shows that people are still using easy-to-hack passwords to protect their online accounts. Discover what the researchers found and what people need to keep in mind when creating passwords.

World Password Day falls on the first Thursday of May. Observed since 2013, it is designed to get people thinking about their password habits. This is needed because research shows numerous people are still using easy-to-crack passwords. For instance, after analyzing more than 15.2 million passwords, the Cybernews investigation team found that the four most commonly used passwords were “123456”, “123456789”, “qwerty”, and “password”.

Researchers from SpyCloud encountered similar results when they analyzed more than 1.7 billion credential pairs (passwords and email addresses/usernames). They found the four most commonly used passwords were “pass”, “123456”, “password”, and “123456789”.

Besides using easily hackable passwords, people continue to reuse passwords. In a 2022 survey conducted by Bitwarden, 84% of the respondents admitted to using the same password for multiple accounts.

These findings point to the need to remind people what they should and shouldn’t do when picking passwords. Toward that end, here are five things to keep in mind when creating passwords:

  1. Don’t Use Sequential or Repeating Characters

Passwords that contain sequential or repeating characters (e.g., “123456”, “aaaaaa”, “abc123”) are commonly used — and commonly hacked. For example, the password “123456” appears 37,359,195 times in the Pwned Passwords list of compromised passwords. Thus, it is important to avoid using sequential or repeating characters as passwords.

Similarly, it is important to not use sequential keyboard patterns such as “qwerty”, “qwerty123”, and “1q2w3e4r”. Cybercriminals know that people like to use sequential keyboard patterns as passwords, so they program their automated password-cracking tools (i.e., tools used for brute force and dictionary attacks) to check for them.

  2. Don’t Use Easy-to-Glean Passwords

To make passwords easy to remember, many people pick passwords that are meaningful to them. For instance, they often use passwords that incorporate personal information, such as a pet’s name, child’s birthday, their favorite movie character, or a local sports team.

Many people also create passwords based on pop culture (e.g., “Superman”) or current events (e.g., “pandemic”). Using terms associated with the authentication process — such as “password”, “changeme”, “DEFAULT”, and “admin” — is also common.

These types of passwords should not be used because hackers can perform dictionary attacks to crack them. In a dictionary attack, cybercriminals try to break into password-protected hardware or software by systematically entering every word in a list as a password. While the list might contain all the words in a dictionary (hence the name), more often it is a smaller compilation of terms commonly used as passwords. For example, it might include trendy first names, common pet names, chic cities to visit, popular sports teams, and well-known fictional characters. Cybercriminals also include variations of these terms. For instance, the variations might use letter substitution (e.g., substituting the “@” sign for the letter “a”).

If cybercriminals are trying to crack a password as part of a targeted attack (e.g., a business email compromise scam) and a dictionary attack does not reveal it, they might visit social networks like Facebook and search public records to gather personal information about the target. They often can learn a lot about the victim, such as family members’ birthdates, places they frequently visit, and favorite foods.
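The two checks described in sections 1 and 2 (sequential, repeating and keyboard-walk characters; dictionary roots hiding behind letter substitutions and appended digits) can be automated so a password policy rejects them before an attacker's wordlist does. The script below is an added example written for this article, not code from the original page. Its word list, keyboard rows and substitution table are constructed stand-ins for the much larger lists a real audit would load.

```python
import re
import string

# Constructed mini word list standing in for the terms the article says attackers
# put on their lists (names, pop culture, authentication words); a real audit
# would load a published list such as the most common breached passwords instead.
COMMON_TERMS = {
    "password", "changeme", "default", "admin", "superman", "pandemic",
    "qwerty", "letmein", "welcome", "apple", "dragon",
}
# Physical keyboard rows plus the "column walk" that produces 1q2w3e4r...
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "1q2w3e4r5t6y7u8i9o0p"]
# Letter substitutions that crackers fold back into the dictionary word
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def has_repeating_run(pw, n=3):
    """'aaaaaa' -> True: the same character n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw, n=3):
    """'abc123' -> True: n characters whose code points step by exactly +1 or -1."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_keyboard_pattern(pw, n=4):
    """'qwerty123' -> True: n adjacent keys from one row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - n + 1):
            chunk = s[i:i + n]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def normalize(pw):
    """Strip the trailing digits/symbols people append, then undo leet
    substitutions, so 'P@ssw0rd!' and 'apple002' reduce to their root word."""
    root = pw.lower().rstrip(string.digits + string.punctuation)
    return root.translate(LEET_MAP)


def dictionary_hit(pw):
    """Return the dictionary root the password reduces to, or None."""
    root = normalize(pw)
    return root if root in COMMON_TERMS else None


def audit(pw):
    """List the weaknesses a pattern/dictionary cracker would exploit; [] means none found."""
    findings = []
    if has_repeating_run(pw):
        findings.append("repeating characters")
    if has_sequential_run(pw):
        findings.append("sequential characters")
    if has_keyboard_pattern(pw):
        findings.append("keyboard pattern")
    hit = dictionary_hit(pw)
    if hit:
        findings.append(f"dictionary term '{hit}'")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "aaaaaa", "qwerty123", "1q2w3e4r", "P@ssw0rd!",
                      "apple002", "correct horse battery staple"]:
        print(f"{candidate!r}: {audit(candidate) or 'no obvious weakness'}")
```

The order of operations in `normalize` matters: the trailing digits are stripped before the substitution table is applied, otherwise the “1” in “apple001” would be read as a letter and the root word would never match.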

  3. Make It Long

With automated password-cracking tools, cybercriminals can crack short passwords in short order. For example, passwords consisting of six characters or fewer can be cracked instantly, no matter the types of characters they contain, according to Hive Systems’ 2022 Password Table.

Longer passwords take far longer to brute-force than shorter ones, because every added character multiplies the number of combinations an attacker has to try. For this reason, security experts recommend creating long ones. There are two schools of thought regarding password length:

Make them long and complex. For many years, security experts have recommended creating long passwords that include mixed-case letters, numbers, and symbols. When passwords include all these elements, the time needed to crack them rises steeply with each character added. According to the 2022 Password Table, it takes:

  • 31 seconds to crack a complex 7-character password
  • 39 minutes to crack a complex 8-character password
  • 2 days to crack a complex 9-character password
  • 5 months to crack a complex 10-character password
  • 34 years to crack a complex 11-character password
  • 3,000 years to crack a complex 12-character password
  • 202,000 years to crack a complex 13-character password

So, creating a password that is 12 or more characters long and includes mixed-case letters, numbers, and symbols is best. Even creating a complex 11-character password is pretty safe given that few (if any) cybercriminals would spend 34 years trying to crack one password.

Make them really long. Although long, complex passwords are hard to crack, they are also hard to remember. A viable alternative is to use “memorized secrets”, according to the US National Institute of Standards and Technology. “Memorized secrets” are passwords that are really long yet easy to remember. They are often referred to as passphrases.

When creating passphrases, people do not have to follow any composition rules. They can use all lowercase or all uppercase letters if desired, as long as the passphrases are very long. Similarly, any character can be included, assuming it is allowed by the authentication system. In fact, including spaces or hyphens in appropriate places (e.g., “bonkers-about-Bball”, “let sleepy potbellied puppies lie down”) can make the passphrase easier to enter and harder to hack.

The key to effective passphrases is making them not only long but also easy to remember. According to Kaspersky Labs, the 37-character passphrase “12345-humpty-dumpty-satonthe-firewall” is roughly equal in strength to the 24-character password “?Y]G9gWJ48zYkFBc@{nKw!’q”. Both will take more than 1 million years to crack. However, the former is much easier to remember than the latter.

As the passphrase “12345-humpty-dumpty-satonthe-firewall” shows, using a short numerical sequence in a very long passphrase typically doesn’t affect its overall strength. However, people should avoid using all numbers because it can make shorter passphrases easier to hack. For example, an 18-character passphrase or password that consists of all numbers would take only 3 weeks to hack, according to the Hive Systems’ 2022 Password Table.

People should also avoid creating a passphrase by simply stringing together the names and/or birthdates of relatives or friends. Cybercriminals might be able to obtain this information from social networks or public records.
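The length figures in this section all come from one relationship: the number of guesses an attacker must make is the alphabet size raised to the password length (or the word-list size raised to the word count for a randomly generated passphrase), and the time is that count divided by the guess rate. The script below, added here as an illustration and not taken from the article or from Hive Systems, computes the entropy in bits for the three cases the text contrasts: an all-digit 18-character string, a 12-character mixed-class password, and a 5-word random passphrase. The guess rate and the symbol count are assumptions, so the absolute times will differ from Hive Systems' table, which assumes specific hardware and hashing; the ordering is what the example shows.

```python
import math

# Assumed guess rate for the comparison; Hive Systems' table assumes specific
# hardware and hashing, so absolute times here will not match the article's
# numbers, only their ordering.
ASSUMED_GUESSES_PER_SECOND = 1e12

SYMBOLS = 32  # assumed number of keyboard symbols in the attacker's alphabet


def alphabet_size(lower=True, upper=False, digits=False, symbols=False):
    """Size of the character set a brute-force attacker must cover."""
    return 26 * lower + 26 * upper + 10 * digits + SYMBOLS * symbols


def bits_for_random_string(length, alphabet):
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def bits_for_random_passphrase(word_count, wordlist_size):
    """Entropy of uniformly chosen words; independent of how long the words are."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Average time to hit a uniformly random secret: half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def compare():
    """Return (label, bits) for the article's three cases, weakest first."""
    cases = {
        "18 digits only":
            bits_for_random_string(18, alphabet_size(lower=False, digits=True)),
        "12 chars, mixed case + digits + symbols":
            bits_for_random_string(12, alphabet_size(upper=True, digits=True, symbols=True)),
        "5 random words from a 7776-word list":
            bits_for_random_passphrase(5, 7776),
    }
    return sorted(cases.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for label, bits in compare():
        secs = expected_crack_seconds(bits)
        print(f"{label:42s} {bits:6.1f} bits  ~{human_duration(secs)}")
```

One caveat the formula makes visible: the word-count calculation assumes the words were chosen at random from the list. A phrase a person composed from a nursery rhyme is not uniformly random, so its true resistance to a phrase-aware wordlist is lower than the word count alone suggests; the length still helps, which is the article's point, but a generated passphrase is the case the arithmetic actually covers.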

  4. Don’t Reuse Passwords

People have to remember numerous passwords both at work and at home. As a result, they often use the same password for multiple accounts. Even worse, they sometimes continue to use that password after it has been breached. SpyCloud researchers observed a 64% password reuse rate among users whose data was exposed in two or more data breaches.

Another way people commonly reduce the number of passwords they need to remember is to slightly modify a root password for multiple accounts. For instance, someone might use “apple” as the root word and append a different number to it (e.g., “apple001”, “apple002”, “apple003”) for each account.

Reusing passwords is risky, even if they are slightly different. Hackers know people frequently do this, so they try cracked passwords and variations of them on multiple accounts. For instance, they often launch an automated credential stuffing attack in which distributed botnets try using compromised credentials on high-value websites. This testing is done slowly, from many different IP addresses, to avoid setting off alerts (e.g., a lockout after three unsuccessful login attempts) that could expose the attack.
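Because the stuffing traffic described above is spread thinly across many source addresses, a per-IP lockout counter never fires. Detecting it means aggregating the other way: which source addresses fail against several different accounts, which accounts are being tried from several addresses, and which successes came from an address that was failing against other accounts moments earlier. The script below is an added example (not code from the article) that runs those three aggregations over a constructed authentication log; the log format, the IP addresses and the thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Assumed log format for the example; a real deployment would parse its IdP's events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: three addresses each try a few stolen credentials once,
# staying under a per-IP lockout; one legitimate user mistypes once and then
# logs in; one stolen credential (frank) actually works.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-02T10:00:09Z ip=203.0.113.5 user=bob result=FAIL
2024-05-02T10:00:17Z ip=203.0.113.5 user=carol result=FAIL
2024-05-02T10:00:20Z ip=192.0.2.44 user=alice result=FAIL
2024-05-02T10:00:31Z ip=192.0.2.44 user=alice result=OK
2024-05-02T10:01:02Z ip=198.51.100.7 user=bob result=FAIL
2024-05-02T10:01:15Z ip=198.51.100.7 user=dave result=FAIL
2024-05-02T10:01:33Z ip=198.51.100.7 user=erin result=FAIL
2024-05-02T10:02:05Z ip=203.0.113.9 user=bob result=FAIL
2024-05-02T10:02:40Z ip=203.0.113.9 user=frank result=OK
"""


def parse(log):
    """Turn log text into a list of dicts; silently skip lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def spraying_ips(events, min_users=3):
    """Addresses whose failures cover >= min_users distinct accounts and that never
    succeeded: a single person mistyping hits one account, a stuffing bot hits many."""
    failed_users = defaultdict(set)
    succeeded = set()
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].add(e["user"])
        else:
            succeeded.add(e["ip"])
    return sorted(ip for ip, users in failed_users.items()
                  if len(users) >= min_users and ip not in succeeded)


def targeted_accounts(events, min_ips=3):
    """Accounts that failed from >= min_ips distinct addresses: the distributed
    pattern the article describes, invisible to any single per-IP counter."""
    ips_per_user = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            ips_per_user[e["user"]].add(e["ip"])
    return sorted(u for u, ips in ips_per_user.items() if len(ips) >= min_ips)


def suspicious_successes(events):
    """(ip, user) logins that succeeded from an address which also failed against
    a different account: the reused credential that worked."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].add(e["user"])
    return sorted((e["ip"], e["user"]) for e in events
                  if e["result"] == "OK" and failed_users[e["ip"]] - {e["user"]})


def failure_ratio(events):
    """Overall FAIL fraction; a sudden rise is the coarse global signal."""
    return sum(e["result"] == "FAIL" for e in events) / len(events) if events else 0.0


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spraying IPs:        ", spraying_ips(ev))
    print("targeted accounts:   ", targeted_accounts(ev))
    print("suspicious successes:", suspicious_successes(ev))
    print(f"failure ratio:        {failure_ratio(ev):.2f}")
```

The `suspicious_successes` result is the one worth alerting on first: it identifies the account whose reused password has already been confirmed, so that account can be forced through a reset rather than waiting for a threshold.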

The bottom line is that people need to make sure that each password they use is unique. They should also make sure that none of their passwords have already appeared in a breach, by checking them against a corpus such as Pwned Passwords. If a password has been compromised, it should be changed.
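Checking a password against Pwned Passwords does not require sending the password anywhere: the service works on the first five hex characters of the password's SHA-1 hash and returns every suffix in that range, and the match is made locally. The script below, an added example and not the service's own client code, implements that range-query logic and runs it offline against a constructed stand-in response. The `RANGE_URL` is the real endpoint the service publishes; the sample response body, apart from the 37,359,195 count taken from the article, is made up for the illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public HIBP range endpoint


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the range responses use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Each line of a range response is 'SUFFIX:COUNT'. Padding entries (when the
    Add-Padding header is used) carry a count of 0 and fall out naturally."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Times the password appears in the corpus behind this range; 0 = not found."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network). Add-Padding asks the service to pad the
    response so its size does not reveal how many real suffixes it holds."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to the range that "123456" falls in, so
# the matching logic runs offline. The 37,359,195 count is the article's figure;
# the other two suffixes and their counts are made up.
_PREFIX, _SUFFIX = split_for_range_query("123456")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    f"{_SUFFIX}:37359195",
    "0131A2F9C2D5A5A8B94C4F8C2BA3A1E4C3C:1",
])


def is_breached(password, fetch=None):
    """True if the password is in the corpus. `fetch` maps a prefix to a response
    body; defaults to the constructed sample so the function works offline."""
    prefix, _ = split_for_range_query(password)
    body = (fetch or (lambda p: SAMPLE_RANGE_RESPONSE))(prefix)
    return breach_count(password, body) > 0


if __name__ == "__main__":
    for pw in ["123456", "correct horse battery staple"]:
        print(f"{pw!r}: prefix {split_for_range_query(pw)[0]}, "
              f"seen {breach_count(pw, SAMPLE_RANGE_RESPONSE):,} times")
```

To run it against the live corpus, pass `fetch_range` as the `fetch` argument of `is_breached`; everything else stays the same, which is the point of the k-anonymity design: the only thing that changes between the offline test and the real check is where the range body comes from.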

  5. Consider Using a Password Manager

People who need to create numerous passwords might consider getting a password manager that includes a random password generator. That way, they can use the generator to create unique, hard-to-hack passwords for their accounts.

Using a password manager can also eliminate the temptation to write down passwords when there are too many to memorize. With a password manager, users only have to remember one master password to log in to all of their accounts.
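What a password manager's generator does is straightforward once a cryptographically secure random source is used: draw each character (or each word) uniformly, and keep a distinct secret per site so a breach at one service cannot be replayed at another. The script below is an added example written for this article, not the code of any particular password manager; its short word list is a constructed stand-in for the thousands-of-words list a real generator would ship, and the symbol set is an assumption.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set; adjust to what sites accept
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed stand-in for a published diceware-style list of thousands of words.
WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "willow", "zephyr",
]


def has_all_classes(pw):
    """True when lower, upper, digit and symbol are all present."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length=16):
    """Uniformly random characters from ALPHABET, re-drawn until every class
    appears (rejection sampling keeps the distribution uniform over the accepted set)."""
    if length < 4:
        raise ValueError("need at least 4 characters to hold all four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(word_count=5, wordlist=WORDS, sep="-"):
    """Words chosen uniformly with replacement; separators make it easy to type."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_for_sites(sites, length=16):
    """One distinct password per site, which is what defeats credential stuffing."""
    vault = {}
    used = set()
    for site in sites:
        pw = generate_password(length)
        while pw in used:           # astronomically unlikely, but cheap to guard
            pw = generate_password(length)
        used.add(pw)
        vault[site] = pw
    return vault


if __name__ == "__main__":
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    for site, pw in generate_for_sites(["mail", "bank", "shop"]).items():
        print(f"  {site:5s} {pw}")
```

`secrets` rather than `random` is the design choice that matters: `random` is seeded for reproducibility and is not suitable for secrets, whereas `secrets.choice` draws from the operating system's CSPRNG.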

We hope you found this article helpful about picking secure passwords. If you ever feel you need more cybersecurity installed for your firm or business, feel free to contact our team of experts by emailing info@wamsinc.com or calling us at (800) 421-7151.


WAMS, Inc.

The experts at WAMS, Inc. all have a background in the legal industry and understand the software and the demands that come along with it. That’s why all our clients receive a dedicated account manager and engineer with specific planning that works for your business needs. We didn’t break into the tech world to pinch pennies from clients. We go into every partnership to help their business scale gracefully. Your company growth is our company growth, always.