Login Screen

We’re still using terrible passwords

Every year about this time, the good folks at Nordpass publish the Top 200 Most Common Passwords. This list provides endless fodder for tech journalists (and bloggers) to question why the same awful passwords keep showing up year after year. And by awful we mean so easy to guess or quick to crack that there might as well be no password at all. Once again, the current top 10 list is:

  1. 123456
  2. 123456789
  3. 12345
  4. qwerty
  5. password
  6. 12345678
  7. 111111
  8. 123123
  9. 1234567890
  10. 1234567

The list of passwords was compiled by independent cybersecurity researchers and comprises 4TB of data from over 50 countries. All of the passwords in the top 10 required less than 1 second to crack using widely available software tools.

How did we get here?

Interestingly, a person’s comfort level with technology doesn’t necessarily result in good password practices. As Emily Cain notes in her article, Why don’t we follow password security best practices?

For a lot of people, following password security best practices is like flossing our teeth. We know what we should do, and on the occasions the topic comes up we feel anxious and guilty, but most of the time we simply don’t think about it. There are a number of issues that prevent people from following best practices, including poor usability of individual sites’ login interfaces, contradictory advice from experts, habits left over from pre-digital systems, and the overwhelming vastness of our modern digital lives.

By now, most people know the elements of a password that’s hard to guess or crack: long length (> 12 characters), avoid dictionary words, combine letters, numbers and symbols, etc. Combined with the additional rule that passwords should never be reused or written down, it quickly becomes impossible for most people to remember all of the passwords that they need to use regularly.

[Side rant: Why are banks (of all places) still asking us to enter our mother’s maiden name, father’s first employer and all manner of easily guessed “security questions”, while at the same time not implementing much more secure multi-factor authentication? Anyone?]

It’s not surprising that, given advice that’s both contradictory and impossible to follow, most people just keep doing what they’ve been doing. To quote the Twitter account @SwiftOnSecurity“If you don’t make a system usable and secure, the user will make it usable and insecure.”

The best thing you can do today

Spare your brain from the stress of remembering multiple passwords and just use password manager software on all of your devices. Yes, you’ll have to create one strong password that you can remember (the master password) but once you’ve done the work of setting the program up (and replacing all of those less-than-great passwords on your current accounts), a good password manager will save you loads of time and effort. Again, Emily Cain:

For me, setting up a personal password manager fell into the category of things I knew I “should” do. I’d remember it whenever I read about a password breach in the news, then I’d shove it back into the guilt-tinged procrastination pile. Why hadn’t I done it yet? Would it be difficult? Would it be able to fully replace the clunky system I’d become accustomed to over the years?

…It took some time, but the peace of mind I get from knowing that I now carry my passwords in my pocket—and that they’re harder to crack—is worth it.

To learn more about the current crop of password managers, check out these reports from Tom’s Guide and Wirecutter. Spoiler: they both recommend BitWarden as the best free manager and LastPass and 1Password respectively as paid managers. I’ve been a LastPass user for many years and while the free version is no longer recommended (too many disabled features), there is a family plan that is very reasonably priced for up to 6 accounts. Password managers for everyone!

The holidays are coming up and you need something to do with your free time, right?

Leave a Reply

Your email address will not be published. Required fields are marked *