In light of the list of the worst passwords of 2015 that emerged earlier this week, it occurred to me that maybe we could all use a few lessons on what makes a good or bad password in the first place. In that spirit, let’s take a look at a few password mistakes we’re probably making, shall we? While there’s unfortunately not a lot you can do to protect yourself against code-cracking software (or, y'know, the threat of SKYNET), never underestimate the number of people who might just sit there, guessing, until they manage to figure out what your password is. Avoiding these mistakes will go a long way towards keeping the guessers at bay.
So why do we create so many bad passwords, anyway? The big problem is that most of us aren’t great at remembering random strings of information, so in order to help jog our memories, we tend to pick things that are meaningful to us in some way — numbers might be a birthday or an old address, words might be names of pets or childhood friends, and so on. We also like patterns, hence the penchant for choosing a fairly obvious word and hoping that replacing a few of the letters with numbers (4 for A and 0 for O, for example) will up the security factor enough to get by. The trouble is, though, that if something is easy to remember, it’s also easy to guess — even if the spelling is slightly unconventional.
Additionally, in an era of social media, easily accessible online records, and massive digital footprints, a lot of the information we tend to use in our passwords — things like the aforementioned pet names or birthdays — is very, very easy to get a hold of. It doesn’t even require a whole lot of digging to find. Not to, y’know, freak you out or anything… but living in the Age of Information comes with a price.
Your best bet is to come up with a string of letters, numbers, and special characters that truly is random, and then either get really good at memorizing things (maybe this Memory Palace technique will help?), or write it down and store it somewhere no one will ever find it. You might also try a password vault. Memorization is the safest route, though; as far as I know, the average human hasn’t figured out how to hack someone’s brain from afar yet, so whatever you lock up in your noggin is likely going to stay there, safe and sound.
For the curious, here’s what makes a good password; keep reading for the mistakes you’re probably making that result in terrible, awful, no good, very bad passwords. Godspeed, my friends. May your browsing be full of secrets.
1. You’re Using “Password”
Or “passw0rd,” or “p4ssw0rd,” or some other variation on the word itself. You might think that it’s one of those “so obvious it comes right back round to being not obvious” kinds of choices… but it’s not. It’s just obvious.
2. You’re Basing Your Password on an Obvious Arrangement of Keys
This is why passwords like “1234567890,” “qwertyuiop,” and “1qaz2wsx” won’t keep you safe — they’re composed of characters that are lined up in order on the keyboard. Sure, they might be easy to remember, but they’re also easy to guess. All anyone has to do is look down at the keyboard to figure it out.
3. You’re Using the Same Password Over and Over Again
If your Facebook password is the same as your Gmail password, which is the same as your online banking password, and someone figures out what it is? Well… you can see where the problem might lie. Don’t put your proverbial eggs all in the same basket; use different passwords for different sites.
4. You’re Using All Letters or All Numbers
When you create a login pretty much anywhere these days, you’re usually required to have a mix of letters, numbers, and special characters — but even if you create a login on a site that doesn’t have that requirement, it’s still good practice to follow it. The more characters you have to choose from, the greater the number of possible combinations, which means it’ll also be a lot harder for someone to guess what you’re using.
5. Your Password Is Too Short
For the same reason you should be using a mix of letters, numbers, and special characters: More characters means more combinations, which means greater security. 12 characters is a good number to shoot for.
6. You’re Using a Hip Pop Culture Reference
This year, that pop culture reference appears to be Star Wars, judging by the fact that both “starwars” and “solo” (as in Han) made the list of bad passwords never, ever to use. If something is topical, it’s easy to guess. Sorry.
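To make items 1, 2, 4, 5 and 6 concrete, here is a small checker, added as an illustration and not part of the original article, that flags those mistakes the way a sign-up form might. The leetspeak map, the keyboard layout, the three-word deny list (just the words the article names) and the 12-character target are all assumptions chosen for the example; the bit count it reports is simply log2 of the number of strings someone would have to try if they knew only the password’s length and which kinds of characters it uses.

```python
"""Flags the password mistakes discussed above (added example, not the article's code)."""
import math

# Reverse leetspeak substitutions so "p4ssw0rd" normalises to "password" (item 1).
# Assumed map; covers the common digit/symbol-for-letter swaps only.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "0": "o", "1": "l", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})

# Constructed deny list: the words the article names, mapped to the item they belong to.
DENYLIST = {"password": 1, "starwars": 6, "solo": 6}

# US QWERTY rows, plus columns read top to bottom ("1qaz", "2wsx"), for item 2.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

MIN_LENGTH = 12  # the article's suggested target (item 5)
# Printable ASCII is 95 characters: 26 + 26 + 10 letters/digits and 33 symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def normalize_leet(pw):
    """Lower-case and undo leetspeak so spelling tricks do not hide a dictionary word."""
    return pw.lower().translate(LEET_MAP)


def _walk_segments(min_run):
    """Every run of at least min_run adjacent keys, in either direction."""
    segs = set()
    for seq in KEYBOARD_ROWS + KEYBOARD_COLS:
        for s in (seq, seq[::-1]):
            for i in range(len(s)):
                for j in range(i + min_run, len(s) + 1):
                    segs.add(s[i:j])
    return segs


def is_keyboard_walk(pw, min_run=4):
    """True if the whole password can be split into adjacent-key runs (e.g. 1qaz2wsx)."""
    s = pw.lower()
    segs = _walk_segments(min_run)
    reachable = [False] * (len(s) + 1)
    reachable[0] = True
    for end in range(1, len(s) + 1):
        for start in range(0, end - min_run + 1):
            if reachable[start] and s[start:end] in segs:
                reachable[end] = True
                break
    return len(s) >= min_run and reachable[len(s)]


def char_classes(pw):
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def guess_space_bits(pw):
    """log2 of the candidate count given only the length and character classes used (items 4, 5)."""
    size = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw):
    """Return the sorted article item numbers this password trips over ([] means none)."""
    problems = set()
    norm = normalize_leet(pw)
    for word, item in DENYLIST.items():
        if word in norm:          # substring check, so "password123" is caught too
            problems.add(item)
    if is_keyboard_walk(pw):
        problems.add(2)
    classes = char_classes(pw)
    has_letter = "lower" in classes or "upper" in classes
    if not (has_letter and "digit" in classes and "symbol" in classes):
        problems.add(4)
    if len(pw) < MIN_LENGTH:
        problems.add(5)
    return sorted(problems)


if __name__ == "__main__":
    for candidate in ["p4ssw0rd", "1qaz2wsx", "st4rw4rs", "kX9#mZ2!qW7$r"]:
        print(f"{candidate!r}: items {check_password(candidate)}, "
              f"{guess_space_bits(candidate):.1f} bits")
```

Running it shows why the article’s examples fail: “p4ssw0rd” normalises straight back to “password”, “1qaz2wsx” is two keyboard columns glued together, and both sit around 41 bits, while a 13-character mixed-class string is up near 85 bits with nothing flagged.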
7. You’re Not Changing the Factory Default
Even if that new router you just set up came with a hilariously apropos password — something like “dancingspiders5938” — change it from the default immediately. According to the United States Computer Emergency Readiness Team (emphasis mine):
Factory default software configurations for embedded systems, devices, and appliances often include simple, publicly documented passwords. These systems usually do not provide a full operating system interface for user management, and the default passwords are typically identical (shared) among all systems from a vendor or within product lines.
These passwords are meant to be used for testing and installation only, because they’re incredibly easy to find. US-CERT notes that documentation for devices is often available online, and they often include passwords.
Seriously, everyone. Take the five seconds it takes to change your password from the factory default. Just do it.