Well, the numbers are in. The winner of this year’s most popular computer password is the incredibly secure and unguessable combination 123456.
I wish I was kidding. I’m not.
Everyone’s favorite six numbers are followed closely by “password,” “qwerty” and “1234678.” Slightly less popular favorites include “baseball” (no. 8), “letmein” (13) and relative newcomer “batman” (24).
Truly a secure bastion against the online legions.
The list paints an uncomfortable picture for many. While Americans do seem to be getting more concerned about cybersecurity, even going so far as to supplant “national security” in online searches, they remain very, very bad at implementing it. Needless to say, it has online security companies in a bit of a panic, especially banking and investment companies, which rely heavily on their members keeping their own accounts secure.
The rise of mobile finance has driven the number of users depending on their online accounts to an all-time high, bringing in a flood of risk as new and inexperienced users begin to make accounts, storing their life savings in accounts protected only by a simple 8-character text box. And even when these firms implement harsher password requirements, such as requiring combinations of words and numbers, users still inevitably find ways to be idiots.
CEO of SplashData Morgan Slain says “Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing.” Sports, interests and birthdates are also poor choices, though they tend to be user-specific enough that they don’t make the top ten lists.
Unfortunately, when confronted with requirements for their passwords, even more advanced users tend to follow certain trends that make their combinations easier to guess.
Passwords with substituted characters and trailing symbols may seem more airtight than an unmodified version, but the truth is that they remain quite easy for sophisticated hackers to break; ‘p4ssw0rd’ and ‘ba5eba11***’ aren’t worth much when confronted with a high-throughput cracker program, which can churn through billions or even hundreds of billions of passwords every second.
Advanced crackers use a branching system known as a Markov chain to move from one likely password to another, so starting with a dictionary word (say, peanut) and then corrupting it in a predictable way (Peanut1) may only take a fraction of a second more to guess than the 13245 codes listed above.
What’s even more unfortunate is that these exact sorts of word corruptions are actively encouraged by the sign-in processes of many a website.
Most login portals still recommend the standard combination of 8 characters with caps and symbols, and may even have little bars rising from “poor” to “strong” as the requirements are met, giving users a false sense of safety as they “l33t-ify” their wording.
To counter the onslaught of lousy security practices, many companies have instead recommended the use of “passphrases,” combinations of short words with spaces which are relatively easy to remember and can be nearly impossible for a cracker program to guess. But with the common 16-character limit on password length, it can be hard to fit enough words together to be useful. And even then, only improbable sentences will work: “where art thou romeo” or “call me ishmael” can be looked up in online text databases and will still be susceptible to brute-force methods.
To have a truly secure password, it’s best to have a random combination of words that elicits a memorable story but is not drawn from any real text or reference. According to Web N-Gram Services, the phrase “frog work flat,” perhaps constructed from a memory of hitting a frog on the drive to work, occurs on the web with odds of about 1 in one quintillion, pretty good for stopping even a determined hacker.
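The gap between what a sign-up “strength bar” reports and what a cracker actually faces can be made concrete. The following is an added example, not code from the column or from SplashData: it undoes the cheap mangling rules described above (lowercasing, stripping trailing digits and symbols, reversing l33t substitutions) and checks whether a candidate collapses to a common password, then compares a naive charset-times-length meter against a rougher estimate of the real guess count. The ten-entry `COMMON_PASSWORDS` set is constructed from the names quoted in the column, the `RULE_VARIANTS` count is a constructed stand-in for a real rule set, and `wordlist_size=7776` assumes the attacker’s word list is the size of a Diceware list.

```python
import math
import re
from typing import Optional, Set

# Constructed sample of the "easy mode" pool: the entries quoted in the column
# plus "peanut" from the Markov-chain example. A real check would load a full
# breach list of millions of entries.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "baseball", "letmein",
    "batman", "adobe123", "photoshop", "peanut",
}

# The l33t substitutions a cracker's rule set applies (and we undo).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Constructed: number of mangling variants base_forms() considers per word.
RULE_VARIANTS = 6


def base_forms(candidate: str) -> Set[str]:
    """Return the plain words a mangled password was probably built from.
    Mirrors the cheap rules crackers try first: lowercase, drop a trailing
    suffix ('Peanut1', 'ba5eba11***'), undo l33t-speak ('p4ssw0rd')."""
    low = candidate.lower()
    variants = [
        low,
        re.sub(r"[^a-z0-9]+$", "", low),  # strip trailing symbols only
        re.sub(r"[^a-z]+$", "", low),     # strip trailing symbols and digits
    ]
    forms = set()
    for v in variants:
        forms.add(v)
        forms.add(v.translate(LEET_MAP))
    return forms


def easy_mode_match(candidate: str) -> Optional[str]:
    """The common password this candidate reduces to, or None if it does not."""
    for form in sorted(base_forms(candidate)):
        if form in COMMON_PASSWORDS:
            return form
    return None


def naive_meter_bits(candidate: str) -> float:
    """What a typical sign-up strength bar computes: log2(charset ** length)."""
    charset = 0
    if re.search(r"[a-z]", candidate):
        charset += 26
    if re.search(r"[A-Z]", candidate):
        charset += 26
    if re.search(r"[0-9]", candidate):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        charset += 33  # printable ASCII symbols, space included
    return len(candidate) * math.log2(charset) if charset else 0.0


def realistic_bits(candidate: str, wordlist_size: int = 7776) -> float:
    """Rough log2 of the guesses a cracker actually needs.
    Mangled common word: size of the common list times the rule variants.
    Passphrase of three or more plain words: wordlist_size ** words
    (assumes the attacker guesses from a Diceware-sized list).
    Anything else: fall back to the naive meter."""
    if easy_mode_match(candidate):
        return math.log2(len(COMMON_PASSWORDS) * RULE_VARIANTS)
    words = candidate.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(wordlist_size)
    return naive_meter_bits(candidate)


if __name__ == "__main__":
    for pw in ("p4ssw0rd", "ba5eba11***", "Peanut1", "frog work flat"):
        print(f"{pw!r:18} reduces to {easy_mode_match(pw)!s:10} "
              f"meter={naive_meter_bits(pw):5.1f} bits "
              f"realistic={realistic_bits(pw):5.1f} bits")
```

Run stand-alone, the table shows the point the column makes: the meter rates ‘p4ssw0rd’ at about 41 bits, but once it is recognised as a mangled dictionary word the realistic figure is under 6 bits, while ‘frog work flat’ keeps roughly 39 bits even against an attacker who knows it is three random words. On a real system the common list would be a full breach corpus and the rule count would come from the cracker’s actual rule file, but the shape of the comparison is the same.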
But then, of course, you have to keep from falling for phishing sites mimicking your bank address. And avoiding sharing your password across all the sites you use. And not inadvertently installing a keylogger with that Chrome extension. And refraining from keeping it written in sharpie on a Post-it note left on your desk.
It’s a tall order. Nobody really wants to spend that much time and effort to thwart hackers. But, your final advantage is that hackers don’t really like spending time and effort, either.
Applied security researcher at Qualcomm Marcus Jakobsson says “If they’re going to spend 200 hours to break into your bank account and they find you have $500, it’s not worth the expense.” As long as you stay away from the “easy mode” pool of passwords, keep them unique for your important personal sites and check the web address before logging into strange YouTube links, you should be set.
Oh, and avoid being a millionaire, a selfie-prone female celebrity or a Sony employee. That’ll help too.
Copeland is a member of the class of 2015.