4 Types of Passwords You Shouldn’t Create (Unless You Want Your Account Hacked)

The passwords you use to secure online accounts are essential, and if you use simple passwords, cybercriminals can guess them and access your accounts. They can steal your identity, access your email, and empty your bank account. Large data breaches are common, and the credentials of billions of accounts are easily accessible. (Want to check yours? Go to haveibeenpwned and enter your email or phone number to see if they show up in known data breaches.)

So what can you do when faced with all of these breaches? There are two concerns. The first is that your account on one of these sites may be compromised. You can generally resolve that problem by changing your password for the affected sites as soon as a breach is announced.

The second problem is more serious. If you use the same user name and password on multiple sites, breaches like this could give cyber-criminals the keys to access much of your data. Since they can use “brute-force” methods to attempt to log into many websites and services, they can try millions of user name / password combinations to find the ones that work.

Here are some tips on how not to create secure passwords. (Don’t worry, I’ll link to another article detailing how to create secure passwords to protect your user accounts, but for now enjoy this Password Selection Hall of Shame.)

Password Fail #1: Use a Simple Password

One thing that password breaches in the past have shown us is that the most widely used passwords are the dumbest. Here are some of the most common passwords:

  1. 123456
  2. password1
  3. 123456789
  4. password
  5. iloveyou
  6. qwerty
  7. 1q2w3e
  8. qwertyuiop
  9. 12345678
  10. abc123

This Wikipedia page has several lists of commonly used passwords; I hope yours isn’t there!

It turns out that you have a good chance of getting into many people’s accounts – and computers – by just typing “123456.” Or even “password.” Or just the six letters on the top row of a keyboard, “qwerty.” Use something uncommon and you’ve reached first base.

Password Fail #2: Use a Password That’s Easy to Guess

Let’s say you have a son named Chauncey. When you’re asked for a password that has to be at least 8 characters long, you figure it’s a good idea to use his name. But anyone who can view your Facebook page will see a picture with him, with a comment such as, “Here’s Chauncey on the beach.” That is a pretty obvious clue; many people use the names of their children, their pets, or their favorite sports team as a password. And these are easy enough to find as we publish more and more of our private lives in public forums.

You might think that adding a digit at the end could make the password more secure, so you use “chauncey1.” That’s not hard to figure out either.

Skip this idea, and you get to second base.

Password Fail #3: Use the Date of Your Wedding (or Birthday, or Child’s Birthday…)

So you got married on 6/23/2004. Since many sites require that you use at least eight characters for a password, you can change this to 06232004; that’s certainly a password you’ll never forget. That would be a good password, right? Not really. First, it’s pretty easy to find; there are all sorts of databases containing that kind of information. Second, plenty of friends and co-workers know the date of your anniversary. Pictures on your Facebook page, details on your personal blog, or tweets like, “Happy anniversary to my sweetheart” are all giveaways. The same goes for your birthday, your child’s birthday, your spouse’s birthday, and so on.

If you don’t use well-known or easy-to-guess dates as your password, congratulations, you’ve just advanced to third base.

Password Fail #4: Use the Same Password on Many Web Sites

It’s a lot easier to remember one password than dozens of different ones, right? So you come up with one really good password and you use it everywhere: Facebook, Twitter, Amazon, eBay, PayPal… What if you’ve used it on websites that have been breached? This is the main reason why cyber-criminals want to harvest passwords. If they get a user name and password and then find that it works on other web sites, they can usurp your identity, and perhaps even liquidate your assets. They can even buy things using your credit card – which is stored on, say, Amazon – and have them shipped to their addresses.

If you avoid these four password failures, you’re well on your way to hitting a secure password home run.
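A sign-up or password-change form can screen for all four failures before accepting a new password. The following is an added example, not code from the article; `audit`, `personal_terms` and `used_elsewhere` are hypothetical names, and the common-password set holds only the ten entries listed above (a real deployment would load a much larger list).

```python
import re
from datetime import date

# The ten common passwords listed in the article (a real list is far longer).
COMMON = {"123456", "password1", "123456789", "password", "iloveyou",
          "qwerty", "1q2w3e", "qwertyuiop", "12345678", "abc123"}


def looks_like_date(pw):
    """True if pw is a calendar date such as 06232004 or 6/23/2004."""
    parts = re.split(r"[/.\-]", pw)
    # Zero-pad "6/23/2004" to "06232004"; otherwise just drop separators.
    digits = ("".join(p.zfill(2) for p in parts) if len(parts) == 3
              else "".join(parts))
    if not digits.isdigit() or len(digits) != 8:
        return False
    # Candidate (year, month, day) splits: MMDDYYYY, DDMMYYYY, YYYYMMDD.
    layouts = [(digits[4:], digits[:2], digits[2:4]),
               (digits[4:], digits[2:4], digits[:2]),
               (digits[:4], digits[4:6], digits[6:])]
    for y, m, d in layouts:
        try:
            if 1900 <= int(y) <= 2099:
                date(int(y), int(m), int(d))  # raises ValueError if invalid
                return True
        except ValueError:
            pass
    return False


def audit(pw, personal_terms=(), used_elsewhere=()):
    """Return the list of article 'fails' that the candidate password hits."""
    findings = []
    lowered = pw.lower()
    if lowered in COMMON:
        findings.append("fail-1: common password")
    # Strip leading/trailing digits and symbols: "chauncey1" -> "chauncey".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core and core in {t.lower() for t in personal_terms}:
        findings.append("fail-2: personal name plus padding")
    if looks_like_date(pw):
        findings.append("fail-3: calendar date")
    if pw in used_elsewhere:
        findings.append("fail-4: reused on another site")
    return findings
```

An empty list from `audit` means only that the password avoided these four patterns, not that it is strong.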

In another article, I’ll tell you how you can easily create secure passwords to protect your accounts and better safeguard your personal information.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.