The passwords you use to secure online accounts are essential, and if you use simple passwords, cybercriminals can guess them and access your accounts. They can steal your identity, access your email, and empty your bank account. Large data breaches are common, and the credentials of billions of accounts are easily accessible. (Want to check yours? Got to haveibeenpwned and enter your email or phone number, to see if they show up in known data breaches.)
So what can you do when faced with all of these breaches? There are two concerns. The first is that your account on one of these sites may be compromised. You can generally resolve that problem by changing your password for the affected sites as soon as a breach is announced.
The second problem is more serious. If you use the same user name and password on multiple sites, breaches like this could give cyber-criminals the keys to access much of your data. Since they can use “brute-force” methods to attempt to log into many websites and services, they can try millions of user name / password combinations to find the ones that work.
Here are some tips on how not to create secure passwords. (Don’t worry, I’ll link to another article detailing how to create secure passwords to protect your user accounts, but for now enjoy this Password Selection Hall of Shame.)
Password Fail #1: Use a Simple Password
One thing that password breaches in the past have shown us is that the most widely used passwords are the dumbest. Here are some of the most common passwords:
This Wikipedia page has several lists of commonly used passwords; I hope yours isn’t there!
It turns out that you have a good chance of getting into many peoples’ accounts – and computers – by just typing “123456.” Or even “password.” Or just the six letters on the top row of a keyboard, “qwerty.” Use something uncommon and you’ve reached first base.
Password Fail #2: Use a Password That’s Easy to Guess
Let’s say you have a son named Chauncey. When you’re asked for a password that has to be at least 8 characters long, you figure it’s a good idea to use his name. But anyone who can view your Facebook page will see a picture with him, with a comment such as, “Here’s Chauncey on the beach.” That is a pretty obvious clue; many people use the names of their children, their pets, or their favorite sports team as a password. And these are easy enough to find as we publish more and more of our private lives in public forums.
You might think that adding a digit at the end could make the password more secure; so you use “chauncey1,” that’s not hard to figure out either.
Skip this idea, and you get to second base.
Password Fail #3: Use the Date of Your Wedding (or Birthday, or Child’s Birthday…)
So you got married on 6/23/2004. Since many sites require that you use at least eight characters for a password, you can change this to 06232004; that’s certainly a password you’ll never forget. That would be a good password, right? Not really. First, it’s pretty easy to find; there are all sorts of databases containing that kind of information. Second, plenty of friends and co-workers know the date of your anniversary. Pictures on your Facebook page, details on your personal blog, or tweets like, “Happy anniversary to my sweetheart” are all giveaways. The same goes for your birthday, your child’s birthday, your spouse’s birthday, and so on.
If you don’t use well-known or easy-to-guess dates as your password, congratulations, you’ve just advanced to third base.
Password Fail #4: Use the Same Password on Many Web Sites
It’s a lot easier to remember one password than dozens of different ones, right? So you come up with one really good password and you use it everywhere: Facebook, Twitter, Amazon, eBay, PayPal… What if you’ve used it on websites that have been breached? This is the main reason why cyber-criminals want to harvest passwords. If they get a user name and password and then find that it works on other web sites, they can usurp your identity, and perhaps even liquidate your assets. They can even buy things using your credit card – which is stored on, say, Amazon – and have them shipped to their addresses.
If you avoid these four password failures, you’re well on your way to hitting a secure password home run.
In another article, I’ll tell you how you can easily create secure passwords to protect your accounts and better safeguard your personal information.