A University of Michigan-Dearborn professor has a theory about why so many computer passwords are so bad.
“Humans,” explains Hafiz Malik, “generally are lazy people.”
Well, yes. And they apparently didn’t bother to read the stories when the 2013 list of most common passwords came out, because the 2014 list compiled by a password management service called SlashData looks dismayingly similar.
The winners, if that’s the right word, came from an examination of 3.3 million passwords leaked online last year. (It’s harder to examine the passwords that weren’t leaked, because ... well, they weren’t leaked.)
We present them here as a public service, and because they’re easy to make fun of. We’ll also offer a few tips from experts on how to create better ones, although it shouldn’t take Bill Gates to realize that “123456” is a bad idea.
That was No. 1 on the list, followed by “password,” “12345,” “12345678” and “qwerty.”
“An easy password is like no password,” says Malik, an associate professor of electrical and computer engineering.
Furthermore, using the same password for every account is like having a bad password, even if it’s a good password. And using the “Remember My Password” option is almost like writing your password on a Post-it note and taping it beneath your keyboard, which is the surest way to drive your company’s IT technicians to hard liquor.
In a world where some incredibly smart people are devoting all their waking hours to hacking into your Amazon Prime account, the best way to stay safe is to lock yourself in a room with nothing more high-tech than a hot plate and a Kegerator.
Failing that, Malik recommends a combination of upper- and lower-case letters, numbers, and special characters like #%@! — the ones that look like a comic strip character is cursing, perhaps at a co-worker who used “qwerty” as a password.
Some are too easy
The problem with proper passwords, concedes Carl Powell, is that they are much harder to remember than your dog’s name or your anniversary — though if you used your anniversary as your password, at least you’d remember it.
As chief information officer at Eastern Michigan University, Powell’s domain includes 4,000 computers and more than 30,000 people logging into the campus system.
Any horizontal sequence on your keyboard is a bad idea, he says. According to a highly entertaining website in use at EMU — more about that later — a standard desktop PC will crack “12345” instantly.
The more clever “67890” takes longer: approximately 0.000025 seconds.
In the absence of a computer program, what Powell refers to as “social engineering” can also turn your password into an anybody-can-pass word.
If you’re pictured on Facebook in a Detroit Tigers cap, don’t use “tigersfan.” Consider how much information is readily available about most of us: home state, hobbies, the names of family members.
“Now,” he says, “you’ve got about two dozen possibilities for passwords.”
Take the vowels out
Fortunately, there are ways to simplify what seems complicated.
Try a favorite saying, like “livelovelaugh,” or your kids’ middle names. To you it’s poetry, but to a computer program, it’s just a string of letters.
To foil humans who know you like that saying, take the vowels out and add your mom’s birthday: “lvlvlgh050859.” It’s long and obscure, but you’ll remember it.
Use a different person’s birthday as the set of numbers every time you need a password, and you can even stick a cheat sheet in your wallet. “Bank Wife” and “AmEx Son” won’t mean anything to anybody else, but they’ll tell you all you need.
Length is increasingly valuable, Malik says, and Powell has a website to prove it. At howsecureismypassword.net, you get instant feedback as you tap the keys.
“Jones,” it says, will be solved instantly by a program on a PC. “Jones56” takes 14 minutes, while “Jones567” takes 15 hours.
Interrupt the letters, and things get better quickly. Let’s say you were born in December. “Jo1212nes” gets you 39 days. Now add a third 12, but hit the capital letters key for the middle one — “Jo12!@12nes” — and you’re good for 4 million years.
Malik is still correct: we’re lazy people. But we can be devious, too, with just a few more keystrokes.
Pass on these
According to the password management service SplashData, these were the most common of the 3.3 million passwords leaked online in 2014: