The untold truth about passwords – is your password one of the most commonly used ones?
4 min read
We use passwords in numerous aspects of everyday life. Having a secure passphrase with which to access your personal data is of extreme importance when browsing online, managing financial transactions or even unlocking your cell phone.
In banking, 6-digit PIN codes are seldom used around the world, even though a 6-digit PIN has a whopping 1 million possible combinations whereas a 4-digit PIN has only 10,000. The reason only a few countries have adopted a 6-digit PIN policy is the recurrent problem of people forgetting their PIN. Along the same lines, online passwords tend to be short, so that the user is more certain to recall them, and are therefore weak. To get around the difficulty of remembering passwords, the tendency is to create overly simple passwords with very few characters, often built from common words, and, worse, to write them down on a piece of paper.
The most commonly used passwords online contain people’s pets’ names, their car model or even the word “password”. Logical number sequences such as 12345, 246810 and 654321 are also extremely popular, yet unreliable and easy to break. A favorite movie or book title, the names of countries or colors are frequent variations as well. Surprisingly, the term “passphrase” has never really caught on, yet if users started to think of their passwords as passphrases, the issue of weak passwords could easily be resolved.
A strong password should be long and avoid commonly used words, such as StarWars (which was actually the most commonly used password in 2017), or dictionary words. Moreover, as security breaches are widespread, it is important that you change your passwords regularly and do not reuse previous ones, which may have been compromised.
“CharlieChaplinesMakesMeLaught” is a far stronger password than “Oq!5$2é”, even though it contains only letters. It is a lot harder to guess than “Password1”, yet still easy for the user to remember. It is easier to type correctly than “Zq!5$7é”, and although it takes a few seconds longer to type than a standard eight-character password, it is more secure. Long passphrases should be a best practice for both administrators and users. Length is one of the few effective controls left for making passwords more robust, and thinking of a password as a passphrase opens up length and memorability without undue complexity.
In practice, using mixed case, numbers and special characters makes a password much stronger than using letters alone. The next level of password security is to spell out a phrase phonetically, e.g. “Imuboe” (instead of “I’m a boy”), or to take the first letters of a memorable phrase, such as “mlksqisf” for “Martin Luther King s’ quote is super famous”. Use at least 8 characters, as this will enhance your password’s strength. One more step is to include numbers and special characters, so that your passphrase could look like “I@Ma*&0?it”: I am a star and nobody questions it.
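As an added example, not code from this article or its sources, here is a small Python checker that makes the length-versus-complexity argument above concrete: it estimates the brute-force search space of a password from its length and the character classes it uses, and rejects the common choices quoted in the article. The COMMON_PASSWORDS set is constructed from the article's own examples, and the bit estimate assumes an attacker who knows only the length and character classes, so it overstates the strength of a passphrase built from dictionary words.

```python
import math
import string

# Constructed from the examples quoted in the article; a real deployment would
# check against a full list of breached passwords instead.
COMMON_PASSWORDS = {"password", "password1", "12345", "246810", "654321", "starwars"}

# ASCII character classes; each class used anywhere in the password counts whole.
CHAR_CLASSES = (
    string.ascii_lowercase,  # 26
    string.ascii_uppercase,  # 26
    string.digits,           # 10
    string.punctuation,      # 32
)


def charset_size(password):
    """Alphabet size an attacker must cover: every ASCII class the password uses,
    plus one symbol for each distinct non-ASCII character (for instance 'é')."""
    size = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    size += len({c for c in password if not any(c in cls for cls in CHAR_CLASSES)})
    return size


def brute_force_bits(password):
    """log2 of the keyspace (alphabet ** length). This is a best case for the
    defender: it assumes every character was chosen uniformly at random."""
    return len(password) * math.log2(charset_size(password))


def check_password(password, min_length=8):
    """Apply the article's two rules: no common passwords, at least 8 characters.
    Returns (accepted, reason)."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, f"{brute_force_bits(password):.1f} bits of brute-force search space"


if __name__ == "__main__":
    for candidate in ("Password1", "Oq!5$2é", "CharlieChaplinesMakesMeLaught", "1234", "123456"):
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'ok' if accepted else 'rejected'} ({reason})")
```

Running it shows the 29-letter passphrase at about 165 bits against roughly 46 bits for the 7-character mixed string, while "Password1" is rejected before any arithmetic because it is on the list.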
Even though these are often personal practices, they have a direct bearing on the data security policies of organizations. In the office, especially with the new GDPR rules affecting all online privacy policies, it is crucial to train employees in safe online habits and to have proactive defense practices. Educating them about the risks and possible consequences is a much more effective strategy than blindly trusting your IT security staff to fix things once the damage is done. If your employees understand the importance of your data and why it needs to be protected, they will understand the importance of using a strong passphrase and changing it regularly. This benefits both the company itself and the safety of customer data. To illustrate the importance of keeping passwords safe for both personal and organizational purposes, we finish with a humble quote: “Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” – Clifford Stoll.
Sources: CSOOnline, Symantec, ComputerWeekly