Are you a QWERTY fan? Maybe sports teams are more your thing—Cowboys42, anyone? If you haven’t guessed yet, these are common password choices—ones that should be eternally banned for a variety of reasons. But the main reason to stop these lightweight password practices is the ever-deepening need for password security. Security groups release their Top 10 Passwords lists every year, and year after year, nothing changes. It’s depressing for security researchers, but if you’re a user, it’s downright dangerous. Many people have no idea how easy it is for someone to crack their password. If you’re asking yourself, “Is my password secure?” the answer is probably not. Password and security issues are constantly fueling identity theft.
How do hackers get your password?
Most identity thieves get your password from a data breach and use it on other platforms where that password has been reused. Australian security guru Troy Hunt runs a website of compromised emails and passwords. As he puts it, “Password reuse is normal. It’s extremely risky, but it’s so common because it’s easy and people aren’t aware of the potential impact.” Basically, reuse is the bane of password security.
How safe is your password?
Password reuse is firmly entrenched in America, and data breaches are on the rise. You should assume that once someone gets their hands on your stolen passwords, they’ll use them in what’s known as a credential stuffing attack. These automated login attempts try your username/password combo on thousands of websites to see what opens. If you’re using the same password across multiple accounts, a thief can gain access to them all once just a single one is compromised. Stuffing is very successful, and its use grows daily. Once a thief gets into one of your accounts, a simple password change completes the account takeover (ATO) and you, the original owner, are locked out.
How secure should a password be?
Hackers can crack a password like QWERTY or password123 in a millisecond, so aim higher. For years, security pros have suggested longer, stronger passwords to slow cracking programs down. That advice is still sound, but resistance to 16-character passwords remains strong, because who can remember a 16-character string of random numbers and letters? One option is to use a tool to help you keep track of your passwords, like IDShield’s Password Manager.
And then there are people who use “password” as a password. According to haveibeenpwned.com, it’s been found in compromised data batches 3,861,493 times. That’s still far less than the record held by 123456, which turns up 24,230,577 times in Hunt’s compromised-password files. You can bet these are the first words hackers check during ATO attempts. How do hackers get your password? Often, it’s by guessing.
How long would a computer take to guess your password?
Ever wonder how long it would take a computer to guess your password? For most of us, it wouldn’t take long at all. Even adding just a single character can boost security. Look at the sample password Isoar42. That takes around a minute for a computer to break. Isoar42@@ takes far longer—roughly three weeks. Add a third symbol—such as a bracket—and it takes 52 years to crack. Now that’s a strong password! There are billions of passwords floating around the internet. Some are for sale, and others are so stale that they’re worth next to nothing. Hunt’s website stores “real-world passwords” that have been compromised in data breaches. Search his repository of stolen passwords if you’d like to see how yours have held up over time. Then, immediately change any of the combinations you find.
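The crack-time figures above come from an online estimator and depend entirely on the alphabet and guess rate that estimator assumes. The following added example (not code from the article or from IDShield) makes that arithmetic explicit for the article’s own samples: it sizes the search space from the character classes a password uses and converts it to an expected time at an assumed guess rate. The 1e10 guesses per second used by default is a constructed figure for a fast offline attack, not a measurement.

```python
import string

# Character classes that decide the alphabet an exhaustive attack must cover.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 (includes @ and brackets)
}

def alphabet_size(password: str) -> int:
    """Size of the union of every class the password draws a character from."""
    # Only printable ASCII is modelled; anything else would silently shrink the estimate.
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        raise ValueError("only printable ASCII characters are modelled")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Candidates an exhaustive attack of this length and alphabet must try."""
    return alphabet_size(password) ** len(password)

def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the assumed rate.
    Rate-limited online guessing is many orders of magnitude slower than
    offline cracking, so the same password gets very different estimates."""
    return keyspace(password) / 2 / guesses_per_second

def compare(passwords, guesses_per_second: float = 1e10) -> dict:
    """Map each password to its expected crack time (seconds) at one assumed rate."""
    return {p: expected_crack_seconds(p, guesses_per_second) for p in passwords}

if __name__ == "__main__":
    # The article's samples: 7 chars from 62, then 9 and 10 chars from 94.
    for pw, secs in compare(["Isoar42", "Isoar42@@", "Isoar42@@]"]).items():
        print(f"{pw:12} alphabet={alphabet_size(pw):3} "
              f"keyspace={keyspace(pw):.3e} ~{secs / 86400:.1f} days")
```

Each extra symbol multiplies the keyspace by 94, which is why the estimate jumps from minutes to decades, but the model is an upper bound: attacks that try wordlists and common patterns first finish far sooner on predictable choices.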
How to answer the question, “How secure is my password?”
The first step is admitting you have a problem. Are you using simple phrases, repeating your password, or both? Yes, it’s easier to use one password on hundreds of websites. But the seconds you save using just one don’t hold a candle to the hours, days or months you’ll lose trying to fix the damage hackers can do with your login credentials. Better password security starts with a simple password review:
- Check out a list of the top 100 passwords and avoid them.
- List all your current passwords and run them through haveibeenpwned.com to discover whether they’re already compromised.
- Cross off any words found in a dictionary.
- Don’t use your pet’s name or a nickname.
- Shun any key data from your life, including a parent’s name or first car model.
Run the remaining ideas on your list—versions similar but not identical to your choices are best—through a password cracking estimator to see how long hackers would need to decode your top selection. Play around by adding or deleting characters and watch as a one-minute crack time switches to one thousand years with a few added keystrokes. While these online crack estimators aren’t very accurate, they’ll give you some insight into how dangerous some of your past choices really were. No one should ever use a common, predictable password.
Wouldn’t it be fantastic to live in a world in which everyone embraced the need for variety and complexity in password creation? Billions would be saved in costs related to fraud and data misuse. But password security research shows that we’re far from that idyllic world, and personally identifiable information (PII) keeps falling into the wrong hands. Until we create that utopia, IDShield 24/7 data monitoring can spot your email addresses when they’re compromised and potentially sold on hacker forums. A timely alert can help you get a jump on changing exposed data and searching for the beginnings of identity theft. An identity theft protection plan with personal monitoring is a must-have for anyone who lives their life online (which, let’s be honest, is pretty much everyone). Think of it as added protection that takes you beyond the security of a brand new 16-character password.
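The review step above sends your passwords to haveibeenpwned.com, and the safe way to do that is the site’s k-anonymity range lookup: only the first five characters of the password’s SHA-1 hash leave your machine, and the server answers with every hash suffix it holds for that prefix. The following added example (not code from the article, from IDShield or from the haveibeenpwned project) implements that client-side half; the range response embedded here is a constructed sample, with the count for “password” set to the figure the article quotes.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed sample of a range response for prefix "5BAA6": one line per
# matching hash suffix, formatted "<35 hex chars>:<breach count>". Only the
# "password" line carries a real suffix; the other two are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2E5C0A9F7B3E8D6C4A2B1F0E9D8C7B6A5:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9:12
"""

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that is compared locally and never transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in breaches; 0 means not found
    in this range (or that the body belongs to a different prefix)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix from the Pwned Passwords range endpoint."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    prefix, _ = split_hash("password")           # prefix is 5BAA6
    print(prefix, breach_count("password", SAMPLE_RANGE_5BAA6))
```

For a real check, replace the sample with `fetch_range(prefix)`; any count above zero means the password is on attackers’ lists and belongs in the “change immediately” pile.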
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.