Your passwords aren’t just hanging about on a server waiting to be stolen—there’s a whole process that goes on behind the scenes to keep them safe. Just make sure they aren’t common—or they’ll take mere seconds to crack.
How Passwords Work
The website or service you’re using doesn’t just memorize your password and let you access the account. This would be a big security risk. All a hacker would have to do is compromise the security of the server, and they’ll gain access to your credentials. So, what really happens when you create a password?
The process involves something called password hashing. Password hashing runs your password through a hashing algorithm and converts it into a string of letters and numbers. The result is called a hash, and it is generally unique to the input. The website saves only this hash; the next time you enter your password, it hashes what you typed and compares the result against the stored hash to see if it matches.
If the password is strong enough, the hash usually can’t be cracked: the longer and less predictable a password is, the more guesses an attacker has to try before hitting the right one. This is especially true when algorithms designed to be slow for password storage are used (such as Argon2 or bcrypt).
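The store-and-compare flow described above, as an added example that is not from the article: each user gets a random salt, the password is run through a deliberately slow hash, and only the salt and hash are stored. PBKDF2 from Python’s standard library stands in for Argon2/bcrypt (which need third-party packages); the iteration count and record format are assumptions.

```python
# Added example: storing and checking a password without keeping the password.
# PBKDF2-HMAC-SHA256 (standard library) stands in for Argon2/bcrypt here.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor: slows every guess an attacker makes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'pbkdf2$<iterations>$<salt-hex>$<hash-hex>'."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user, so equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the typed password with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("password1", stored))  # False
```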
Some Passwords Take Less Than a Second to Crack
Passwords like “123456,” “Password1,” and “qwerty” aren’t just common worldwide, they’re ridiculously easy to crack, taking less than a second to unscramble. There are passwords that may seem unique but surprisingly still take just seconds to crack, though this duration can vary depending on the technical skills of the hacker.
There are cracking tools (brute force tools usually) that can allow a hacker with very little technical skill to brute force their way into a login. These tools work by automatically trying different potential password combinations until the right one is found—this means that even a newbie hacker could crack your password if it’s weak.
How Is This Relevant to Common Passwords?
One common brute force attack is the dictionary attack, which is when a hacker uses a list of common passwords to gain entry to an account. Some brute force tools use a hybrid approach, where they try a variation of common passwords along with different character additions, such as special characters and numbers. This is all automated. Of course, no hacker is sitting there trying to log in to an account by typing in common passwords one by one.
Common Passwords You Should Never Use
So, besides the obvious common passwords that stand out, either due to keyboard patterns (like “qwerty” or “asdfgh”) or number combinations (such as “123456” or “111111”), tons of others were identified by the password security company, NordPass, as being common worldwide. Some of these include:
Sports-Related Passwords
Did you know that “football” and “baseball” are two of the most common passwords, with the former ranking 50th and the latter ranking 64th in the most common list? “Soccer” also made it to the list, with over 42,000 users worldwide having picked it as a password. “Basketball” is another sports-related password on the list. Many of these take seconds to crack.
If you’re a sports fan, you may want to avoid these common passwords. Even variations like “football123456” are just as insecure due to how brute force tools work.
Common Nicknames
Turns out, “princess” and “sunshine” aren’t just cute nicknames—they’re also hacker favorites, cracked faster than you can make your coffee in the morning. Both “princess” and “sunshine” take less than a second to crack, were used more than 54,000 times, and ranked as the 52nd and 57th most common passwords worldwide, respectively.
Fictional Characters
Even your favorite nostalgic TV shows aren’t safe; in fact, “Pokémon” has been used more than 50,000 times. “Superman” made it to this list, with both passwords taking less than a second to crack.
Batman actually came 183rd on the most common list, with over 24,000 people using it as a password. Does this finally settle the age-old debate of Superman vs. Batman?
Other popular passwords that made it to the list include Star Wars, ranked 112th, with more than 34,427 people using it as their password. Unfortunately, all these passwords take less than a second to crack.
Names
Most names aren’t unique, and hackers know this. Names have been built into lists in dictionary attacks since they’re predictable, making it easy for hackers to crack the password.
Some of these names include “michael,” “daniel,” “jessica,” “jordan,” “ashley,” “jennifer,” “thomas,” “anthony,” “andrew,” “nicole,” “jonathan,” “justin,” and “samantha,” which all take mere seconds to crack.
If your name is on the list, congratulations, you just made it to the 70th rank of the most common passwords used online. You should also probably change your passwords—adding capitalization or extra characters won’t help much in this case.
Random Words
Words like “cheese,” “shadow,” and “unknown” actually made it on the most common list, with the latter two taking seconds to crack. I’m surprised “shadow” would be a choice of password for over 42,000 people!
Interestingly, the password “unknown” can take a bit longer to crack—about 17 minutes. Though this isn’t a long time and not strong enough to be a secure password, there’s a reason why it takes slightly longer for this password to be cracked. One of the reasons is that dictionary or wordlist attacks usually prioritize high-probability words.
“Unknown” seems random enough, but it usually isn’t a go-to word unless paired with variations like “unknown123”. It may take longer to crack only because it appears later in the cracking priority order, so it’s not actually stronger. Cracking speed also depends on the hash algorithm and the computing power available.
Technology-Related Words
Words like “computer,” “letmein,” “changeme,” “samsung,” and “internet” were seen on the most common list, which all take less than a second to crack. It’s best to avoid common and predictable words related to technology.
The password “admin” also showed up high on the list, which was no surprise. Many devices and systems usually come with a default login, with “admin” being the username and password. It seems that it’s the 94th most common password, with 40,324 people using it as their password. They may have either not changed the default password or decided to stick to “admin” because of convenience.
In either case, this is not a safe password and can take less than a second to crack. This is also the same case for the password “master,” which came 106th as the most common password, with over 36,000 people opting for it as their password. Like “admin,” it also takes less than a second to crack.
How to Pick a Secure Password
Now that we’ve seen what passwords not to pick, how do we choose a password that is secure, unique, and doesn’t take mere minutes to crack?
I recommend picking a password that has 12 characters minimum; the longer, the better. You should include a mix of numbers, special characters, and uppercase and lowercase letters. This mix can make the password harder to crack.
You should avoid common names and words you can find in a dictionary, as well as combinations of those. Using common substitutions isn’t a smart move either: for example, replacing the “O” with “0” and adding a predictable number pattern, so that “computer” becomes “c0mputer123,” doesn’t make it any more secure.
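A registration-time check that applies the advice above, as an added example that is not from the article: it rejects short passwords, passwords with too few character types, and any password that a hybrid dictionary attack would reach from a common word, such as “football123456” or “c0mputer123”. The word list is a small constructed sample, not NordPass’s full list, and the substitution table and thresholds are assumptions.

```python
# Added example: reject common passwords and their predictable variations.
import re

# Constructed sample of common passwords named in the article (lowercased).
COMMON_PASSWORDS = {
    "123456", "111111", "password", "password1", "qwerty", "asdfgh",
    "football", "baseball", "soccer", "basketball", "princess", "sunshine",
    "pokemon", "superman", "batman", "starwars", "michael", "jessica",
    "cheese", "shadow", "unknown", "computer", "letmein", "changeme",
    "samsung", "internet", "admin", "master",
}

# Assumed table of the letter-to-digit/symbol swaps that cracking tools also try.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # the article's recommended minimum


def candidates(password: str) -> set:
    """Base words a hybrid dictionary attack could reach from this password."""
    lower = password.lower()
    forms = {lower, re.sub(r"[^a-z]+$", "", lower)}           # strip trailing digits/symbols
    forms |= {f.translate(LEET_MAP) for f in list(forms)}      # undo c0mput3r-style swaps
    forms |= {re.sub(r"[^a-z]+$", "", f) for f in list(forms)}  # strip again after swapping
    return forms


def check_password(password: str) -> list:
    """Return the reasons a password is rejected; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for p in classes if re.search(p, password)) < 3:
        problems.append("uses fewer than three character types")
    if candidates(password) & COMMON_PASSWORDS:
        problems.append("is a common password or a predictable variation of one")
    return problems


if __name__ == "__main__":
    for pw in ("football123456", "c0mputer123", "Iwtrhs,gity2000,&bac4$4000"):
        print(pw, "->", check_password(pw) or "OK")
```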
The Risk of Using the Same Password for Everything
According to KnowBe4, passwords are reused 64% of the time, and the number of passwords to remember reaches over 100.
Using the same password for different accounts is discouraged. If one account is compromised, either through a data breach (which is not uncommon these days) or from unauthorized access to your account, a hacker can try to use that password to gain access to other accounts.
If a company’s server gets compromised, hackers can get access to the hashes that they can try and “crack.” One way they do this is by guessing common passwords, hashing them with the same algorithm, and seeing if there’s a match.
Consider using multi-factor authentication (MFA) on all your accounts. This gives you an additional layer of security in case your password is ever compromised.
How to Remember Your Password
You can create the most complex password with a lot of characters, special symbols, and numbers, but what’s the point if you can’t remember it? Writing down your password may seem convenient, but this still has the risk of old-fashioned theft. Remembering passwords doesn’t have to be a pain.
You can opt in to using a password manager that saves your passwords for you, but there is another solution. You can use a memorable pattern or passphrase to generate a password unique to you that is both strong and easy to remember.
For example, say: “I went to Richfield High School, graduated in the year 2000, and bought a car in that year for $4000.”
You can turn that sentence into a password by taking the first character of each word (with “&” standing in for “and” and “4” for “for”), so your password in this case becomes: “Iwtrhs,gity2000,&bac4$4000.” This password could take 13 million trillion years to crack!
This estimate is according to PasswordMonster, a tool that can measure the time it takes to crack your password. Though these tools are still estimates and assume specific attack methods, you can use them as a rough guide to see if your password is secure enough.
Using unique passwords for every service, avoiding common scams, and making sure to use multifactor authentication can take you far in the world of online security. But it’s not the end, so it’s important you stay sharp and informed.