Despite years of advice urging us to beef up the strengths of our passwords, it seems not many of us are actually taking note.
Web hosts WP Engine got their hands on a database of ten million leaked passwords that had been compiled by security consultant Mark Burnett. Their analysis showed that 0.6 per cent of the passwords were simply “123456”…
The most common passwords included “password” and “qwerty” and the ten most popular alone accounted for sixteen out of every one thousand passwords; 8.4 per cent ended with a number between zero and ninety-nine and more than twenty per cent of the time that number was “one”.
WP Engine also found that we humans are suckers for patterns. Whilst “1qaz2wsx” may look like an impressively rigorous password, it becomes less so when you realize that it was created with adjacent keys.
Creating passwords in this way is known as a “keyboard walk”, and password-guessing tools that run through such combinations crack them easily.
“Adgjmptw” featured in the top twenty keyboard walks, but is the only one that is not a walk across a QWERTY keyboard. Can you figure out what it is (answer at the end)?
However, if those are all examples of bad passwords, just what makes a good one? Especially when you factor in the need to be able to remember it. In a 2011 study, Saranga Komanduri and colleagues at Carnegie Mellon University sought out the answer.
Participants created a total of twelve thousand passwords based on a variety of construction rules, including “comprehensive8”, in which passwords had to be at least eight characters long, contain upper and lower case letters, a number, a symbol and not contain a dictionary word. For example, “Tgfq1&Ha”.
If you are thinking those rules are complicated, then you’d be right. The researchers found that only eighteen per cent of participants could create a suitable comprehensive8 password on their first attempt. In fact, twenty-five per cent of people gave up before they successfully created a working password.
Of course, such efforts would be rewarded if they led to a greater level of security. So, Komanduri put comprehensive8 up against other passwords.
[Chart: The 50 most used passwords]
The researchers then subjected these passwords to two different forms of guessing attack. The hardest to crack? Basic16, which required only that a password be at least sixteen characters long. Even after ten billion guesses, these passwords were only cracked twelve per cent of the time. That compares to twenty-two per cent for comprehensive8 and sixty per cent for basic8 (at least eight characters, with no other rules).
So, not only is the requirement for uppercase/lowercase, numbers and symbols more frustrating for the user, it seems it doesn’t offer as much protection as a string of sixteen lowercase letters. So, Tgfq1&Ha isn’t as good as four random words strung together to make sixteen letters, for example redpiggolfcheese.
Concocting a story around the words will help you remember it – a red pig hitting a lump of cheese with a golf club is a pretty hard image to shake!
ANSWER: Adgjmptw is a keyboard walk on a phone’s number pad, created by pressing each of the numbers 2–9 in order.
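A defender-side check for both kinds of keyboard walk described above, QWERTY adjacency (1qaz2wsx, qwerty) and the phone-keypad digit sequence behind Adgjmptw, as an added example that is not part of the original article. The half-key row offsets, the 0.75 adjacency threshold and the minimum length are my own assumptions.

```python
"""Flag 'keyboard walk' passwords: strings typed by hitting physically
adjacent keys (1qaz2wsx, qwerty) or by stepping through the digits of a
phone keypad (adgjmptw = the first letter printed on each of keys 2..9)."""

# Physical QWERTY layout. Each row sits half a key to the right of the row
# above it (an assumed approximation), which is what puts '1' next to 'q'
# and 'q' next to 'a'.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {
    ch: (col + 0.5 * row, row)
    for row, keys in enumerate(QWERTY_ROWS)
    for col, ch in enumerate(keys)
}

# Letters printed on the digit keys of a phone keypad.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
LETTER_TO_DIGIT.update({d: d for d in "0123456789"})  # digits map to themselves


def qwerty_walk_ratio(password: str) -> float:
    """Fraction of consecutive key pairs that are adjacent on QWERTY.
    A pure walk scores 1.0; ordinary words score well below that."""
    keys = [KEY_POS.get(ch) for ch in password.lower()]
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    adjacent = 0
    for a, b in pairs:
        if a is None or b is None or a == b:
            continue  # unknown key, or the same key twice, is not a step
        if abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1:
            adjacent += 1
    return adjacent / len(pairs)


def is_keypad_sequence(password: str) -> bool:
    """True when every character maps to a keypad digit and the digits move
    up or down by exactly one each time (23456789, 987654, 123456)."""
    digits = [LETTER_TO_DIGIT.get(ch) for ch in password.lower()]
    if len(digits) < 4 or None in digits:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_walk(password: str, min_len: int = 4, threshold: float = 0.75) -> bool:
    """Reject a candidate password if it is mostly a QWERTY walk or a keypad run."""
    if len(password) < min_len:
        return False
    return qwerty_walk_ratio(password) >= threshold or is_keypad_sequence(password)
```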
THE PASSWORD IS DYING
Our advice is all well and good, but we’re afraid it does come with an expiry date. That’s because it is very likely our children, and our children’s children, will laugh relentlessly at us for the fact we ever had to type in some arbitrary string of letters and numbers in order to gain access to our most precious information.
We’re already seeing the beginnings of such a revolution. In 2016, Facebook announced their Account Kit initiative at an industry conference. Rather than signing in using a password, you input your phone number instead. A confirmation code is then sent to your phone and that’s what gets you in.
Smartphone banking apps are beginning to let you into your account by recognizing your fingerprint through a pad on your device. Major banks are also busy developing technology that goes a step further by authenticating your identity simply by the way you hold and use your phone. Face and iris recognition technology isn’t that far over the horizon either.
It is no surprise, because people hate passwords. Surveys suggest that seven in ten people have to hit the “forgot my password” button twice a month. If our technology can know it is us without the inconvenience of having to provide explicit credentials, then we might one day look back on passwords with the same kind of nostalgia as the 8-bit characters.