Worst passwords for 2017 and how to avoid using them
TL;DR: There are common passwords that many people use. They’re all bad, don’t use them. Instead, use a strong, randomly generated password.
Creating and maintaining passwords has become one of the most pervasive and annoying parts of contemporary online life. How many times a day do you log into a secure website or application with a password? How many passwords or password variations do you keep in your head to overcome this problem? How do you keep it all straight? It’s overwhelming.
We all have our own methods for creating passwords that we can remember. And every year, computer security specialists do a roundup of the worst passwords of the previous year. Sometimes the focus is on how common a password is, or sometimes how absurdly easy it would be for a hacker to guess. I sometimes think that people like the lists of bad passwords just so they can feel better that their passwords aren’t on the list and, therefore, feel a bit happier about their own security.
Unfortunately, even if you don’t use a known “bad” password, chances are that your password of choice is still not very secure. There are many ways that our password choices can degrade our online security, but two of the most common practices are using “weak” passwords and re-using the same password (weak or strong) across multiple accounts.
Both of these behaviors stem from the same basic misconception: the idea that you should be able to remember your passwords. I’m here to tell you: don’t even try. The simple truth is that a password you can comfortably remember is almost always one a computer can guess. (A long passphrase of several randomly chosen words is the one exception, and even then you will not remember a different one for every account.) So on that note, rather than give you a list of bad passwords, I’ll focus on these two bad password practices:
Using Weak Passwords
The first “gotcha” I mentioned is using weak passwords. A weak password is one that is easy for a computer to “guess” using automated techniques. Hackers are smart – they don’t sit there typing in password guesses one at a time. They write programs that try thousands of passwords per second against a login page, and billions per second when they have stolen a site’s database of password hashes and can guess offline on a graphics card.
Imagine this – you’ve decided that you’re going to be tricky and pick a random word out of a dictionary. You flip open the big book, poke a page and get “justification.” Nice one! No one would ever guess that, right? Wrong. A “dictionary attack” is one of the first things that a hacker will run. It takes a known wordlist (real dictionaries, plus the passwords exposed in earlier breaches), tries every entry as your password, and then tries the obvious variations of each one: capitalized, with a “1” or “!” tacked on the end, with letters swapped for look-alike symbols. There are 171,476 words in the 2nd edition Oxford English Dictionary. Remember when I said a computer can try thousands of passwords per second? Even an old computer can run 1000 tries per second with ease. That’s 171 seconds – less than three minutes – to try every word in the dictionary. Just to be sure, they’ll add the other top 10,000-1,000,000 passwords (removing any duplicates – something else a computer is really good at!), and still clock in under an hour. At offline cracking speeds the same run finishes in well under a second.
Re-using Passwords
You may think that you’re finally over that security hump because you’ve mashed up your childhood address and some symbols into a memorable password – [email protected]! – and now you’ve updated all of your online accounts to use that much more secure password! Until some online service provider gets hacked through no fault of your own, spilling millions of users’ login credentials across the dark recesses of the internet for every nefarious individual with a computer to start digging into. If that site stored its passwords badly, your clever mash-up is cracked offline with the same mangling rules described above, and the bad guys now hold a working email-and-password pair for you. And guess what? Since you probably use one of the top 100 banking institutions in your country, it’s pretty easy for them to replay that pair, plus a few variations on your name as the login, against every single bank until one lets them in. This is called credential stuffing, and because computers do things automatically it’s literally no effort for a hacker to run it against thousands of sites and millions of stolen accounts at once.
Ok, so I imagine now you’re probably thinking something along the lines of “Gee thanks, I can’t use any of my own passwords. What the heck should I be doing instead?” The answer is, stop trying to remember passwords. Instead, use a password generator to create long, random passwords for all of your online accounts (a different one for each account, so one breach can’t spill over into the rest) and some sort of system to remember them for you.
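To make the arithmetic above concrete, here is an added example (written for this edit, not code from the original post or from Kitestrings) that runs a miniature dictionary-plus-rules attack against a few guessable passwords, works out how long a wordlist takes to exhaust at a given guess rate, and then generates a random password the way a password manager does and estimates how long brute force would take against it. The five-word wordlist, the mangling rules and the two guess rates are assumptions chosen for illustration; real cracking wordlists run to millions of entries and real rule sets to thousands of rules.

```python
import math
import secrets
import string

# Constructed stand-in for a real cracking wordlist. The 2nd edition OED
# has 171,476 headwords; cracking lists such as rockyou.txt run to millions.
WORDLIST = ["password", "justification", "sunshine", "dragon", "letmein"]

# A handful of the mangling rules every cracker ships with (assumed, illustrative).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "1!", "2017", "2017!"]

# Guess rates: rough orders of magnitude, assumed for this example.
ONLINE_RATE = 1_000                 # the article's "old computer" figure
OFFLINE_GPU_RATE = 10_000_000_000   # fast unsalted hashes on one modern GPU

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def variants(word):
    """Return the candidate list a rule-based cracker derives from one base word."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = []
    for b in (word, word.capitalize(), word.upper(), leet, leet.capitalize()):
        if b not in bases:          # keep order deterministic, drop duplicates
            bases.append(b)
    return [b + s for b in bases for s in SUFFIXES]


def dictionary_attack(target, wordlist=WORDLIST):
    """Number of guesses a dictionary-plus-rules attack needs to hit `target`,
    or None if the password is outside the wordlist and its mangled variants."""
    guesses = 0
    for word in wordlist:
        for candidate in variants(word):
            guesses += 1
            if candidate == target:
                return guesses
    return None


def seconds_to_exhaust(num_candidates, guesses_per_second):
    """Wall-clock time to try every candidate once at a given guess rate."""
    return num_candidates / guesses_per_second


def entropy_bits(alphabet_size, length):
    """Entropy of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2 / guesses_per_second


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Random password from the OS CSPRNG (never random.choice, which is predictable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("justification", "Justification1!", "Ju$t1f1c@t10n2017!"):
        n = dictionary_attack(pw)
        print(f"{pw!r}: found after {n} guesses, "
              f"{seconds_to_exhaust(n, ONLINE_RATE):.3f} s at 1000 guesses/s")
    print(f"Whole OED at 1000/s: {seconds_to_exhaust(171_476, ONLINE_RATE):.0f} s")
    print(f"Whole OED at GPU speed: {seconds_to_exhaust(171_476, OFFLINE_GPU_RATE):.6f} s")
    strong = generate_password()
    bits = entropy_bits(len(DEFAULT_ALPHABET), len(strong))
    years = expected_crack_seconds(bits, OFFLINE_GPU_RATE) / (365 * 86400)
    print(f"{strong!r}: {bits:.0f} bits, dictionary hit: {dictionary_attack(strong)}, "
          f"~{years:.2e} years at GPU speed")
```

The point the run makes is that “Justification1!” and the leet-speak “Ju$t1f1c@t10n2017!” fall within a few dozen guesses of the plain word, because the attacker’s rules generate exactly the tricks people use, whereas a 20-character random string from a 94-symbol alphabet has about 131 bits of entropy and never appears in any wordlist. Note that the entropy figure only holds when the characters really are chosen uniformly at random, which is why the generator uses `secrets` rather than the `random` module.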
As the saying goes, “there’s an app for that.” Modern browsers have built in features to store your passwords, which is a starting point if you’re only using one device. When you enter a login and password into a website, your browser will usually show you a message to the effect of “Chrome would like to save your password. Ok / Not now / Never for this site.” It gets a little more complicated if you want to save your passwords across different devices – say, your phone and your laptop. But there are a number of services that can help with that (including our own free product).
At first it will seem annoying, but once you get in the routine it will become automatic, like locking your car door at the supermarket. The habit will form and you’ll internalize better security as part of your normal online life. So, the next time you’re creating a new account (or doing some Spring cleaning on your online accounts!), don’t just use the same old password. Generate a strong, random password, and store it in your password manager of choice (we recommend Kitestrings, of course).