By now, everyone who uses the internet has been told they need to set strong passwords on their accounts. Some follow that advice, and some sites even force us to add a little complexity, but many still don’t. Every time another site is breached and security researchers find the account credentials circulating among criminals on the dark web, we still see lots of passwords set as “password” and “123456”, or even the site name, like “evite”, “dubsmash”, etc.
Clearly the message is not getting through.
At a basic level, I think everyone understands the logic behind picking longer, more complicated passwords that are harder for bad actors to figure out and therefore better protect sensitive and valuable information. When the rubber meets the road, however, it’s clear that consumers’ bad password habits are still very much prevalent. Part of it I’m sure is laziness, and the other part is probably a sense of “why would someone go to the trouble to target little old uninteresting me?”
The answer is that criminals can and will target you and millions of other online users randomly and opportunistically.
The reason is that the proliferation of stolen or leaked breach databases has given rise to ‘credential stuffing,’ a fairly simple technique in which hackers load lists of stolen credentials (called combolists) into automated tools that test those username and password pairs against thousands of other websites.
Even creating an incredibly long and complex password is rendered meaningless if you’ve reused it. If one account is breached, criminals will eventually test the passwords on every other account associated with that email address or username – because they know that most people reuse passwords.
Many consumers have improved their password hygiene by picking passwords that are unique across accounts. But instead of coming up with completely new and unique passwords, they add or swap out a letter, number or special character at the end of the password. So instead of “password,” they make it “password1” or “password%.” Some get even more creative and capitalize or repeat letters within their passwords (“passWORD” or “passworddd”). Others flip-flop sections of letters (“wordpass”) or reverse the entire word (“drowssap”). While slightly better than “123456,” these passwords are still extremely vulnerable.
Now you may be thinking you have nothing to worry about because your password is “password#” or “wordpass%.” Criminals are a step ahead of you there too. They already know the most common additions and adjustments people make to the most common passwords, and they use different attack methods to quickly test all those variations.
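As an added example (not code from the original article), here is a registration-time check in Python that rejects a candidate password when it is one of the trivial variants described above: trailing or leading digits and symbols, case changes, repeated letters, swapped halves or full reversal. The common-password list is a small constructed sample; a real deployment would load a breach-derived list instead.

```python
import re

# Constructed sample for this example; a real deployment would load a
# breach-derived list (e.g. a Have I Been Pwned download) instead.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "evite", "dubsmash"]


def _collapse(s: str) -> str:
    """Collapse runs of a repeated character ("passworddd" -> "pasword")."""
    return re.sub(r"(.)\1+", r"\1", s)


def _strip_affixes(s: str) -> str:
    """Remove leading/trailing digits and symbols ("password1", "%password")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_forms(password: str) -> set:
    """All base forms a password reduces to after undoing the common mutations:
    case changes, added digits/symbols, repeated letters, reversal ("drowssap")
    and swapped sections ("wordpass", handled as every rotation of the string)."""
    lowered = password.lower()
    core = _collapse(_strip_affixes(lowered) or lowered)  # keep "123456" intact
    forms = set()
    for s in (core, core[::-1]):
        for i in range(len(s)):
            forms.add(s[i:] + s[:i])
    return forms


# Index the common list in the same collapsed form so comparisons line up.
_COMMON_COLLAPSED = {_collapse(p): p for p in COMMON_PASSWORDS}


def weak_variant_of(password: str):
    """Return the common password this candidate is a trivial variant of, or None."""
    for form in candidate_forms(password):
        if form in _COMMON_COLLAPSED:
            return _COMMON_COLLAPSED[form]
    return None


def check_password(password: str, min_length: int = 12) -> str:
    """Registration-time policy: reject trivial variants first, then short passwords."""
    base = weak_variant_of(password)
    if base is not None:
        return f"rejected: variant of common password '{base}'"
    if len(password) < min_length:
        return f"rejected: shorter than {min_length} characters"
    return "accepted"
```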
That’s where using longer and more complicated passwords becomes important. The longer and more complex a password, the harder it is to crack. Hash cracking tools require more computing power and time to brute force through all the combinations of letters, numbers and special characters. At some point, it stops being worth the time and effort, and attackers will just move on to easier accounts to crack. As the saying goes, you don’t have to outrun the bear, you just have to outrun the other people.
The worst thing people can do is think they have an unbreakable password. That is exactly what cybercriminals want people to think, so it’s critical not to get complacent with password practices. Adjusting passwords so they aren’t exactly the same on multiple accounts is the minimum everyone should do, but we know that simple adjustments such as re-ordering the letters and characters aren’t foolproof. It’s much safer to set long, complex and completely unique passwords for different accounts with a password manager so you don’t have to keep track of them all.
Let’s stop making it easy for cybercriminals. They’re an innovative bunch, but too often they are profiting from our lazy password habits.