Internet Security Fundamentals - Online Edition

31 Passwords

When it comes to passwords, the truth is that we are very good at creating passwords that are hard for other people to guess (and hard for us to remember) but easy for computers to crack. The old advice of adding numbers, capital letters and non-standard characters will still help against another person guessing your password, but a computer does not guess the way a person does: it runs through dictionaries, common character substitutions and then every possible combination of characters. What used to take years of computing power at great expense to crack now takes days, minutes or even seconds, depending on how much processing power the cybercriminal has access to (together with the right know-how).

Also, every month there seems to be some reason that forces us to change our passwords for various online services, whether due to malicious hackers, viruses, security flaws or system updates. Sometimes this is due to the discovery of a major global issue like the Heartbleed security flaw of 2014, which affected approximately half a million online servers running the OpenSSL cryptographic software. OpenSSL is one of the most widely used implementations of TLS, the protocol that puts the S in HTTPS and the padlock icon in the browser to say that the password details you have just typed are encrypted and secure, or so everyone thought. Heartbleed let an attacker read fragments of a vulnerable server's memory, which could include passwords in transit and the server's private keys, which is why users were told to change their passwords once the affected sites had been patched.

So, it is no longer a case of choosing one good strong password that you can remember. It is a case of choosing a password that you should expect to change a few times a year for each online service you use, though hopefully you will not have to. Avoid using words and numbers associated with you that could be found on social media in any of your passwords, so no children's names, birthdays and so on. If you can, mix numbers into the words and use a phrase or string of words that will not appear in a dictionary, for example f0rexamplE: or Ch1ckenKebab5WithRice. Be aware, though, that swapping 0 for o, 1 for i or $ for s is a well-known trick: password-cracking tools try those substitutions automatically against every dictionary word, so they add far less strength than people assume. For really strong passwords that are easy to remember, use several unrelated words with additional numbers and characters, like rhubarbBricks@0090 or BubbleToadBurgers42; the length and the unpredictability of the word combination are what make them strong. It can be handy to mentally replace the word 'password' with 'passphrase' whenever you see it, to get used to creating longer, more secure passwords. If you can string three or four unrelated words together (and add a number or two, because sometimes you are forced to) you will have a very strong password. But remember that if you write it down, someone else may read it, so do not write down everything else needed to access the service, such as your username and the website, alongside it.

Daily, millions of passwords are posted on online sharing sites or sold on the internet, and many of them are extremely easy to guess. To give you an idea of the scale of the problem we face, every year NordPass compiles a list of the top 200 most commonly used weak passwords, and unfortunately not a lot changes from year to year. The 2024 research is based on a 2.5TB database covering 44 countries, extracted from various publicly available sources, including those on the dark web. For more information see: https://nordpass.com/most-common-passwords-list/

These are the top 30 most commonly used weak passwords of 2024 according to NordPass, in rank order:

01. 123456       02. 123456789    03. 12345678     04. password     05. qwerty123
06. qwerty1      07. 111111       08. 12345        09. secret       10. 123123
11. 1234567890   12. 1234567      13. 000000       14. qwerty       15. abc123
16. password1    17. iloveyou     18. 11111111     19. dragon       20. monkey
21. 123123123    22. 123321       23. qwertyuiop   24. 00000000     25. Password
26. 654321       27. target123    28. tinkle       29. zaq12wsx     30. 1q2w3e4r

If you spot one of your passwords in the above list, please change it for a much stronger one using the guidance in this chapter as soon as you can. There are also other 'Worst Password' lists from companies like TeamPassword, who maintain an annual top 50 compiled from passwords found in data breaches and dark web listings, as well as ones that are easily guessable, at: https://teampassword.com/blog/worst-passwords-2024-password-security-tips

There are also other lists that criminals feed into their password-guessing systems and brute-force automation scripts. The one below, for example, is built purely from variations of the word 'password', which is far more common than you might think; cracking tools generate these variants automatically from the base word, so none of them is meaningfully harder to crack than 'password' itself. Once again, if you spot one of your passwords in the list, or something similar, please change it to something completely different, rather than yet another variation of the word password.

p4sSw0rd PASSWORD p@sswOrd P@$$w0rd p4ssword
p4Ssw0rd p455word P@sswOrd P@55word p@55w0rd
PaSsWoRd p455wOrd p@$$word PasswOrd P@ssw0rd
PASSword P455word p@$$wOrd P4ssw0rd p@ssword
pa$$w0rd P455wOrd P@$$word P@55w0rd p4ssw0rd
p@sSw0rd p4sswOrd P@$$wOrd P@ssword pa55w0rd
p@Ssw0rd P4sswOrd P455w0rd p@$$w0rd passw0rd
Pa55w0rd p@55wOrd P4ssword Passw0rd p@ssw0rd
Pa55word P@55wOrd p@55word Password password
pa$$word passwOrd pa55word p455w0rd  

The United States National Institute of Standards and Technology (NIST) publishes password guidelines for the US government (Special Publication 800-63B). They require a minimum password length of 8 characters and say that services should allow passwords of at least 64 characters, so that long passphrases are not rejected; the 2024 draft revision goes further and recommends a minimum of 15 characters. Personally I would aim for a minimum of 16 characters, which is easy to achieve if you combine three or more words into a passphrase. NIST also recommends that services check new passwords against lists of commonly used or previously breached passwords rather than imposing rules about capitals and symbols, and that you do not change your passwords unnecessarily: change them only if you think a password may have been compromised (e.g. by a breach or phishing scam) or you have forgotten it, instead of constantly changing them after a set period such as every 90 days.
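
To make the advice in this chapter concrete, here is an added Python example (written for this edition, not code from the book, NordPass or NIST) that applies it the way a website should when you choose a password: it enforces the NIST length bounds quoted above, rejects anything on a blocklist of commonly used passwords, catches the thin disguises from the 'password' variants list by undoing the usual character swaps, and estimates how long a pure brute-force search would take at an assumed guess rate. The blocklist is the NordPass top 30 reproduced above, and the 10 billion guesses per second figure is an assumption for illustration, as the comments note.

```python
import re

# Constructed blocklist for this example: the NordPass 2024 top 30 reproduced in
# this chapter, lowercased. A real deployment loads a far larger list (or checks a
# breached-password corpus) rather than these few entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty123", "qwerty1",
    "111111", "12345", "secret", "123123", "1234567890", "1234567", "000000",
    "qwerty", "abc123", "password1", "iloveyou", "11111111", "dragon", "monkey",
    "123123123", "123321", "qwertyuiop", "00000000", "654321", "target123",
    "tinkle", "zaq12wsx", "1q2w3e4r",
}

# Character swaps that cracking tools undo automatically (the "rules" fed to
# hashcat or John the Ripper), so they add almost nothing to a password's strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

NIST_MIN_LEN, NIST_MAX_LEN = 8, 64           # SP 800-63B bounds quoted in the chapter
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")  # digits/symbols tacked on either end


def candidate_stems(password):
    """Return the plain words a password might be built from: lowercase it, trim
    digits/symbols off the ends and undo l33t substitutions, in both orders.
    'P@$$w0rd1', 'p455word' and 'Password123' all yield 'password'."""
    lower = password.lower()
    leet = lower.translate(LEET)
    trimmed = EDGE_JUNK.sub("", lower)
    return {lower, leet, trimmed, trimmed.translate(LEET), EDGE_JUNK.sub("", leet)}


def check_password(password, blocklist=COMMON_PASSWORDS):
    """Apply the chapter's rules: NIST length bounds, no commonly used password
    or thin disguise of one, and not just one or two repeated characters."""
    problems = []
    n = len(password)
    if n < NIST_MIN_LEN:
        problems.append(f"too short ({n} characters, minimum {NIST_MIN_LEN})")
    if n > NIST_MAX_LEN:
        problems.append(f"too long ({n} characters, maximum {NIST_MAX_LEN})")
    hits = candidate_stems(password) & set(blocklist)
    if hits:
        problems.append("is a commonly used password or a variant of one: " + min(hits))
    if len(set(password)) <= 2:
        problems.append("uses only one or two distinct characters")
    return {"ok": not problems, "problems": problems}


def keyspace(password):
    """Number of guesses an attacker needs in the worst case if they know only the
    length and which character classes appear. This is an upper bound: a
    dictionary word or phrase falls far faster than this."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33                       # printable ASCII punctuation
    return alphabet ** len(password)


def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case brute-force time. The 1e10 guesses/second default is an
    assumption for illustration only (roughly a GPU rig against a fast, unsalted
    hash); a slow password hash such as bcrypt or Argon2 lowers the achievable
    rate by orders of magnitude."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["P@$$w0rd", "Password123", "abcdefgh", "BubbleToadBurgers42"]:
        verdict = check_password(pw)
        years = crack_time_seconds(pw) / (365 * 24 * 3600)
        print(f"{pw:22} ok={verdict['ok']!s:5} brute-force years={years:.3g} {verdict['problems']}")
```

Run it and the contrast is the point: P@$$w0rd and Password123 are rejected because they collapse to a blocklisted word, while a short all-lowercase password like abcdefgh passes every rule yet falls to brute force in about twenty seconds at the assumed rate, and BubbleToadBurgers42 would take longer than the age of the universe. Length from unrelated words beats symbol substitution.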

Try not to use the same password for different online services, in case one of them is compromised: password reuse is a major problem. Criminals run automated 'credential stuffing' systems that take the email address and password pairs leaked from one breach and try them against a vast array of other online services, to see whether the same combination works elsewhere. You can quickly run a free check to see whether you have an online account that has been compromised in a data breach by visiting https://haveibeenpwned.com and entering only your email address. If it finds anything, you can then update the password for the compromised account. Be wary of any website claiming to check whether you have been compromised that asks you to enter both an email address and a password. Also see the chapter on two-factor authentication for advice on how to protect yourself from password breaches. Here are the results from my personal email, which has been compromised five times.

As you can see, I've had to change my password quite a few times over the past four years. Remember to manually visit any website you wish to update a password for, rather than following any links advising you to reset your password because a service has been compromised. It is quite common for criminals to use the news of a database breach to spam everyone with a fake password reset email.

Check https://haveibeenpwned.com at least once a month, if there are any results, update the password immediately for that service and any other online services where you may have used the same password. To save you returning every month to recheck, there is a free email alert option which is worth doing, to sign up click ‘Notify me’ at the top of the website. You will then automatically receive an email if your account is compromised in the future.
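
The page checks an email address on Have I Been Pwned; the same service also offers a documented 'Pwned Passwords' range API that lets you check whether a password itself has appeared in a breach without ever sending the password, which is exactly the property the warning above asks for. The following Python is an added example written for this edition, not code from the book or from Have I Been Pwned: it hashes the password locally with SHA-1, sends only the first five hex characters of the hash, and scans the returned list of suffixes for the remainder. The sample response embedded in it is constructed (the counts and neighbouring entries are made up) so the demonstration runs offline; only fetch_range talks to the real service, and the User-Agent string is an arbitrary choice.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # documented HIBP endpoint


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-character prefix
    that is sent to the service and the 35-character suffix that never leaves
    your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body, suffix):
    """The range endpoint answers with one 'SUFFIX:COUNT' line for every hash that
    shares the prefix (hundreds of them, so the server cannot tell which one you
    wanted). Return the breach count for our suffix, or 0 if it is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10.0):
    """Live lookup (needs network). The Add-Padding header asks HIBP to pad the
    answer with dummy zero-count entries so the response size leaks nothing."""
    request = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password has appeared in breaches known to HIBP.
    The fetch function is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response for offline use. It has the real shape of a range
# reply (including a padding entry with count 0) but the counts and the extra
# suffixes are made up; this is not HIBP data.
_PREFIX, _SUFFIX = sha1_prefix_suffix("password")
CONSTRUCTED_RANGES = {
    _PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # made-up neighbouring hash
        _SUFFIX + ":1000",                          # made-up count for 'password'
        "F" * 35 + ":0",                            # padding entry
    ]),
}


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed sample above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "BubbleToadBurgers42"]:
        print(pw, "seen", pwned_count(pw, fetch=offline_fetch), "times (constructed data)")
```

The design point is the k-anonymity split: the five-character prefix matches roughly one in a million possible hashes, so the service learns almost nothing about which password you checked, and the comparison against the suffix happens on your side. Swap offline_fetch for fetch_range to query the live service.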

If you have a lot of website passwords (I know I have more than 50 myself), a password management service like Bitwarden https://bitwarden.com, LastPass https://lastpass.com, Dashlane www.dashlane.com or F‑Secure ID Protection www.f-secure.com will make life simpler, as you will only have to remember one super secure master password. The basic service is often free, even if you use a smartphone or tablet, but you will need to upgrade to a Premium account to get the most out of these services across multiple devices, which typically start at $2-$3 a month. Family plans are also available and worth considering. Either way, try a free account first and see how you get on; you may be happy with the basic free service and not need to commit to any of the premium plans. For many people, Bitwarden, which offers two different free personal plans, is a good place to start. One caveat: LastPass suffered a breach in 2022 in which copies of customers' encrypted vaults were stolen, a reminder that everything in a password manager ultimately rests on the strength of the master password that encrypts it.

To get the most benefit from a password manager, you need to create a really strong master password that is unique and something you can easily remember, without it being guessable by others, something like: My1Super-DupaPassword! (please don't actually use this one). The passphrase advice earlier in this chapter applies here more than anywhere, since this one password protects all the others.

It is important to understand that if you forget your master password, you may be permanently locked out of your account unless you have set up recovery options beforehand. Reputable password managers encrypt your vault with a key derived from your master password and never hold that password themselves, so the company cannot simply reset it for you.

An alternative to a password manager service is the built-in password manager in many modern web browsers. Here the master password is effectively your device login or online identity, for example a Google account, Microsoft account or Apple ID. Just like a password manager, the browser can suggest strong passwords and automatically save them for you. The passwords are also synchronised to any other devices on which you use the same identity, whether that is a mobile device or another computer. It is generally less secure than a standalone password manager: the saved passwords are only as well protected as your device login and your Google, Microsoft or Apple account, and anyone who can unlock the device or sign into that account can usually read them.

If you do not use a password manager and have complex passwords, you will probably have to write them down (or write hints that only you will understand) and put them somewhere safe. Just do not keep them on you in a wallet or purse, because if you lose it you will have an even bigger headache to deal with. Writing something down does not mean you cannot protect it. Obfuscation, in the form of extra numbers or letters at the beginning or end of the written password, means that even if someone copies it they will not easily be able to use it, and will hopefully give up and move on to another target. And let us not forget that you can always protect anything you write down with bad handwriting, so long as you can still read it back yourself; otherwise you will have to resort to the password reset options.

Resetting a password has its own set of issues, though. If you use an email address that is tied to a particular service, like a broadband account, changing providers may mean you lose access to that email address, which stops most password reset procedures if you forget a password. Ideally, where password reset options include a secondary email address, enter another email address you trust (either one of your own or your next of kin's), especially if your main email address depends on another service. Consider moving to a free mainstream online email address like Outlook.com or Gmail, or at least create one as a secondary address.

Also, it is no good having a really strong password for an online service if its password reset questions have really weak answers that can easily be found online by searching social media. Questions like what school you attended and what city you were born in are best avoided. Remember that these questions can have made-up answers, or deliberate typos. There is nothing to stop you putting your first school as Hogwarts or saying that you were born in Asgard, so long as you remember which online services these answers are connected to; the notes field of a password manager is a good place to record them.

Lastly, now that many of the products we buy are purely digital and we store personal data like photos online, make sure that you include account login details and passwords in any will, or at least details of where loved ones can find them. Allow for the fact that as we get older our memory may be affected, so while you may quite happily remember 20 different passwords today, you may one day need a good password manager, so you only have to remember one master password.
