2019’s Worst Passwords

If one of your passwords resembles one of the top 100 “worst passwords” on the Teams ID list, then maybe it’s time to change those passwords. And fast.

Hackers are smart. The publicly available tools they use are smart too: many of them, such as Elcomsoft’s Wireless Security Auditor, can “guess” a password like “123456” or “qwerty” in minutes or less. According to Elcomsoft, their software costs just $300 and can test 650,000 passwords PER SECOND.

Again. That’s PER SECOND.

Worst Passwords Equal Data Breaches

Literally billions of records were stolen in 2019: Orvibo at 2 billion records, MyFitnessPal at 151 million and Capital One at 106 million. The top reason, according to Security Magazine’s list of top breaches: bad passwords. Managers and IT didn’t take the time to button down the password format they wanted.

Don’t want to make 2020’s data breach list? Start by using Teams ID’s worst passwords for 2019 as a guide:

  • 123456
  • 123456789
  • 1234567
  • qwerty
  • password
  • 123123
  • 111111
  • iloveyou
  • 12345
  • 12345678

See the pattern? The worst passwords are combinations of keys you might enter on your keyboard.

Other patterns might include:

  • Those same passwords with a special character added, like “passw@rd” or “123$456”.
  • The use of well-known numbers, like “911” or “456”.
  • Weak passwords, but in a foreign language.
  • Dates, since a date is a pattern in itself and weakens any password that contains one.
  • Anything under 20 characters.

Really safe passwords are really passphrases and use a combination of letters, numbers, special characters and capitalization. And passphrases can be super easy to remember and really hard to break.

Check out the common “passw@rd”, as reviewed by KeePass, a password manager:

The quality is barely 24 bits, which, according to modern data scientists, is easy to crack.

Password Complexity is Good

Better is a passphrase, which is still easy to remember, but much more complicated to crack. The following is both visual (so it’s easy to remember) and uses letters and numbers that are less used in passwords, like 9 and 8. At 32 characters, it also represents 145 bits, which is much harder to crack, even for hackers with very powerful computers.

The more “bits” in a password, the better the password. Data scientists say that passwords between 25 and 96 bits are generally harder for computer systems to crack. However, if you can go even higher than 96 bits, go higher. Complexity will never hurt in a password. Simplicity will.
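The pattern list and the bit counts above can be turned into a screening check for new passwords. The following is an added example, not code from this page, Teams ID or KeePass: it flags the patterns this article names and computes how long a search space of a given bit size lasts at the 650,000 guesses per second quoted earlier. The date regex and the limit of one or two special characters are assumptions, and it does not reproduce KeePass's own quality estimate.

```python
import re

# The ten passwords listed on this page.
WORST = {"123456", "123456789", "1234567", "qwerty", "password",
         "123123", "111111", "iloveyou", "12345", "12345678"}
KNOWN_NUMBERS = ("911", "456")          # the page's two examples
MIN_LENGTH = 20                         # the page's length floor
GUESSES_PER_SECOND = 650_000            # rate quoted on the page
# Assumed date heuristic: a 19xx/20xx year or a d/m/y-style group.
DATE_RE = re.compile(r"(19|20)\d\d|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")


def is_listed_variant(pw: str) -> bool:
    """True if pw is a listed password with 1-2 special characters
    inserted ("123$456") or swapped in for a character ("passw@rd")."""
    specials = [c for c in pw if not c.isalnum()]
    if not 0 < len(specials) <= 2:
        return False
    # Each special character may stand for one character or for none.
    pattern = "".join(re.escape(c) if c.isalnum() else ".?" for c in pw)
    return any(re.fullmatch(pattern, w) for w in WORST)


def screen(password: str) -> list[str]:
    """Return the page's weak-password patterns that this candidate hits."""
    pw = password.lower()
    findings = []
    if pw in WORST:
        findings.append("listed")
    if is_listed_variant(pw):
        findings.append("listed-variant")
    if any(n in pw for n in KNOWN_NUMBERS):
        findings.append("known-number")
    if DATE_RE.search(pw):
        findings.append("date")
    if len(password) < MIN_LENGTH:
        findings.append("short")
    return findings


def seconds_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a 2**bits search space."""
    return 2 ** bits / rate


if __name__ == "__main__":
    for candidate in ("123456", "passw@rd", "123$456", "Summer2019!"):  # constructed
        print(f"{candidate!r}: {screen(candidate)}")
    print(f"24 bits at 650,000/s: {seconds_to_exhaust(24):.1f} s")
```

At the quoted rate, a 24-bit search space is exhausted in under half a minute, which is why a single swapped character does not rescue a listed password.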

Don’t want to make 2020’s “Worst Password” list? Then:

  • Use a password manager like KeePass.
  • Either use a longer passphrase or let KeePass auto generate a password for you.
  • Stay away from anything that’s a pattern.
  • And change every three months or less.