Google reveals top 10 most weak and common passwords


Always remember that your password strength is vital on the Internet, especially if you have sensitive information saved in your email account, social networks, or cloud storage. Recently Google did a study of 2,000 people to understand the procedures they use to create passwords. At the end of the day, many users chose passwords so simple that even a caveman could figure them out.

What’s even more interesting is that 48 percent of the 2,000 people had shared their password with someone else. That’s a sure way to have your privacy breached without your knowledge, so don’t ever share your password with a third party, not even your mother.

The top 10 weak and common passwords are as follows:

• Pet names

• A notable date, such as a wedding anniversary

• A family member’s birthday

• Your child’s name

• Another family member’s name

• Your birthplace

• A favorite holiday

• Something related to your favorite sports team

• The name of a significant other

• The word “Password”

Right this very moment, some poor guy is logging into Facebook using the word “Password” without a care in the world. Nevertheless, that’s OK: this guy will soon learn a harsh lesson, one he will never forget for the rest of his years.

Here’s our recommendation for a solid password, though we don’t always practice this method ourselves.

Make sure the password is at least 8 characters long, with numbers, uppercase and lowercase letters all jumbled together. In addition, never use the same password twice; every website you log into should have its own password.
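As an added example (not code from the original post), here is a small Python policy checker that enforces the recommendation above and, on top of it, rejects passwords built from the kinds of personal facts in Google’s top-10 list. The profile values are constructed sample data, and the minimum length, the date formats tried and the token names are my assumptions for the illustration. The generator draws candidates with the standard `secrets` module until one passes the same check.

```python
import re
import secrets
import string
from datetime import date

# Constructed sample profile (not real data): the personal facts that the
# survey found people turn into passwords. A real deployment would fill this
# from the user's account record.
SAMPLE_PROFILE = {
    "pet": "Rex",
    "anniversary": date(2005, 6, 14),
    "child": "Emily",
    "relative": "Miller",
    "birthplace": "Austin",
    "holiday": "Christmas",
    "team": "Packers",
    "partner": "Sarah",
}

MIN_LENGTH = 8  # the article's minimum; an assumption for this example


def profile_tokens(profile):
    """Expand a profile into lowercase substrings a password must not contain."""
    tokens = {"password"}
    for value in profile.values():
        if isinstance(value, date):
            # Common ways people write a date: 20050614, 06142005, 140605, 0614, 2005.
            tokens.update({
                value.strftime("%Y%m%d"), value.strftime("%m%d%Y"),
                value.strftime("%d%m%y"), value.strftime("%m%d"), value.strftime("%Y"),
            })
        else:
            tokens.add(value.lower())
    return tokens


def check_password(password, profile):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Compare on a lowercased form with separators stripped so that
    # "R-e-x" or "ReX!" still trips the personal-information check.
    flat = re.sub(r"[^a-z0-9]", "", password.lower())
    for token in sorted(profile_tokens(profile)):
        if len(token) >= 3 and token in flat:
            problems.append(f"contains personal information: {token!r}")
    return problems


def generate_password(profile, length=14):
    """Draw a random mixed-class password with the secrets module, rejecting any
    draw that fails the policy (for instance one that happens to spell a token)."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, profile):
            return candidate


if __name__ == "__main__":
    for pw in ("Password1", "RexEmily", "Xk7pQ2mZ", generate_password(SAMPLE_PROFILE)):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE) or "OK")
```

The check deliberately looks at substrings of the normalised password rather than whole-string equality: appending a digit or a capital to a pet name is exactly what the survey respondents do, and a whole-string comparison would wave that through.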

If there’s a chance you might have trouble remembering each and every password, how about giving LastPass a quick test drive? It stores your passwords in the cloud and can automatically log you into your favorite websites, though you’ll need to remember the master password. It comes in handy on many occasions; however, you never know when some hacker will get hold of LastPass’s data, so don’t rely on the service alone.

[via Techland]


12 comments

  1. AFPhy6

    [@virtualguy]

    Yes. This is a very good technique which will force most “crackers” into using brute force mode. In my March post suggesting a good way to generate passwords (currently #47 on Ashraf’s updated article about passphrases- http://dottech.org/19574/how-to-create-strong-secure-passwords/comment-page-2/#comment-999138 ) I utilize a variant of your suggestion in order to customize my password for the site, transforming DotTech’s D/T into F/Y to use as my “word” delimiters, but I don’t rely on keyboard pattern.

    The most important thing, as you point out, is that each person use their own pattern idea, in a quest to get the cracker(s) forced into a brute-force mode instead of any type of dictionary-based or rule-based attack. For this reason I consider your proposal much better than passphrase.

  2. Verve

    Very nice technique….good use of mind, virtualguy. We’re going to take this one on for our passwords, with variations, of course!

    Thank you for taking the trouble to so eloquently explain your technique.

  3. virtualguy

    That is just a sample formula I made up on the fly. You might devise an even better formula. The consecutive keystrokes, for example, could be in the middle of the password, or at the end, rather than the beginning. Everyone could have their own formula for generating a keystroke pattern for each account.

  4. virtualguy

    [@Netpilot]
    Here’s what I mean. Take the domain name ‘Yahoo,’ for example.

    Our keystroke pattern will have two parts. The first part will be 3 consecutive strokes, in UPPERCASE, of the third letter in the domain name. So, part one of our pattern is ‘HHH.’ Simple enough.

    Part two of our keystroke pattern will begin with the first consonant of the domain name. It could also begin with the second consonant, last consonant, or the first or last vowel. Whatever you choose. But, you must apply the same formula to every domain, or have certain patterns for certain types of websites, so you only have to remember a couple of keystroke pattern modifications. Otherwise, it gets too confusing, just like passwords.

    The first consonant in ‘Yahoo’ is the letter Y. Since the letter Y appears on the top row of letter keys, our pattern will include only that row of keys, and the number keys. If we were using the second consonant, A, part two of our pattern would include only the middle row of letter keys, and the number keys. In other words, you stay on the row of letter keys that contains the letter that begins part two of your formula.

    In our keystroke pattern, we will use the Shift key to make every other letter in part two of our pattern an UPPERCASE character.

    Which direction does your keystroke pattern move on the keyboard? The rule is, if there aren’t enough keys to go in the direction you like best, then the pattern must go in the direction that allows an appropriate number of keystrokes to complete the pattern. For example, if you want your pattern to go right to left, but the starting letter in part two of your pattern is ‘W,’ then your pattern is going to be very short, because you run out of keys after Q. So, your pattern must go left to right. There are plenty of keys to the right of W.

    In our keystroke pattern formula, right to left will be the default direction of our keystroke pattern.

    So, now we know part one of our example pattern is HHH (consecutive strokes of the third letter in the domain name), the keystroke pattern will include the number keys and the row of keys containing the Y key (first consonant in Yahoo), and part two of our pattern will move right to left on the keyboard, because there are enough keys to complete our standard pattern of at least 12 characters.

    Our pattern will alternate between the letter keys and the number keys, striking each adjacent key, moving right to left, using the Shift key on alternating letter (or number) keys.

    Our keystroke pattern will be:
    (Part 1) uppercase HHH, (Part 2, moving right to left) letter key, number key, Shift + letter key, number key, (repeat).

    In the case of Yahoo, this would produce a password that looks like this:
    HHHy6U7i8O9p0

    If you type that password repeatedly, you will quickly realize the pattern, and how brilliantly simple it actually is. It is simply a pattern of pecking keys in an up/down, right to left order (after the initial HHH).

    If our formula uses the second consonant in the domain name instead of the first, then the password for Yahoo would be:
    HHHa1S2d3F4g5

    If we apply the above formula to dottech.com, our password would look like this: TTTd3F4g5H6j7

    If our formula dictates that we alternate the Shift key on every other number key rather than letter key, our password would include special characters and look like this:
    TTTd3f$g5h^j7

    It may sound complicated, but it’s really not.

    The reason we start with three consecutive strokes of the same key is because it would be highly unlikely for a password generator to produce a password with the same character 3 consecutive times. This strengthens the password. You could make it 4 consecutive strokes, if you like. Whatever floats your boat.

    Based on the interactive Brute Force Password Calculator at GRC.com (www.grc.com/haystack.htm), our password from this keystroke formula would take 6.46 hundred centuries to crack with an “Offline Fast Attack Scenario.” Even with a “Massive Cracking Array Scenario,” it would take 64.65 years to crack.

    You might use a shorter keystroke pattern for less important accounts, and longer patterns for accounts that demand stronger passwords.

    Copyright © 2013 WD Banks. All Rights Reserved. dottech.org is hereby granted permission to maintain this blog response content on this domain only. No other use or reproduction permitted without consent of the author.
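The crack-time figures quoted in the comment above come from GRC’s “haystack” calculator. As an added example (not the commenter’s or GRC’s code), here is a Python reimplementation of that arithmetic so the numbers can be reproduced and, more importantly, so the model’s assumptions are visible. The alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the three guess rates (1,000, 100 billion and 100 trillion guesses per second) are what I recall the haystack page using; treat them as assumptions. The model counts every string of length 1 up to the password’s length over the smallest character-class alphabet that covers it, which is an exhaustive-search upper bound: it says nothing about an attacker who already knows the pattern, so the same 13 characters are worth far less once the formula behind them is known.

```python
# Reimplementation (assumed, from memory) of the GRC haystack search-space model.
# Added example; not affiliated with GRC or the comment author.

# Character-class sizes assumed by the model.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guesses per second for the three scenarios (assumed values).
SCENARIOS = {
    "online": 1_000,
    "offline_fast": 100_000_000_000,
    "massive_array": 100_000_000_000_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest class-based alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password):
    """Number of candidates an exhaustive search must cover: every string of
    length 1..len(password) over the alphabet (shorter strings are tried too)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def crack_time_seconds(password, scenario):
    """Worst-case time to exhaust the space at the scenario's guess rate."""
    return search_space(password) / SCENARIOS[scenario]


def crack_time_years(password, scenario):
    return crack_time_seconds(password, scenario) / SECONDS_PER_YEAR


def describe(seconds):
    """Human-readable duration, coarse on purpose."""
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years >= 10_000:
        return f"{years / 10_000:.2f} hundred centuries"
    return f"{years:.1f} years"


if __name__ == "__main__":
    # The commenter's 13-character example, the article's 8-character minimum,
    # and the survey's favourite, side by side.
    for pw in ("HHHy6U7i8O9p0", "Xk7pQ2mZ", "password"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"offline fast {describe(crack_time_seconds(pw, 'offline_fast'))}, "
              f"massive array {describe(crack_time_seconds(pw, 'massive_array'))}")
```

Run as is, the 13-character example lands at roughly 6.4 hundred centuries under the offline-fast rate and about 64 years under the massive-array rate, matching the comment to within rounding. The more useful output is the second line: an 8-character mixed-case alphanumeric password, the article’s own minimum, falls in well under an hour at 100 billion guesses per second, which is why length matters more than the character mix.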

  5. Netpilot

    [@virtualguy] Do you mean something like typing one key to the left (wrapping) of the original character, or inserting/substituting the number or symbol that is diagonally up to the left on the keyboard after every third character, etc.?
    Simple, handy, ingenious!

    [@Coyote] For the most part, you are correct – you can’t stop a major database breach. But we can’t live completely under a rock until things improve. The methods suggested here for creating and using better passwords prevent us from being the low-hanging fruit. I would bet that good password hygiene reduces the chances of being routinely hacked by better than 99%.

  6. Coyote

    So a lot of people use the same stupid passwords, and it looks like social engineering is the best way to get them. So in the end the best password is none at all: don’t use services that get hacked, and for services you must use, limit the information you share and don’t keep large amounts of money in any one location. All this talk about random generation and extreme passwords with ASCII codes and such is laughable; if the database that your password is used on is broken, your password doesn’t mean diddly.

  7. virtualguy

    I don’t use passwords. I use keystroke patterns. I have a formula that I apply to every Web site. Every keystroke pattern is unique to that Web site. So, all I have to do is look at the domain name and apply my keystroke formula. All keystroke patterns are at least 10 characters. I don’t have to use any software to remember my passwords, or even write them down. All I have to remember is a very simple keystroke pattern that I apply to every Website or email address that requires a password. I’ve been doing this for years, and it works for me.

  8. Godel

    I would like to recommend PasswordMaker which is available both as an add-on to Firefox and a downloadable portable desktop program for Windows.

    PasswordMaker allows you to generate high entropy passwords from a single master key and the target website’s URL (or other text), in a reproducible fashion with a shit-load of options.

    Note that the settings can be a bit hard to find.

    To see all the goodies (in FF) select Advanced Options -> Accounts -> Make Selection -> Settings.

    While you may be worried about the single point of failure vulnerability, with all the optional variations available in the settings providing extra safety, I think the functionality makes it worth it. PasswordMaker also accepts drag and drop key entry from Neo Safekeys for extra protection from key loggers.

    I only use PasswordMaker to initially generate the password, then store and use the password from KeePass or Sticky Password.

  9. Netpilot

    [@Darcy] I’ve been using RoboForm for the past eight years. I also choose my own passwords so that I can log into sites when I don’t have RoboForm handy. (I hope that’s what you meant by ‘I can use them elsewhere if needed.’)

    Thinking about it, that reasoning is a fallacy when I consider that RoboForm syncs my encrypted passwords to ‘the cloud’ (their servers) and back to a couple of my computers for redundancy. It also syncs to the RoboForm app on my smartphone, where I can look up any password if I need it.

    I suppose the whole ‘not completely long and random password’ thinking is a double fallacy when I consider that I have no business entering any of my passwords on any computer that’s not completely trusted and doesn’t already have my copy of RoboForm on it.

  10. Darcy

    My personal favorite method of making a password is to use a quote. I take the first letter from every word in the quote and have a set pattern of substitution (not the common 0 = O pattern either) and a set method of determining which letters are capitalized. Not as easy to remember as a simple password, but a lot more secure.

    I do use Sticky Password for helping to keep track of them, but choose my own passwords. That way I can use them elsewhere if needed.