The most popular passwords 2021
A password is used to protect your devices and personal data online from unauthorized access. Our safety online is just as important as it is in the real world. But some people don't seem to understand this. Otherwise, why would the password 123456 be in first place? Almost 17% of users protected their account with this password. And here are the top 25 most popular passwords:
Top most popular passwords in the original:
This list includes 25 passwords, which make up 50% of the total 10 million passwords. Most of them are very predictable, even if they are long. But most of the passwords in the list consist only of numbers and are very short. 1q2w3e4r and zxcvbnm seem safer, but as soon as you try to type them on the keyboard, you will understand what is going on.
The question arises why 18atcskd2w and 3rjs1la7qe are on the list of the most common passwords. They are quite complex and cannot simply be guessed by trying options one by one. One theory is that these are most likely passwords used by many spam bots: generated once and then used everywhere.
Do not use passwords from this list under any circumstances, and if you are using them now, change them so as not to put your personal data at risk. Here are some rules for choosing the right password:
- Use different characters, letters, numbers, mixed-case characters, special characters, etc. to protect your password from brute-force attacks;
- Avoid using terms, words, or phrases. Password-guessing programs first try the most common variants, and then switch to regular dictionaries;
- Use a password manager - many users set easy passwords because they find it difficult to remember complex combinations. Password managers will store your passwords in a secure place and only give them to you when you need them;
- Never, ever leave default passwords for your devices. It doesn’t matter that these are standard passwords for wifi or other IoT devices. This is equivalent to having no password at all: anyone can gain access.
Critical errors
These lead to fatal consequences. They are the result of an indifferent attitude towards data security.
Primitive and weak passwords
SplashData has been ranking the worst passwords of the year for several years. In 2018, the first ten places from the top 50 worst passwords looked like this:
Password
- 123456
- password
- 123456789
- 12345678
- 12345
- 111111
- 1234567
- sunshine
- qwerty
- iloveyou
If you look at the company's research over several years, it becomes clear that the situation is changing for the worse.
People continue to use primitive passwords, which can be combined into groups:
- Two-word passwords: tanyatanya, dindin, “sashamasha”
- Words with numbers at the end: ivanov1994, football2018, login1234
- Issued by the system by default: guest, user, default
- Words from English and other dictionaries: sweet, “family”, myhouse.
- Words with letters replaced by numbers or special characters: 0ldboy, [email protected] , $elphi.
- Keyboard character sequences: "ytsuken" or qwerty, "123456".
- Well-known digital combinations: “112”, “0911”, “777”, etc.
- Your data: filimovi, max-piter and others, which include address, phone number, etc.
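The groups listed above can be checked mechanically at the moment a password is set. The following Python sketch is an added example, not part of the original article; the word lists are small constructed samples, and the function name `classify` and its `personal` parameter are assumptions.

```python
import re

# Constructed sample lists; a real check would load a large common-password
# list and a full dictionary.
DEFAULTS = {"guest", "user", "default"}
WORDS = {"sweet", "family", "myhouse", "oldboy", "football", "login"}
KNOWN_DIGITS = {"112", "0911", "777"}
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Common look-alike substitutions: 0->o, 1->l, 3->e, 4->a, @->a, $->s, !->i
LEET = str.maketrans("0134@$!", "oleaasi")


def classify(password, personal=()):
    """Return the weak-password groups from the list above that match."""
    p = password.lower()
    hits = []
    half = len(p) // 2
    if len(p) >= 4 and len(p) % 2 == 0 and p[:half] == p[half:]:
        hits.append("repeated word")
    if re.fullmatch(r"[a-z]+\d+", p):
        hits.append("word with numbers at the end")
    if p in DEFAULTS:
        hits.append("system default")
    if p in WORDS:
        hits.append("dictionary word")
    elif p.translate(LEET) in WORDS:
        hits.append("letters replaced by digits or symbols")
    if len(p) >= 4 and any(p in row or p in row[::-1] for row in KEY_ROWS):
        hits.append("keyboard sequence")
    if p in KNOWN_DIGITS:
        hits.append("well-known digit combination")
    # `personal` holds strings tied to the user (surname, city, phone number).
    if any(len(item) >= 3 and item.lower() in p for item in personal):
        hits.append("personal data")
    return hits


if __name__ == "__main__":
    for pw in ("tanyatanya", "football2018", "guest", "0ldboy", "qwerty", "777"):
        print(pw, "->", classify(pw))
    print("filimovi ->", classify("filimovi", personal=("Filimov",)))
```

An empty result only means that none of these patterns matched; it does not prove that the password is strong.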
Same passwords for all programs and services
Users can have the same login and password for all social networks and a dozen different sites. This is not safe, so it's better to do this:
- For critical resources (email, payment systems, instant messengers and social networks), use complex and long passwords with arbitrary combinations of upper and lower case, numbers and special characters. Example: S9Scap$iDPRZ.
- For important resources (training sites, alternative mailbox) - passwords where length is more important than complexity. Example: hrGbWzeCjZSqUl.
- For not particularly important resources (forums, entertainment portals, torrent trackers), come up with simple, but not primitive passwords. Example: metHalPh.
So that you do not have to remember dozens of passwords, you can use a special manager that stores them in encrypted form. True, it also needs to be protected with a master password, and you need to think through where and how that master password will be stored. There is another piece of advice: vary the characters in passwords for unimportant resources, and do not repeat them in passwords for particularly important ones.
Openly recorded logins and passwords
Some experts recommend not writing down passwords, but most likely you will forget them. In that case you can write them down, but do not keep the written passwords in accessible places:
- Stuck to your desk or hidden under the keyboard or office equipment.
- On your computer desktop in text files, it is better to hide them in a password-protected archive.
- In the browser (especially for critical programs and services).
You can have a special notebook for passwords, but store it in an unobvious place.
Easily recoverable passwords
Attackers may not take the direct route: instead of cracking the password, they will try to regain access to the resource through password recovery.
In this case:
- Securely protect your recovery email.
- Choose a secret question that only you know the answer to.
Compromised and expired passwords
If you suspect that a password has been used by attackers, or it has remained unchanged for a long time, change it as quickly as possible - even before the service detects an attempt to hack your account:
- Changing your password automatically increases the time it takes to crack it.
- The time an attacker can spend in a system with a compromised password will be limited.
Serious errors
These lead to serious negative consequences. They are the result of ignorance in the field of data protection.
Short passwords
With a competent approach, the length of the password takes precedence over its complexity, because in this case the number of brute force options increases. Security researcher Mark Burnett argues in his book Perfect Passwords that a password of 12 to 15 characters is more secure than a short password composed of a random sequence of characters.
Instead of racking your brains over a complex password (which you can then forget), it’s better to take a simple and long one and add, for example, a few letters or numbers. Instead of [email protected] ^iL use bREsTeMPosParDATIckl .
Very complex passwords
Complexity is determined by two factors:
- Ease of guessing. Depends on the method of storing the password and the purposes for which it is used.
- Average number of attempts to guess the correct password. Depends on the length, character order, and how the password was created.
Very complex passwords (check out the example - mrCmTF%Lz^Y*k# [email protected] ) are difficult to remember. As a result, they begin to be written down on paper, on a smartphone or computer.
Meanwhile, American cryptographer Bruce Schneier recommends writing down such passwords on small pieces of paper and storing them in your wallet. Mnemonic passwords that are easy to remember will help solve the problem of using very complex options.
Poor use of special characters
Almost all services require the use of letters, numbers and special characters when creating passwords. This is an adequate requirement, but users distribute them unevenly in the password. For example, numbers and special characters are placed at the end of the password, and capital letters at the beginning - [email protected] . An example of an even distribution of characters in a password is [email protected] .
Ignoring alternative means of protection
You can’t rely only on a complex password for the most important services. Sophisticated phishing attacks, such as a private message from a friend asking you to vote for him by clicking on a link, will negate this method of protection.
The solution is to use two-factor authentication: you enter a password and then receive an SMS with an access code to the resource.
Disadvantages and recommendations
Knowing the first and following the second will lead to the competent use of passwords.
Frequently changed passwords
If a person constantly creates new passwords - either voluntarily or at the request of management - sooner or later each new password will be simpler than the previous one, to make it easier to remember. For example, only the number at the end changes - “h0lst1”, “h0lst2”, etc.
It is better to come up with long passwords right away and keep them for a long time. If there is any doubt about a password's safety, change it immediately.
Adequate attitude towards changing passwords
If you have created a strong and complex password, you should not assume that attackers will immediately rush to crack it “to the bitter end.” For example, banks use very serious security measures, so hacking attempts often make no sense.
Using automatic password generation
No matter how responsible people are, they create passwords based on their own thinking patterns, and attackers know this. Research and analysis of passwords have shown that 40% of them can be guessed using software methods. Often, when a person comes up with a password, he indicates in it something that is directly related to him and/or his environment.
With automatic generation, the relationship between the password and the user’s identity is eliminated. A randomly chosen password is created from a huge amount of data and is very difficult to guess.
A side effect of auto-generation is the difficulty of memorizing (check out the example T2tgU#&y59kUOo^). The password must be written down. We have already advised how to store such records. It is important to consider that a password is only one and often not the most important means of protection. To understand how secure your data is, conduct an information security audit. If it is insufficient, it is necessary to increase the security level of the IT infrastructure as a whole, and, if necessary, assess its compliance with regulations.
Conclusions
In this short article, we looked at the most popular passwords that users use to protect their accounts and systems. Be vigilant and do not make such mistakes. This is very important, first of all, for you.
Another way to create complex passwords:
Registration on any resource involves creating a login and password. A password is a combination of letters and numbers that is known only to its creator. It is entered every time you visit the site and is the main tool that ensures account security and protection against hacking. Therefore, creating an access code should not be taken lightly.
The combination should be as reliable as possible, not too long or too short. It is recommended that the password be easy to remember so that there are no problems logging into your account later. What password should I choose for Odnoklassniki? Thousands of registrants are asking this question.
How to generate a unique password and remember it without programs?
Do you need a password? Do you need a long password? Do you need a long password with numbers, capital letters and special characters? You will receive it and remember it, I promise! I'll tell you one proven trick.
It doesn’t matter where you register, on any site you leave personal information about yourself, protected by a password. The sooner you come up with a complex and unique password, the sooner you will accustom yourself to order and do everything possible to prevent your accounts from being hacked.
Yes, now the most important services use two-factor authentication. Even after finding out your password, the scammer will not log into your account, since you must confirm your login with a code sent via SMS to your phone.
But you have to admit, it’s not very pleasant to realize that your only password for all services has become known to someone. And now it’s only a matter of time before he tries to enter it on other sites in conjunction with your email. And there are bonus points in stores, your delivery addresses and other personal data.
The more popular the site, the more complex its password requirements. It’s no longer enough to just have a long password; you’ve probably encountered annoying and, at times, inadequate requirements more than once.
Password generation
If a person cannot boast of a wide imagination and come up with a suitable password, then a special program called “Password Generator” can come to his aid. It does not need to be downloaded and installed on a PC, as it is available online. In the search engine, enter the query “online password generator” and click the “Find” button. Open any site among the proposed results, set the generation options and click on “Create a password!”
The program will generate various combinations, among which the user can choose the option he likes best.
The main disadvantage of such passwords is that they are difficult to remember.
How to come up with a complex password?
There are several effective ways to come up with a strong password:
- Mixing. We type the Cyrillic word in the Latin layout, insert after each letter numbers that are significant to you (house number, apartment number) or transform some letters into numbers (instead of the letter B we put the number 6, instead of I - 9I, etc.)
- We type a word or phrase with spaces in the wrong places. For example, “my role.”
- Enter the phrase by alternately pressing the Shift key. For example, VoT-VedZ@sAdA
- We choose two words - an adjective (free) and a verb (run). Add a significant year, for example 1980, and any symbol. We get: Free19%Run80!
- We come up with a password with spelling errors and supply it with symbols and numbers: CoCoy#&_Password.
- We remember Russian folklore or poetry and encrypt the message. For example, take the proverb “Patience and work will grind everything down.” Let's write every first letter of every word in English in lower case, and every second letter in upper case. Let's put punctuation marks between words. We get: tE!i?tR?vS!pT.
A little difficult? But the password you come up with this way will be secure.
If you can’t come up with a password, use password generators:
- https://howsecureismypassword.net/ – will indicate the time during which your password can be hacked.
- https://www.microsoft.com/ru-ru/security/pc-security/password-checker.aspx – will show the effectiveness of the password.
- https://pasw.ru/ – will create a password of any length and complexity.
Creating a password using the associative method
It is much easier to remember a password that the user associates with something. This could be the year of his birth, passport series, first and last name, name of his favorite sports team, name of a pet, etc. However, you should avoid matching the password exactly to the selected association. It is recommended to dilute these combinations with numbers or letters. For example: Artyom, born in 1991.
- Artem1991 - unreliable
- Art19em91 - reliable
- aR91tE91m - very reliable
It is encouraged to use dates as a password, but only if they are properly masked. For example, you can take only the date of a specific event known to you, which is known to a narrow circle of people. This could be the date of graduation from school or the day of the wedding. In this case, the main thing is not to forget the event itself. Using simple combinations like “1234567” or “Qwerty” can have disastrous consequences - these passwords are the most unreliable of all.
You can create a strong password with one little trick. Select a Russian word and switch the layout to Latin. For example, "Sunday". Enter this word by pressing the appropriate keys on the Russian keyboard. The result will be a combination of letters in the Latin alphabet, in our case - djcrhtctymt.
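The layout switch is a fixed key-for-key substitution, so a service can undo it when a password is set and look the result up in a dictionary. The following Python code is an added example, not part of the original article; the three-word dictionary is a constructed sample and the function names are assumptions.

```python
# Russian (ЙЦУКЕН) keys and the QWERTY keys in the same physical positions.
RU = "йцукенгшщзхъфывапролджэячсмитьбю"
EN = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
TO_LATIN = str.maketrans(RU, EN)
TO_CYRILLIC = str.maketrans(EN, RU)

# Constructed sample dictionary; a real check would load a full word list.
RU_WORDS = {"воскресенье", "пароль", "привет"}


def typed_on_latin_layout(word):
    """What a Russian word becomes when typed with the Latin layout active."""
    return word.lower().translate(TO_LATIN)


def layout_shifted_word(password, words=RU_WORDS):
    """Return the dictionary word behind a layout-shifted password, or None."""
    candidate = password.lower().translate(TO_CYRILLIC)
    return candidate if candidate in words else None


if __name__ == "__main__":
    print(typed_on_latin_layout("воскресенье"))   # the article's example
    print(layout_shifted_word("djcrhtctymt"))
```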
Save your password in your browser manager only if you fully trust your loved ones. Never record your password on your mobile device - if you lose it, attackers can take advantage of the loophole and use your account for personal gain.
Finally, when using proxy servers, you increase the risk of being defrauded. Most hacking cases occur in such situations. Try to avoid visiting social networks through a proxy server from your daily routine, but if this is not possible, change your password regularly.
How passwords are cracked
For brute force, there are programs into which a list of popular words and combinations (dictionary) is loaded. Such a list can be found in the public domain. The program substitutes combinations one by one, automatically, until it finds a working sequence.
How long will it take to select a combination?
Selecting a 4-character password does not present any difficulties for an attacker. In 2012, at a cybersecurity conference in Norway, a system capable of matching 348 billion hashes per second was demonstrated!
A hash is the transformation of information using a specific algorithm, which allows you to encode, store, and then restore this information.
If more complex hashing algorithms are used to store the codeword, for example, md5 combinations, then a sequence of 6 characters (letters of different case + numbers) can be selected in 95 minutes (speed of about 10 million sequences per minute). But in order to select a password of 10 characters, it will take more than two and a half thousand years.
Such values are achieved under ideal conditions: without restrictions on the number of attempts, and with maximum data exchange speed. In a real situation, hacking will take much longer.
Passwords longer than 10 random characters are rarely cracked, because this would cost hackers a lot of time and computing power. Why make such an effort if more than 10% of all sequences are variations of the numbers 12345 and the letters qwerty?
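The estimates in this section come from dividing the number of possible passwords by the guessing rate. The following Python code is an added example, not part of the original article. It assumes a 62-character alphabet (letters of both cases plus digits) and two rates: 10 million guesses per second, the rate at which the 95-minute and 2,500-year figures work out, and the 348 billion per second of the 2012 demonstration.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALNUM = 26 + 26 + 10  # letters of both cases + digits

# Assumed guessing rates, in guesses per second.
SLOW_RATE = 10_000_000
FAST_RATE = 348_000_000_000


def worst_case_seconds(length, rate, alphabet=ALNUM):
    """Time to try every password of exactly `length` characters."""
    return alphabet ** length / rate


def humanize(seconds):
    """Express a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def min_length(rate, years, alphabet=ALNUM):
    """Shortest random password whose full search takes at least `years`."""
    length = 1
    while worst_case_seconds(length, rate, alphabet) < years * SECONDS_PER_YEAR:
        length += 1
    return length


if __name__ == "__main__":
    for length in (4, 6, 8, 10, 12):
        print(length,
              humanize(worst_case_seconds(length, SLOW_RATE)), "|",
              humanize(worst_case_seconds(length, FAST_RATE)))
    print("length needed for 100 years at the fast rate:",
          min_length(FAST_RATE, 100))
```

At the faster rate the same 10-character password is exhausted in under a month, which is why the guessing rate matters as much as the length.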
Which passwords are weak?
A code consisting of letters in one case is extremely easy to crack. Especially if these are commonly used words, book titles, names of characters or events.
Complicating such combinations with the help of additional words will also not be enough: “This is my password” or “this is my cool password” will be guessed in the same amount of time.
How combinations leak into the network
Less popular sites without serious protection are hacked first. Hackers make the hacked accounts publicly available so that all login+password combinations end up in dictionaries, which are then used against social networks, payment systems or email services.