Why your passwords suck.
Passwords. A string of random characters, letters, numbers, words, or phrases used to verify a person’s identity. A string of nonsensical characters that separate us from our finances, our medical records, our school information, our entire digital life.
It’s amazing how much power these random characters hold over us, how much they can do. How a simple set of numbers or letters can represent us in the digital world. Just like your ID card or passport lets people know what country you’re a citizen of, your passwords let companies, websites, and digital products know who you are.
The concept of passwords is thrilling yet scary. The idea that you don’t have to be physically present to verify your identity before getting access to the deepest private information is amazing. But the fact that anyone in the world can pose as you by simply finding out what this random string of characters is can be terrifying.
When we think of passwords, we think of logging on to our favorite websites, standing at the ATM to withdraw cash, or getting into our phones and computers. When we think of passwords, we think of the digital world. But the truth is, passwords existed long before computers.
Just like many other technological innovations, the use of passwords began in the military. To figure out who was friend or foe, soldiers would create passwords that were passed around camp. When they encountered a stranger, the person was then asked for the password to verify their identity. If the intruder didn’t know the password, the soldiers would know that they were foe and take them prisoner.
Over time, this use of passwords evolved into a password and counterpassword system. In the opening days of the Battle of Normandy, the US 101st Airborne Division created the password “flash,” but with a twist. The word “flash” was a challenge, and the counterpassword expected in reply was “thunder.” This was only one of the many password and counterpassword pairs they used, as they created a new one every three days, before it could be compromised.
Now you might say that “flash” and “thunder” are pretty simple words, maybe simple enough for enemy soldiers to figure out, and you’d be right. But the thing about passwords is that, as much as they need to be complex so they aren’t easy to crack, they also need to be easy enough to remember, or else you get locked out of your own troop.
And to date, this is how most people still choose passwords. Even at a time when we have password managers and various other ways to store complex passwords so we never have to remember them all, more often than not, people choose passwords that are super easy for them to remember.
Usually it’s a name. It could be theirs, a significant other, a pet, or a family member. Whoever it is, more than half of Americans use names as their passwords. Michael, Jordan, Jennifer, Hunter, Harley, Buster, Andrew, Charlie, and Robert being the most common.
When people think of passwords, they often think of protection, and when people think of protection, well, we all think of... superheroes, right? So passwords like dragon, master, superman, and batman, are all extremely common. They don’t just show the characters we like the most, they also show how much importance, hope, and trust we have in these characters to protect us, even when they aren’t real.
Sports have a similar effect on us. We might not look to these teams and players to protect us like superheroes, but we look to them for strength, for hope, for joy, for laughter and entertainment. Sports bring happiness to billions of people around the world, so it’s no surprise that when these people are asked to come up with a special word they can never forget, they pick the sport they love the most. Baseball, football, and soccer are the most commonly used passwords relating to sports.
And when you dig deeper, European football teams like Manchester United, Chelsea, Arsenal, Barcelona, and Liverpool are all very frequently used as passwords in one form or another. Truly, you never walk alone. There’s a good chance I’ve already mentioned part of one of your passwords; they’re all different, but strikingly similar.
When we’re not picking passwords with our hearts, we’re coming up with them with our heads. We try to be smart and cheeky, clever and quirky. We pick things like letmein, trustno1, abc123, and everyone’s favorite, “password.” More often than not, when we choose passwords like these, we think of them as unique. But when you consider the fact that the word “password” is the second most commonly used password in the world, you realize that we humans are, in truth, very predictable.
Although they are called passwords, passwords are not always words. Sometimes they are simply a string of random characters, and other times they are numbers, passcodes, or personal identification numbers, PINs.
When faced with the challenge of coming up with a number for a password, most people pick the most significant date in their lives. Sometimes it’s a birthday, other times it’s an anniversary. This is especially true for PINs that require just 4 digits like ATM transaction pins.
When people aren’t choosing 1984 or 2002, the digits 1 through 9 are most commonly used, with the length depending on how long the password needs to be. So whether it’s 123456, or 12345678, 90, 12345, or simply 1234, many times it starts with 123. Sometimes there’s an abc with a 123 attached.
And when it isn’t simply the digits from 1 to 0, it’s six 6s or seven 7s, or 696969. Most people, when asked to come up with a passcode, try to come up with something easy, something they can visualize, something they can easily remember.
There is one method people use to come up with passwords that you might not figure out right away.
Qwerty, qwertyuiop, qazwsx, 123qwe, zxcvbnm, asdfgh.
At first glance, these might look like really strong passwords. They’re not names of family members or pets, they’re not our favorite superheroes or sports teams, and they’re so random that nobody could possibly guess them, right?
Well, wrong. You see, all of these passwords are examples of something called “password walking,” which is basically creating a password by simply typing out characters that sit next to each other on the keyboard.
Now look at these passwords again: qwerty, qwertyuiop, qazwsx, 123qwe, zxcvbnm, asdfgh. Notice the pattern? Your fingers are basically walking across the keyboard as you type them in. They might look convincing, but the truth is they are not very secure. You’re not the first person to try this, and you won’t be the last.
It’s surprising to see just how easy our passwords are to figure out: the patterns in the way we come up with these seemingly random strings of characters, our collective reasoning for picking “password” as our password.
We understand just how important these words are, so why do we put so little effort into coming up with them, knowing how dangerous it could be if someone figured them out?
When we think of someone hacking into an account, we often think of a programmer in a black hoodie in a pitch-dark room with 100 monitors and nothing but the sound of clicking keyboards filling the atmosphere. But the truth is, most hacking is simply someone guessing your password successfully, or finding it in some leaked database out there. It’s a lot simpler than you’d imagine sometimes.
There are a number of ways hackers use to find your password, and the most common is called the dictionary attack. The dictionary attack tries every single word in the “dictionary” against the password, until there’s a match. Contrary to what you might think, this isn't just a normal dictionary.
This dictionary is a file that includes all of the most commonly used passwords. To understand just how much information is in this file: every single password mentioned in this video is in the top 50 most commonly used passwords, and a dictionary file can contain the thousands or even millions of most commonly used passwords.
Research has shown that around 68% of Americans use the same password on multiple accounts. And to be honest, we’ve all been there. There’s yet another site asking you for a username and password every single day, and there’s barely enough space in your brain to remember your old password, so coming up with a new one feels impossible.
But the problem with using the same password for multiple accounts is that once a hacker gets hold of one of your accounts, they automatically have access to all of them. Yes, the big names like Apple and Google might have a lot of security measures protecting your passwords, but what about that small, obscure site you registered on many years ago? Who knows, the company might now be bankrupt and have no means of keeping its users’ passwords safe, or, in the worst case, it might sell that information to someone shady.
Once your password for that account is discovered, your entire digital life is in jeopardy. Immediately, someone from anywhere in the world could have access to your work life, school life, finances, medical records, everything. And there’s nothing any of the big companies like Apple and Google can do about it.
Sometimes our passwords aren’t hacked or discovered or stolen, we willingly give them to other people. Research has shown that around 37% of people share their passwords with others. This is most likely down to streaming services like Netflix and Hulu. This isn’t surprising when you discover that 88 million streaming accounts are “borrowed.”
Now imagine you give the password of your Netflix account to your friends and family, but that’s also your password for everything else. That’s like sharing the key to your house, your safe, and all your personal belongings with everyone.
Now at this point I’m sure we’re all wondering: so how exactly do you create a “strong” password? What is even considered “strong” to begin with? Aren’t they all just numbers and letters anyway? Well, the first thing you can do is choose multiple words that are completely unrelated. You can mix words from different languages, use the name of a local business, or a family secret that’s been passed down for generations.
Instead of just using Michael as your password, try “BonjourSouvenirMonalisaThe3rd.” Although the words are completely random, a password like BonjourSouvenirMonalisaThe3rd paints you a mental picture that’s completely unique to you, something that no dictionary attack will be able to figure out.
When we try our best to make our passwords secure, we often end up with a leetspeak version of everything we’ve been talking about up until this point. Leetspeak is basically replacing standard letters with numbers or special characters that look like them. So Michael becomes M1ch@3!, Jordan becomes J07d@n, and Jennifer becomes J3nn1f37. And while these are certainly more secure than plain text, they are still very susceptible to hackers because of how popular they’ve become. It might’ve worked at first, but then everyone started doing it, and now that everyone’s doing it, it’s easy to predict.
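To make these patterns concrete, here is an added example (not code from the original video) of the kind of check a sign-up form could run before accepting a password: it undoes leetspeak the way a cracking dictionary would, flags keyboard walks and repeated blocks, and looks the result up in a small constructed sample of a common-password list. The list, the substitution table and the function names are my own assumptions.

```python
from itertools import product
import re

# Constructed sample of a cracking "dictionary": the names, superheroes, sports
# and cheeky choices named above. A real list runs to millions of entries.
COMMON = {"password", "michael", "jordan", "jennifer", "hunter", "harley",
          "dragon", "master", "superman", "batman", "baseball", "football",
          "soccer", "liverpool", "arsenal", "chelsea", "letmein", "trustno1",
          "abc123"}
# Leetspeak substitutions read backwards; ambiguous symbols list every reading.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "tr",
        "@": "a", "$": "s", "!": "il"}
# QWERTY rows and columns: "walking" any of them, or their reverse, is predictable.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
PATHS = [p for r in ROWS + COLS for p in (r, r[::-1])]

def unleet(pw):
    """All plain-text readings of a leetspeak password, e.g. M1ch@3! -> michael."""
    choices = [LEET.get(c, c) for c in pw.lower()]
    if sum(len(c) > 1 for c in choices) > 12:   # bound the expansion (2**12 max)
        return {pw.lower()}
    return {"".join(p) for p in product(*choices)}

def is_keyboard_walk(pw, min_run=3):
    """True if pw is nothing but runs of adjacent keys (qwerty, 123qwe, qazwsx)."""
    s, i = pw.lower(), 0
    while i < len(s):
        # longest run starting at i that lies on some keyboard row or column
        run = next((n for n in range(len(s) - i, min_run - 1, -1)
                    if any(s[i:i + n] in p for p in PATHS)), 0)
        if not run:
            return False
        i += run
    return True

def is_repetition(s):
    """True for 666666, 7777777 or 696969: one short block repeated to fill it."""
    return len(s) >= 4 and any(len(s) % k == 0 and s == s[:k] * (len(s) // k) for k in (1, 2, 3))

def weakness(pw):
    """Return why a password is weak, or None if none of the patterns above fit."""
    s = pw.lower()
    bases = {s, re.sub(r"[\d!@#$%^&*.]+$", "", s)}      # michael1 -> michael
    if any(c in COMMON for b in bases for c in unleet(b) | {b}):
        return "common word (dictionary attack)"
    if is_keyboard_walk(s):
        return "keyboard walk / sequence"
    if is_repetition(s):
        return "repeated characters"
    return None
```

Running `weakness` over the passwords quoted in the text flags every one of them, while the passphrase BonjourSouvenirMonalisaThe3rd passes all three checks.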
So instead of swapping out letters for their leetspeak variants, try inserting completely random characters into the mix instead. It could be the currency sign that’s unique to your country, or perhaps a code that has some sort of significance to you. Something that’s easy for you to remember, but difficult for anyone else to guess as part of a regular word.
Passwords have been around since the beginning of computing. But it seems that we may be seeing the very last of them. Because the truth is even the longest string of random characters completely devoid of linguistic meaning that’s unguessable by even the best of systems, can still be separated from the user and used at any time and from anywhere in the world.
This is why in recent years, biometric verification has become more commonplace. Every modern smartphone now comes with either a fingerprint sensor or an iris or retina scanner, sometimes both. You can now make purchases on App Stores, log into your mobile banking platforms, and even make purchases in real life, without a password, using these biometric methods of authentication.
With these new ways of authenticating a user becoming more popular, all of which are a lot more secure than the password, slowly the world is moving to a point where we will completely abandon the use of passwords for digital security.
For now, however, the best way to protect yourself from getting your data stolen through your password is enabling two-factor authentication. Most companies now offer 2FA and where possible, this is for sure your best bet of keeping your information safe and secure.
There are three main factors of authentication - something you are, something you know, and something you have. Two-factor authentication basically combines any two of these to verify you.
Something you are is biometrics: your fingerprint, your iris, or your retina. These are things that are part of you and cannot be detached from you, well, except under gruesome circumstances. But all things being equal, these things are who you are, they are completely unique to you, and no one else can have them except you.
Something you have is either your phone, a physical key or token, or your SIM card. Usually companies will send a unique code to your registered phone number to ensure that whoever is trying to log into their service has that SIM card.
Finally, something you know is a password.
When you combine two of these three, say a fingerprint scanner and a password, or a physical token and a PIN, you get the most secure type of authentication available right now.
So next time you’re on a website and they ask you for a password, take some time to think about it. Don’t type the first thing that comes to mind, because chances are that it’ll just be “password,” and that’s like putting a “closed” sign in front of your house, but still leaving the front door unlocked.
And I don’t know about you, but I don’t like unwarranted visitors. Stay safe, your life literally depends on it.
- EE, MM