Quotes Icon

Andrew M.

Andrew M.

オペレーション担当副社長

"私たちは小規模な非営利団体のためにTeamPasswordを使用していますが、私たちのニーズにうまく対応しています。"

今すぐ始める

Table Of Contents

    computer login screen

    The Truth About Terrible Passwords

    December 11, 20204 min read

    Password Management

    “Password” is indeed a bad password to use. You are right to roll your eyes if you hear somebody has used it. But there’s a good chance your password sucks as well.

    Several times a year, mainstream and tech media will report on the latest list of the “worst” passwords. Several different organizations make an annual list but they almost always use the same (lack of) criteria. It’s simply based on how often the password appeared in leaked and stolen databases of account passwords.

    It's not the fact a password was in such a list that makes it “worst” in this scenario: the database being exposed in plain text form is the fault of the hacked website, not the users. Instead the logic is that a password being used most often makes it “obvious” and thus a terrible choice.

    Virtually every time this top ten comprises terms like “password”, “123456”, “letmein” and the occasional cultural reference: chances are “COVID” will be all over the lists for 2020. The usual media response is that such obvious terms appearing in the list prove the computer-using public are a bunch of idiots and society is doomed.

    The problem is that these terms appearing in the lists don’t tell us much useful about users as a whole because these terms will always be in the list. It’s completely circular logic because inherently the most commonly used passwords will always be obvious and predictable choices.

    What would actually be useful would be to know what percentage of all passwords fall into the “obvious category” or even what proportion are rarely used or even unique. That would tell us much more about trends in behavior.

    Let’s look instead at some of the factors that really determines how secure a password is.

    Table of Contents

      Dictionary Words

      A password that’s simply a word is about as bad as it gets, and that’s the case whether you use “password” or “rhubarb”. The former is certainly worse in the scenario of somebody literally typing in a guessed password to try to access an account. That’s a very small part of overall cybercrime, however, particularly given most sites will lock after a set number of failed login attempts.

      Instead, most attempts to crack a password involve thousands or millions of attempts, whether that involves bypassing the attempt limit or trying to decrypt a stolen database of encrypted passwords. The first run will often involve trying a list of words, which could be a list of known common passwords (including allegedly clever workarounds like “pa55w0rd”), the most common words in a language, or even a literal dictionary.

      This won’t usually be the only tactic an attacker uses, but a “real” word as your password puts you at much greater risk.

      Length

      The next step after a dictionary attack is a brute force attack. This involves literally trying every possible combination of letters and in this scenario, longer passwords are exponentially more secure. Think of it this way: you can guarantee to guess a single letter within 26 attempts. For two letters, you’d need 26 x 26 attempts, totaling 676. Follow this logic and simply using eight characters gets you to five trillion possibilities. Even with incredibly fast computers, it only takes a few extra characters to increase the average time to crack a password from a few hours to thousands of years.

      Special Characters

      Using just letters makes for a bad password for the same reason that length matters. For a single character, using numbers takes the number of possibilities from 26 to 36. Use symbols on the average keyboard and you can easily add another 26. Use capital letters rather than just lower case and that’s another 26. Even with a (very much not recommended) four-character password, you’re talking about the difference between 11 million possibilities and nearly 6 billion.

      The Most Terrible Password

      The truth is that while length and characters matter, the worst password is the one you use on more than one site. Whenever an unencrypted database of usernames and passwords gets exposed (either because hackers decrypted it or they found it stored in plain text), the first thing they’ll do is try the details on other websites and services, particularly ones that will grant access to sensitive personal data. When you reuse passwords on multiple accounts, you’re effectively putting all those accounts at the same level of risk as the least-well secured.

      The Truly Good Password

      The most secure password is one that’s unique to an account, is a good length (12 characters is often recommended as a minimum) and uses a combination of upper and lower case letters, numbers and symbols. If that sounds like it would be impossible to remember, don’t worry: it’s not smart to let your memory be a limit on your security. Instead the most practical way to generate and use unique reliably secure passwords for every account is a password manager. 

      パスワードの安全性を高める

      パスワードを生成し、正しく管理させるための最適なソフトウェア

      TeamPassword Screenshot
      facebook social icon
      twitter social icon
      linkedin social icon
      関連記事
      Family sitting around a laptop

      Password Management

      November 22, 202411 min read

      The BEST Family Password Managers: A Stress-free guide to Digital Security

      Simplify password management for your family with these affordable and secure options. Learn why TeamPassword and others are ...

      Employees standing around computer discussing code

      Cybersecurity

      November 15, 202410 min read

      Creating a Company Culture for Security | 5 Actionable Insights

      Security is both a technical and cultural issue. Employees who value and promote security will prevent cyberattacks, protect ...

      CPA working at computer using password manager

      Business

      November 14, 20246 min read

      3 Best Password Managers for CPAs and Accounting Firms

      CPAs need password managers that offer security, efficiency, and affordability. Learn about top options for managing credentials, sharing ...

      最新情報をお見逃しなく!

      このような投稿をもっと読みたい方は、ブログを購読してください。

      Promotional image