Statistically speaking, your passwords probably suck

Researchers sifted 19 billion leaked passwords. Over 90% of them were weak.


From a statistical perspective, your passwords likely aren’t very strong. That’s the conclusion reached by a group of cybersecurity researchers who examined over 19 billion compromised passwords, discovering that merely six percent were unique.

Cybernews analyzed publicly accessible information from 200 data breaches and leaks that occurred since April 2024, searching for patterns and similarities among the exposed passwords. Just over a billion passwords were robust enough to withstand dictionary attacks, while the vast majority were weak.

(To quantify this: Nearly 18 billion passwords were ineffective.)

So, who ranks as the worst offenders? A few familiar names in the hall of password failures include password, admin, and 123456. Cybernews revealed that both password and admin appeared 53 million times in the dataset, while 123456 was found a staggering 338 million times. Furthermore, approximately 727 million passwords included the sequence 1234, making up nearly four percent of the dataset.

If you’re wondering what makes a password weak, the answer is simple: anything that can be guessed easily, whether by a person or by a program. Modern cracking tools don’t just try words from a dictionary; they apply mangling rules that encode the patterns people actually use (capitalizing the first letter, tacking on a year or “123”, swapping letters for look-alike digits or symbols), so “P@ssw0rd” falls almost as fast as “password”.
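As an added illustration (not from the original article or from any cracking tool’s own code), here is a small Python model of the dictionary-plus-rules approach described above: a handful of base words, a few leet substitutions and suffixes, and a check of whether a given password falls inside the generated candidate set. The wordlist, substitution table and suffix list are constructed for the example and are orders of magnitude smaller than a real cracking dictionary.

```python
import itertools

# Constructed mini wordlist; real cracking dictionaries hold millions of entries.
WORDLIST = ["password", "admin", "welcome", "dragon", "monkey", "letmein"]

# Letter -> look-alike digits/symbols: the "leet" mangling rule attackers apply.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Common tails people bolt on to satisfy complexity rules (constructed sample).
SUFFIXES = ["", "1", "12", "123", "1234", "!", "123!", "2024", "2025"]


def case_variants(word):
    """The three capitalisation patterns most people actually use."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word, max_subs=2):
    """Yield the word with up to max_subs letters swapped for look-alikes."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    yield word
    for n in range(1, min(max_subs, len(positions)) + 1):
        for combo in itertools.combinations(positions, n):
            choices = [LEET[word[i].lower()] for i in combo]
            for replacement in itertools.product(*choices):
                chars = list(word)
                for i, r in zip(combo, replacement):
                    chars[i] = r
                yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Every password the rule set can derive from the wordlist, deduplicated."""
    seen = set()
    for base in wordlist:
        for cased in case_variants(base):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    candidate = leeted + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def is_dictionary_crackable(password, wordlist=WORDLIST):
    """True if wordlist + rules reach the password, i.e. it is effectively weak."""
    return password in set(candidates(wordlist))


def audit(passwords, wordlist=WORDLIST):
    """Map each password to whether the rule-based dictionary attack finds it."""
    space = set(candidates(wordlist))
    return {p: p in space for p in passwords}


if __name__ == "__main__":
    sample = ["P@ssw0rd", "Admin123!", "dr4gon2025", "bS,wLtYdWdB?"]
    for pw, weak in audit(sample).items():
        verdict = "WEAK (dictionary + rules)" if weak else "not in this rule space"
        print(f"{pw:16} {verdict}")
    print(f"candidates generated from {len(WORDLIST)} words: {len(set(candidates()))}")
```

The point the numbers make: six base words and a few rules already cover “P@ssw0rd”, “Admin123!” and “dr4gon2025”. Real tools ship rule files with thousands of such transformations, which is why substituting a digit for a letter buys almost nothing.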

Among the unique passwords, several trends stood out. The most common lengths were eight, nine and ten characters, with eleven a close fourth. Eight characters is still the minimum most sites enforce; at least 12 is now considered the baseline for meaningful resistance to cracking.

Beyond length, the composition of these unique passwords added to their weakness. More than a quarter (27 percent) consisted solely of lowercase letters and digits. Another 20 percent mixed upper- and lowercase letters with numbers but used no special characters.

Those combinations are better than lowercase letters alone, but they remain exposed to brute-force attacks, in which software systematically tries every possible character combination. The search space grows with the size of the character set and, far more steeply, with length, so a short or poorly varied password falls quickly.

So, what can we learn from these insights? First and foremost, passkeys now stand out even more favorably in contrast. This newer alternative login method eliminates the need for memorization, is resistant to cracking and phishing attacks, and eliminates the requirement for typing or copy/pasting. If you haven’t started utilizing passkeys yet, it’s time to do so. They represent a significant advancement over traditional passwords.

If passkeys aren’t an option for you, consider taking these four steps:

1. Steer clear of easily recognizable words and phrases in your passwords.

2. Create unique passwords that are at least 12 characters long and include a mix of upper and lowercase letters, numbers, and special characters. The longer your password, the better, as computing power continues to increase. The accompanying chart illustrates how quickly AI could crack passwords in 2023—which was already two years ago.

3. Use a password manager. Nobody can remember dozens, let alone hundreds, of distinct passwords; a manager removes that burden and lets you generate much longer, random (and therefore stronger) logins. If your bank accepts passwords of up to 50 characters, there is no reason not to use them.

4. Activate software-based two-factor authentication (2FA) whenever possible. It’s best to use a separate application like Bitwarden Authenticator or Google Authenticator to generate your one-time codes. Text-message-based 2FA is another option, though it’s not as secure. If you opt for this, ensure you set a PIN on your mobile account to prevent number porting and safeguard the account with a strong password and 2FA to reduce the risk of account takeovers and SIM swapping attacks.

Improved password security may seem overwhelming, but it doesn’t have to be. Start with your most critical accounts and gradually extend your efforts. In time, you’ll leave behind the era of “password123456.”

You should secure your password manager with a single unpredictable master password, which you must remember yourself. Here’s how to go about it.

Most people are not fond of passwords. Eventually, they might be superseded by a new method, perhaps passkeys or something yet to be developed. However, many of us still rely on passwords daily, sometimes dozens or even hundreds, and recalling them all is simply impossible. If you pick an easily guessable password like your birthdate or your pet’s name, hackers can figure it out quickly. Even if you put in the effort to memorize an extremely random password like 4Y3s}#Rhkg7Y;A'5, it becomes ineffective if you use it across multiple sites, as a breach at any one service can compromise all your accounts. The best solution (and it’s a solid one!) is to utilize a password manager. With this tool, having a unique strong password for every site becomes effortless. We’ll guide you through the process.

Difficult to Guess Often Equals Difficult to Recall

Comprehensive password managers work seamlessly on all your devices, including desktops, laptops, smartphones, or tablets. They create unguessable passwords like Z~/NQ"e5=|OO=qf9, store them for you, and automatically log you into your secure sites with the stored credentials.

There is one catch. Almost every password manager locks all those individual passwords behind a single master password. It must be extremely strong, because anyone who learns it has every account you protect with it, and it must be memorable, unlike the gibberish a random generator produces. The vendor never stores it, which is why, if you forget it, nobody can recover it for you. The flip side is that a dishonest employee can’t read your vault, and the NSA can’t compel the company to hand over something it doesn’t have.

Assuming you’ve taken all the right precautions regarding security, such as installing antivirus software or a security suite, employing a Virtual Private Network (VPN) to encrypt your network traffic, and utilizing a password manager to manage your many passwords, you still face the challenge of remembering one incredibly secure master password to safeguard that password manager. Here are some suggestions for creating a password that is both memorable and secure.

1. Create Poetic Passwords

Everyone has a beloved poem or song they can easily recall. It might be a line from a Shakespeare play, a Taylor Swift song, or something humorous by the Bonzo Dog Doo Dah Band. Regardless of the text, you can transform it into a password. Here’s how.

Begin by jotting down the first letter of each syllable. Capitalize the letters for stressed syllables and keep any punctuation intact. Let’s use this line from Romeo and Juliet: “But soft, what light through yonder window breaks?” From this, you would derive bS,wLtYdWdB?. You could append A2S2 for Act 2, Scene 2 if that is something you’ll never forget. Alternatively, use 1597 as the year the play was published.

If the chosen passage lacks a strong rhythm, you can simply take the first letter of each word while maintaining the original punctuation and capitalization. Starting with the quote “Be yourself; everyone else is already taken. – Oscar Wilde”, you could create By;eeiat.-OW. Including a significant number would complete your password, possibly 1854 (his birth year) or 1900 (his year of death).

Your poetic password will undoubtedly be distinct from these examples. You’ll begin with your personally meaningful song or quote and transform it into a one-of-a-kind password that others cannot guess.
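The word-initial variant of this technique is mechanical enough to automate, so here is an added Python example (not from the original article) that turns a phrase into the acronym password described above, keeping case and punctuation in place and normalising the curly quotes and dashes that web pages paste in (an assumption on my part: you want characters you can type on any login form). The syllable-and-stress variant needs a human ear, so it is not automated here.

```python
# Typographic punctuation as pasted from the web, mapped to the ASCII key you can
# actually type on every login form (assumption: ASCII-only passwords wanted).
ASCII_PUNCT = {
    "\u2013": "-", "\u2014": "-",   # en dash, em dash
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
}


def acronym_password(phrase, suffix=""):
    """First letter of each word, original case, punctuation kept in order.

    This is the word-initial method from the article. An optional suffix such
    as a meaningful year is appended unchanged.
    """
    out = []
    for token in phrase.split():
        took_letter = False
        for ch in token:
            ch = ASCII_PUNCT.get(ch, ch)
            if ch.isalnum():
                if not took_letter:        # keep only the word's first letter/digit
                    out.append(ch)
                    took_letter = True
            else:
                out.append(ch)             # punctuation survives, in place
    return "".join(out) + suffix


def is_long_enough(password, minimum=12):
    """The 12-character floor the first article recommends."""
    return len(password) >= minimum


if __name__ == "__main__":
    wilde = "Be yourself; everyone else is already taken. \u2013 Oscar Wilde"
    for pw in (acronym_password(wilde), acronym_password(wilde, "1854")):
        print(f"{pw:20} length={len(pw):2} meets 12-char floor: {is_long_enough(pw)}")
```

Run against the Wilde quote it yields By;eeiat.-OW, exactly as in the text, and adding his birth year gets the result past the 12-character floor. The Shakespeare line gives Bs,wltywb? under this method, shorter than the syllable version, which is why a number on the end matters.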

2. Use a Passphrase as Your Password

Experts in password security repeatedly suggest incorporating all four character types: uppercase, lowercase, numbers, and symbols. The logic behind this is that by broadening the character pool, you significantly increase the time required to crack the password. However, simply making it longer also complicates cracking, and one effective way to create a lengthy, memorable password is to use a passphrase.

3. Extend Your Password Length with Padding

Renowned PC expert Steve Gibson advocates that the key to robust, lengthy passwords is to add padding. If an attacker is unable to break your password via a dictionary attack or other simple methods, the only option left is a brute-force attempt on all possible passwords. Every additional character significantly complicates this attack.

Gibson’s website features a Search Space Calculator that scores whatever you type by which character classes it uses and how long it is, then estimates how long an exhaustive brute-force search would take. It is a cracking-time meter rather than a strength meter: its figure is only meaningful if the password is not reachable by a dictionary attack, the precondition set out above. Watching the estimate leap with each added character is instructive.
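This added Python example (not from either article, and not Gibson’s own calculator code) reproduces the arithmetic behind the brute-force discussion earlier on the page and behind the padding argument here: the alphabet an attacker must assume is the union of the character classes present, the search space is every string up to that length over that alphabet, and padding with a repeated filler lengthens the password without adding a class. The symbol-class size of 33 (ASCII punctuation plus space) and the 10^11 guesses per second offline rate are assumptions chosen for illustration, not measurements.

```python
import string

# Character classes as a brute-force attacker would assume them. The symbol class
# is the 32 ASCII punctuation marks plus space (assumption: 33, matching the
# count the Search Space Calculator page uses).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def alphabet_size(password):
    """Sum of the sizes of every character class the password touches."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password):
    """All strings of length 1..len(password) over that alphabet: the
    worst-case number of guesses for an exhaustive attacker."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def crack_seconds(password, guesses_per_second=10**11):
    """Worst-case time at an assumed offline rate (10^11/s is a constructed
    ballpark for a GPU rig against a fast hash, not a measured figure)."""
    return search_space(password) / guesses_per_second


def pad(password, filler=".", length=20):
    """Gibson-style padding: lengthen with a memorable repeated filler."""
    return password + filler * max(0, length - len(password))


def describe(seconds):
    """Render a duration in the largest sensible unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    samples = ("password", "Tr0ub4d!", pad("Tr0ub4d!"), "passwordpassword", "bS,wLtYdWdB?1597")
    for pw in samples:
        print(f"{pw:22} alphabet={alphabet_size(pw):3} space={search_space(pw):.2e} "
              f"worst case {describe(crack_seconds(pw))}")
```

Two things to notice in the output. First, sixteen lowercase letters (“passwordpassword”) have a larger search space than eight characters drawn from all four classes, which is the “longer beats more varied” point from the passphrase section. Second, padding “Tr0ub4d!” out to 20 characters with dots leaves the alphabet at 95 but multiplies the space by roughly 95^12. The caveat from the text applies to both: “passwordpassword” is trivially found by a dictionary attack, and no search-space figure protects a password that is in a wordlist.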