Do you use any of these extremely popular – and eminently hackable – passwords? If so, we have a New Year’s resolution for you.
Security experts have been predicting the death of the password for well over a decade. But it’s still the main way we log-in to our online accounts and mobile applications. Why? Because we all know exactly how to use them. And many of us are reluctant to learn new ways. It may be time we did, because the truth is we don’t all know how to use passwords securely.
NordPass’s list of the top 200 most common passwords of 2022 tells us all we need to know. Passwords are a huge security risk. If yours is on the list, change it immediately. Even better, change the way you manage all of your log-ins. Waiting until it’s too late could cost you a lot of extra time, money and stress.
Why passwords matter
Our log-ins represent the keys to our digital lives – which today could be anything from our streaming services, online banking, and messaging, to ride hailing accounts and social media. Often we have card details and personal data stored in these accounts. That’s why they’re so popular on the cybercrime underground. One report from June revealed 24 billion usernames and password combinations circulating in online criminal marketplaces – a 65% increase on 2020 figures and nearly four for every person on the planet.
Criminals use a variety of techniques to get hold of passwords including:
- Phishing: One of the oldest tricks around. A scammer reaches out via email, text or phone pretending to be a trusted entity. Typically they’ll make up an excuse why you need to re-enter your login and other details.
- Brute forcing: Using automated tools, hackers can now use trial and error in an attempt to crack open accounts. Often they’ll feed in commonly used passwords to see if they produce a match.
- Credential stuffing: A type of brute force attack where hackers use previously breached passwords bought off the cybercrime underground. They then feed this into automated scripts to try in large quantities across multiple sites and apps simultaneously, to see if there’s a match.
- Keyloggers/info-stealers: Information stealing malware is sometimes spread by phishing emails or malicious mobile apps placed in app stores. Once on a device or machine it will covertly harvest passwords as they’re typed in.
- Shoulder surfing: Another oldie, and more common now that people are travelling again to work. Beware typing in passwords in public as they could be seen by eavesdroppers.
Once inside your account, hackers can steal any personal and card data stored therein. Or use it themselves in payment card and other fraud. The value of fraudulent payment card transactions in 2021 exceeded US$32bn, and is predicted to rise to US$38.5bn by 2027.
Most hackable passwords
Unfortunately, many internet users are making life easier for the bad guys. According to a 3TB database of passwords spilled in security incidents, the most popular across 30 countries was “password,” with nearly five million hits. Second came “123456” followed by the slightly longer “123456789.” Rounding out the top five were “guest” and “qwerty.” Most of those log-ins can be cracked in less than a second.
You can browse through the whole list on NordPass’s website, but here are the 20 that topped the list this year.
The world’s 20 most common passwords in 2022 (source: NordPass)
Aside from these most basic of passwords, researchers see similar patterns emerging every year. Particular all-time favorites include:
- Sports teams: e.g., football team “Red Star Belgrade,” which had a count of over 58.5 million.
- Fashion brands: e.g, “tiffany,” which was used nearly 14.8 million times.
- Swear words: The most popular of which was f*ck, used over 21 million times.
- Musical artists: Topped by U2, with over 33 million hits.
- Movies: The most popular was “leon” with 6.4 million passwords.
- Cars: Over eight million users had “mini” as their password.
- Video games: The most popular in 2022 was “arma” with over 6.2 million users.
- Food: Almost 8.6 million passwords used the word “fish.”
Even worse: if we reuse these passwords, write them down in plain sight or share them with others, it will make life even easier for would-be hackers and fraudsters. And if we use the same passwords at work as in our personal lives, we might even be exposing our employer to possible cyber-risk. That might have even more serious repercussions if hackers are able to steal corporate data as a result.
How to get password security right
Fortunately, password security is one of the easiest things we can get right – with some instant benefits for our digital lives. Consider the following tips to help protect your personal and financial information:
- Always use complex and unique passwords or passphrases – that way, it will be harder for hackers to crack them or perform credential stuffing. This video will put you on the right track:
- Never reuse passwords or credential stuffers may be able to open multiple accounts if they get hold of a single login.
- Don’t share your passwords as others could misuse them, even if unwittingly.
- Close any unused accounts because these may represent a security risk if you haven’t noticed they’ve been breached.
- Use a password manager and consider using it also a password generator. The password vault will automatically suggest and store any long, strong and unique passwords. And it will log you in on any relevant site – all you need is the master password for the tool.
- Check password strength regularly and update any that are too weak or out of date.
- Add multi-factor authentication (MFA) where possible – most accounts now have an option to do so. It adds an extra layer of security to passwords by requiring another “factor” for authentication, such as a face or fingerprint scan, or a one-time passcode
- Don’t log-in on public Wi-Fi as digital eavesdroppers on the same network may be able to snoop on your passwords.
- Use security solutions from a reputable company to guard against info-stealers and other malware, as well as against phishing attacks and other threats.
- Beware shoulder surfers when out and about. Consider using a screen protector for your laptop.
- Don’t click on suspicious links in unsolicited emails and texts. If in doubt, contact the sender directly, not by returning the message but by Googling their contact details.
- Only log into sites using HTTPS as these are secured and therefore offer extra protection from attacks that can intercept your login details.
- Sign up for a service that checks if your password has been caught up in a data breach.
You might have many New Year’s resolutions heading into 2023. But if your own passwords appear on the list above, improving your password security will be one of the most important of them.
by Phil Muncaster, ESET