Avoid Creating Weak Passwords

You have likely heard that using strong passwords is an integral part of protecting a company's data. But do you know what makes a password strong or weak? To find out, here is a quick quiz:

Take a look at the list of passwords below. (The quotes are not part of the passwords.) Which of the following are strong passwords?

  • "football"
  • "123456"
  • "qwertyuiop"
  • "passw0rd"
  • "1qaz2ws"

The answer is none of them. In fact, all these passwords were on SplashData's "Worst Passwords of 2015" list. Knowing why these passwords are weak can help you avoid making the same mistakes when you create your own passwords.

"football" (No. 7 on the Worst Passwords List)

The password "football" is weak on several fronts. First, it includes only lowercase letters instead of a mix of uppercase and lowercase letters. Further, it is a word that you can find in a dictionary. Cybercriminals often use software that systematically tries every word in a dictionary as a password. This is known as a dictionary attack.

Besides not using words in the dictionary as passwords, you should not use proper nouns or foreign words. You should also steer clear of creating passwords that incorporate business or personal information. For example, do not use a password based on when and where you started your business, or an activity you enjoy. It is easy for cybercriminals to obtain business and personal information on social networks, such as LinkedIn and Facebook.

"123456" (No. 1 on the Worst Passwords List)

What is wrong with using a password like "123456"? To begin, it is too short. The shorter the password, the easier it is to crack. More important, it incorrectly uses numbers. Passwords should contain numbers but not in obvious strings (e.g., "7777777"). Cybercriminals often try entering strings of numbers before launching the more time-consuming dictionary attacks.

"qwertyuiop" (No. 22 on the Worst Passwords List)

While the length of "qwertyuiop" is adequate (10 characters long), this password does not include any numbers or uppercase letters. What is worse is that this password is common, as it is the top row of letters on a computer keyboard. Cybercriminals know which passwords are popular, so they will try them first.

"passw0rd" (No. 24 on the Worst Passwords List)

This password contains both letters and a number, which is good. However, it does not contain any uppercase letters and it is commonly used. It is not as popular as "password", though, which is No. 2 on the worst passwords list.

"1qaz2wsx" (No. 15 on the Worst Passwords List)

At first, "1qaz2wsx" might look like it is a strong password, but it is not. Besides containing only lowercase letters, it is a well-known password among cybercriminals. On a computer keyboard, it is the first two columns of keys containing numbers and letters.

Guidelines for Creating Strong Passwords

When creating a password, follow these guidelines:

  • Think of a long, random password that is hard to guess. At the minimum, the length should be eight characters — the longer, the better.
  • Use numbers but not in a predictable pattern.
  • Use uppercase and lowercase letters.
  • Use special characters (e.g., percent sign, exclamation point, dollar sign) when possible.

An example of a strong password is "8%&KY4&$XzwMhfrk". On an average computer, it would take a cybercriminal more than 10,000 centuries to crack this password using a brute-force password-cracking tool, according to Kaspersky Lab. These tools try every possible character combination as a password. Even on the world's fastest supercomputer, Tianhe-2, it would take a cybercriminal a year to crack "8%&KY4&$XzwMhfrk". In contrast, it would take a cybercriminal one second to crack "passw0rd", "qwertyuiop", "football", and "123456" on a home computer. Cracking "1qaz2wsx" would take 33 seconds.

As part of a security assessment, your IT service provider can help you determine whether your organization's passwords are adequate. If you are having trouble creating strong passwords, ask your IT service provider to recommend a password manager that you can use. Password managers automatically create strong passwords and securely store them for you.