New analysis of one billion leaked credentials reveals that most people reuse weak passwords

nanoguy

Why it matters: Companies like Google and Microsoft, and even non-profits like the National Cyber Security Alliance, all want to kill the password in the near future. In the meantime, passwords remain the most widely used way of securing online accounts, and people aren't getting any better at choosing ones that would make life harder for attackers.

Every year the same finding comes back: more and more people are picking the worst possible passwords to secure their devices and online accounts. Many still insist on the classic "123456" and "qwerty," or an equally unsophisticated combination of the two. Even worse, study after study has shown that many users don't change their passwords even after their credentials are exposed in a data breach.

A new analysis conducted by Turkish student Ata Hakçıl at a university in Cyprus found the same theme of weak passwords being reused. After looking at large data dumps of username and password combinations that have been leaked over the last decade in various data breaches, Hakçıl noted that one out of every 142 passwords was "123456."

Image: Randall Munroe | XKCD.com

Despite years of effort by security researchers and online services to push users toward more complex passwords, only 40,000 of the one billion passwords analyzed were of the "high entropy" type, meaning they are harder to guess thanks to their length and their mix of digits, uppercase characters, and special characters. One caveat worth keeping in mind: entropy estimated from length and character classes measures the brute-force search space, not how quickly a dictionary or rule-based cracker would find a password, so a long but predictable string can score well on that measure and still fall quickly.

Security experts now tend to recommend long passwords or passphrases over short random strings that are hard to remember. The average length of the passwords in the study is a little over nine characters, which is above the eight-character minimum recommended by the National Institute of Standards and Technology but below the FBI's recommended length of at least 15 characters.
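To make the three figures above concrete (the share taken by a single password such as "123456", the average length, and the "high entropy" share), here is an added example that is not the study's own code: it runs the same kind of statistics over a small constructed dump. The entropy estimate is the usual length times log2(alphabet size) upper bound, and the 60-bit "high entropy" cutoff is an assumption, since the article does not give the study's threshold.

```python
"""Password-dump statistics of the kind reported in the analysis above.

Added example, not the study's own code. SAMPLE_DUMP is a constructed
sample, not breach data, and HIGH_ENTROPY_BITS is an assumed cutoff.
"""
import math
from collections import Counter

# Constructed sample of "leaked" passwords (not real breach data).
SAMPLE_DUMP = [
    "123456", "123456", "qwerty", "password", "123456789", "qwerty123",
    "iloveyou", "letmein", "sunshine", "Summer2019!",
    "correct horse battery staple", "Tr0ub4dor&3", "xK9#pLm2$vQ7wRt4",
    "abc123", "123456",
]

HIGH_ENTROPY_BITS = 60.0  # assumed threshold; the article gives none


def charset_size(pw: str) -> int:
    """Size of the alphabet the password appears to be drawn from, based on
    which character classes occur (lowercase, uppercase, digits, other)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Upper-bound estimate: length * log2(charset size).

    This is the brute-force search space, not real guessability: it rates
    "123456789" and dictionary phrases far higher than a cracker's wordlist
    would, which is exactly why strength meters built on it are easy to fool.
    """
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def analyse(dump):
    """Summary statistics in the shape the article quotes: most common
    password and its 'one in N' share, mean length, high-entropy share."""
    counts = Counter(dump)
    total = len(dump)
    most_common, most_common_n = counts.most_common(1)[0]
    high = [pw for pw in dump if estimated_entropy_bits(pw) >= HIGH_ENTROPY_BITS]
    return {
        "total": total,
        "unique": len(counts),
        "most_common": most_common,
        "one_in": round(total / most_common_n, 1),      # "one in every N"
        "mean_length": round(sum(map(len, dump)) / total, 2),
        "high_entropy_share": round(len(high) / total, 4),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Note how "correct horse battery staple" scores highest purely on length, which is the point of the XKCD panel above, while "Tr0ub4dor&3" only looks strong under the character-class rule.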

Companies like Google are trying to stop people from reusing passwords through tools like the Security Checkup dashboard, which has since been integrated into Chrome. Apple is adding a similar feature to Safari in macOS Big Sur, and you can always check Troy Hunt's Have I Been Pwned database to see whether one of your accounts, or a password you use, has appeared in a known breach.
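A breached-password check does not have to mean sending your password to a third party. The Pwned Passwords part of Have I Been Pwned uses a k-anonymity range query: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The following is an added example, not HIBP's or Google's own code; the "server" side is a constructed stand-in with made-up counts so the example runs offline. Against the real service the same prefix would be fetched over HTTPS from api.pwnedpasswords.com/range/<prefix>, which returns one "SUFFIX:COUNT" line per hash in that range.

```python
"""k-anonymity breached-password lookup, in the style of HIBP Pwned Passwords.

Added example, not HIBP's own code. CONSTRUCTED_CORPUS and
constructed_range_response() are local stand-ins for the real service.
"""
import hashlib

# Constructed breach corpus: password -> number of times "seen". Made-up counts.
CONSTRUCTED_CORPUS = {"password": 1000, "123456": 5000, "qwerty": 300}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Client side: only the 5-character prefix leaves the machine; the
    35-character suffix stays local and is compared against the response."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def constructed_range_response(prefix: str) -> str:
    """Stand-in for the server: every suffix in the corpus whose SHA-1 starts
    with `prefix`, one 'SUFFIX:COUNT' per line, as the real API formats it.
    A real range holds hundreds of hashes, so the prefix alone tells the
    server almost nothing about which password is being checked."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=constructed_range_response) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    fetch_range(prefix) -> response text. Swap in an HTTPS fetch of
    https://api.pwnedpasswords.com/range/<prefix> to query the real service.
    """
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "123456", "xK9#pLm2$vQ7wRt4"):
        print(f"{pw!r}: seen {breach_count(pw)} time(s)")
```

A password that comes back with a non-zero count has been circulating in dumps and should be treated as cracked regardless of how strong it looks; the check is a complement to, not a substitute for, a password manager and multi-factor authentication.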

Still, powerful hardware and artificial intelligence have made guessing passwords a lot easier in recent years, which is why password managers that can remember much longer passwords for you are so popular nowadays. It also doesn't hurt to use multi-factor authentication.


 
+1 for using that graphic. It's my favourite to use against stupid password rules that are determined by non-logical people.

Otherwise, most people don't have the memory/time to deal with passwords. And then usually having 3 tries to guess a password doesn't help (to then just reset it to a "new" one).

Even with a password manager, I forget passwords, or they don't update, or they don't paste, etc. and it's sometimes just easier to not deal with it...
 
Did they consider what the passwords are used for? If I have a password for banking, I have a strong password. If it's for something like a free Spotify account, I don't worry about password strength and make it something easy to remember. If someone hacks or guesses a free Spotify account, the damage is basically nothing.
 
I never get tired of hearing how stupid people are when it comes to security of their devices. It makes me very happy that the hackers have a field day with them and leave the rest of us that apply even a modicum of common security sense to our own equipment. For passwords I use a fairly complicated one I can remember and back it up .... on a notebook in the drawer of my desk at home. Both cats have been told there will be a whole tuna bounty for every person they take down, that tries to sneak in and get that bounty. I kind of wish one of them would do it because that damn tuna is taking up nearly all of the deep freeze!
 
I've been trying to use longer passwords. There are still a lot of places that require you to use a mix of caps, numbers and special characters.

My only issue with multi-authentication is when something happens to your phone....
 
I never get tired of hearing how stupid people are when it comes to security of their devices. It makes me very happy that the hackers have a field day with them and leave the rest of us that apply even a modicum of common security sense to our own equipment. For passwords I use a fairly complicated one I can remember and back it up .... on a notebook in the drawer of my desk at home. Both cats have been told there will be a whole tuna bounty for every person they take down, that tries to sneak in and get that bounty. I kind of wish one of them would do it because that damn tuna is taking up nearly all of the deep freeze!

Yeah, the old bear in the woods - I can run faster than you. Applies a lot in life - rob the neighbour's house, not yours - rob another tourist who's drunk with bling.

As opposed to the graffiti or broken-window principle - fix it quick to stop the rot - this pisses me off mightily about VISA and the banks - if they had gone hard early they could have stopped 90% of fraud - but 1 to 2% is acceptable!!! - now the crims are well established and will try harder to break anything new - then again the USofA has persisted with some of the easiest-to-counterfeit money in the world - must keep it green/black on paper, as it is in the 2nd amendment along with the right to wage war
 
Still think someone should make their password "incorrect". That way when they type it in wrong, it will pop up and say "your password is incorrect". LOL
The machines we sell default to 123456 as the admin password. When installed, the installer tells them to change it. It's amazing how many come back 4-5 years later with 123456 STILL as their password. Back in the day when they came with a paper user's manual, it was wrapped in plastic. I swear, I could slip a post-it note in there with "call this number to claim 50 dollars" and 4-5 years later, I would never get a call asking for the 50 bucks.
End users sometimes just never learn.
 
It's nice to see everybody blaming "stupid users" and nobody blaming "annoying forced registrations on trash sites just to see that one piece of info". For example, username "letmein" with password "letmein", well geeee, I wonder why anyone would use such a combination on a trash site, which will most probably sell your email to a spam-flood service... But it's nice that somebody has already registered with such a combination so the next new user doesn't have to sacrifice anything.
I'm really tired of seeing these stupid articles blaming users. And never an article about statistics of details, DETAILS. It's like watching those low-intellect memes under r/memes which think they are made by the universe's wisest lifeforms.
 
The worst password validation I've ever seen was on an app that had a password length requirement of 8-16 characters. Yep, you read that right, there was a maximum length limit of just 16 characters.
 
Mobile phones for verification are a pain unless you have good eyesight, and they are not too complicated to hack or track. I have only come across Google that is happy to send a verbal code to a landline, though there are websites that will use email as verification (until MailChimp goes down). It's all hackable; it really depends on how desperate the hackers are.
 