After years of security breaches at the companies we trust with our data and zero-day security exploits against the back-end systems those companies use, you might expect that we’ve gotten better at picking passwords for our financial, shopping, email, and gaming sites, right?
Researchers go through the stolen user databases and compile lists of the most common passwords every year. One of the best lists this year comes from the company behind NordPass, a company that makes, you guessed it, a password manager. The NordPass bad password site lists the top passwords, the number of times the password appeared, and an estimate of how long it would take for the bad guys to crack it.
You can check out the list at https://nordpass.com/most-common-passwords-list/
Here are the top twenty passwords for 2021: #1-123456 #2-123456789 #3-12345 #4-qwerty #5-password #6-12345678 #7-111111 #8-123123 #9-1234567890 #10-1234567 #11-qwerty123 #12-000000 #13-1q2w3e #14-aa12345678 #15-abc123 #16-password1 #17-1234 #18-qwertyuiop #19-123321 and #20-password123.
When criminals steal a database of email addresses and passwords, they usually sell the database to more-specialized thieves that try to use the information.
If spammers buy the database, they’ll try to impersonate people using the stolen email address and password to send out spam. If phishers buy the database, they might send phishing emails out to the email addresses in the database, or they might use the stolen credentials to send out phishing emails that look like they came from the stolen users. They’ll probably do both.
Other thieves might use a database of email credentials from one site and try them on other sites. So, for example, if an email address and password came from a database stolen from Target, the thieves might try to use the credentials at other shopping or banking sites, which is why we don’t want you to use the same password everywhere.
Even if you use long, complicated passwords and have different passwords for every site you visit, these data breaches happen at a corporate level. That means no one is hacking your computer to get your passwords. Instead, they’re stealing them from the companies that store your information.
Here are the levels of password security:
Level 0: Choose your password
Level 1: Use a password manager to generate random passwords for your sites
Level 2: Use two-factor authentication (2FA.) 2FA means getting either an email or a text containing a security code for the site you’re visiting. Two factors refer to 1) something you know, your password, and 2) something you have, a security code. The security code changes each time you visit the site.
Level 3: Use an authenticator app instead of email or SMS-based 2FA. Authy, Google Authenticator, and Microsoft Authenticator are examples of authenticator apps. Technically, authenticator apps are still 2FA, but using an app makes them more convenient.
Level 4: Use a security key or use an authenticator app that uses a security key. Security keys are physical devices that plug into your computer and store the security information about you and the site you’re connecting to. Security keys use the FIDO U2F standard jointly developed by Yubikey and Google. For example, journalists and high-end corporate and government employees may need to use security keys online.
For most people, a password manager provides the best level of password security. But even then, when you find out about a data breach, see if you have an account there, and if you do, use your password manager to change that password.
Am not. Are too!
My wife wanted to talk about how childish I am, but she didn’t have the secret password to my pillow fort, so she couldn’t get in
Do you have a computer or technology question? Greg Cunningham has been providing Tehachapi with on-site PC and network services since 2007. Email Greg at email@example.com.