You may think that having a strong, secure password for your online accounts is obvious, but not everyone follows cybersecurity guidelines when it comes to creating passwords. Every year, research firms collect data on the most commonly used passwords. And year after year the data show that, in general, people are using the same weak, easy-to-crack passwords. To make matters worse, 45% of people do not consider password reuse to be a serious problem (InfoSecurity Magazine, 2020).
Findings from this year continue to be released and sadly it’s the same story! In fact, “51% of people use the same passwords for both work and personal accounts“(DataProt, 2022).
Here you can see the top 10 most commonly used passwords in the United States in 2021. Researchers also calculate how long each password takes to crack. All of these can be cracked in less than a second.
| Rank | Password |
| 1 | 123456 |
| 2 | password |
| 3 | 12345 |
| 4 | 123456789 |
| 5 | password1 |
| 6 | abc123 |
| 7 | 12345678 |
| 8 | qwerty |
| 9 | 1111 |
| 10 | 1234567 |
Why is this important?
Because poor password hygiene habits make it easier for criminals to commit cybercrimes, leaving residents, employees, and yourself at risk.
- Most data breaches involve the use, or misuse of weak, stolen, or default passwords.
- In recent years there has been an increase in cyberattack methods called ‘credential phishing and credential stuffing’. This is when criminals trick people, using in a phishing email, into revealing their account log in information. These log in credentials are often sold to other criminals who use special software to try thousands of “matches” at a time; cross-referencing the stolen usernames, login IDs, and passwords that work on one website with other websites. When they find a match—meaning the victim’s username and password from site A are the same ones they use on site B—criminals can use that information to steal money and more identifying information.
- This strategy works because the vast majority of people—up to 83% according to recent research—use the same password for more than one account. This is a hacker’s dream scenario. All they need is one password and they can access all of that person’s accounts. If we continue to use the same login and password for multiple sites, credential stuffing will continue to be an issue.
What can you do?
- Use the longest password or passphrase allowable by each password system. Every character you add makes your password that much more difficult to crack. Many computers now have password generators that can help you come up with complex passwords, and store them safely.
- Always use different strong and secure passwords for different accounts and devices so that if attackers do guess or steal one password, they will not have access to all of your accounts.
- Don’t use personal information (e.g., pet’s names, birthdates, anniversaries), dictionary words, or system defaults as your password. They are way too easy for criminals to crack.
- Sharing too much information on social media can allow attackers to guess passwords (if they have been based on personal information) or extract a company’s confidential information through posts by employees.
- Use a password manager to keep all of your long, complex passwords secure.
Are your teams prepared for a cyber attack?
Passwords are the first line of defense against cybercriminals who are trying to steal your personally identifiable information. The strong and secure your passwords are, the more protected you’ll be. To learn about this and other ways to avoid being the victim of online crime, learn about Grace Hill’s cybersecurity training series and policy management solutions.
