Tired of coming up with the “right” passwords for your online accounts? If so, you’re in good company: Millions of people would rather shovel snow, get stuck in a traffic jam, or deal with a flight delay than reset their passwords.
Still, you’ll want to pay very close attention to why some of the most common passwords are also the most dangerous ones to use.
Read on to learn how to keep your online identity safe.
Why Using Common Passwords is Risky
Explaining the concept of common passwords
Yes, we humans are creatures of habit. When faced with time constraints and decision fatigue (experts say the average person makes 35,000+ decisions a day), our ability to make optimal choices diminishes, and we fall back on routine.
But why routine?
The fear of loss (rather than the prospect of gain) drives our most innate behaviors. In our fast-paced world, we fear the loss of time, speed, and ease. Thus, we’re invested in believing our passwords are “good enough” and that there’s minimal risk in using them.
This is why the most popular passwords are also the most commonly used passwords.
The implications of using common passwords
People make decisions based on their available experience. If they’ve never been hacked, the prospect of harm stemming from their password habits seems overblown.
So, even though weak passwords are a liability, the time and effort associated with password management feels like a greater loss.
Cybercriminals exploit this complacency to perpetrate increasingly sophisticated hybrid credential attacks worldwide. These hybrid attacks combine dictionary and brute-force techniques to gain access to your personal data. In all, cybercrime costs consumers upwards of $8.8 billion annually.
How Hackers Exploit Common Passwords
Methods used by hackers to guess common passwords
Besides hybrid password attacks, hackers also employ these methods to guess common passwords:
- Social engineering attacks: These techniques exploit human psychology and behavior. According to Christopher Hadnagy’s Social Engineering: The Science of Human Hacking, “the goal of the social engineer is to get you to make a decision without thinking. The more you think, the more likely you are to realize you are being manipulated.”
Hadnagy contends that OSINT (open-source intelligence) is the lifeblood of every social engineering attack. With 4.48 billion indexed websites, hackers may well be able to gather enough intelligence about you to crack your passwords (especially if they consist of the most common words).
- Hashcat mask attacks: This type of attack is an advanced version of a brute-force attack. Instead of trying every possible combination of characters, a mask attack uses placeholders to represent suspected known elements of a password.
A common password format is pairing a name with a birth year, such as “matt1986.” That’s four lower-case letters (the mask for lower-case is ?l) and four digits (the mask for digits is ?d). So, we’re looking at ?l?l?l?l?d?d?d?d. Hashcat generates all possible combinations matching that mask. Each generated password is then hashed and compared against the target hash.
- Rainbow table attacks: In a rainbow table attack, hackers compare stolen hashes against precomputed ones. For each match, they replay the chain that produced it to recover the original plaintext password associated with the stolen hash.
- Rule-based attacks: In a rule-based attack, hackers use rule sets to guess passwords. First, they compile a wordlist. Then, they use a specialized tool like Hashcat to apply rule sets (transformation rules) to the base words. For example, a rule may substitute similar-looking symbols for letters, transforming “password” into “pa$$w0rd.”
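To make the mask and rule-based items above concrete, here is an added example (not code from the original article or from LastPass): it computes how many candidates a Hashcat-style mask such as ?l?l?l?l?d?d?d?d covers, checks whether a password falls inside that mask, and undoes the “pa$$w0rd” style substitutions to test a password against a wordlist. The leet map, the wordlist and the function names are assumptions made for the demo.

```python
import string

# Hashcat-style mask character classes, as used in the "?l?l?l?l?d?d?d?d" example.
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]

# Hypothetical inverse of the substitution rules the article describes ("password" -> "pa$$w0rd").
LEET = {"$": "s", "5": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "@": "a", "7": "t"}
# Constructed wordlist for the demo; a real check would use a leaked-password list.
WORDLIST = {"password", "welcome", "letmein", "qwerty"}

def parse_mask(mask):
    """Turn a mask such as '?l?l?d?d' into one charset per position."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    if any(len(t) != 2 or t[0] != "?" or t[1] not in CHARSETS for t in tokens):
        raise ValueError(f"unsupported mask: {mask!r}")
    return [CHARSETS[t[1]] for t in tokens]

def keyspace(mask):
    """Number of candidates a mask attack must try to exhaust the mask."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total

def matches_mask(password, mask):
    """True if the password is one of the candidates the mask would generate."""
    sets = parse_mask(mask)
    return len(password) == len(sets) and all(c in s for c, s in zip(password, sets))

def normalize_leet(password):
    """Undo the common symbol substitutions so 'pa$$w0rd' compares as 'password'."""
    return "".join(LEET.get(c, c) for c in password.lower())

def weakness_reasons(password, masks=("?l?l?l?l?d?d?d?d",), wordlist=WORDLIST):
    """Explain why a password would fall quickly to the attacks above, or return []."""
    reasons = []
    for mask in masks:
        if matches_mask(password, mask):
            reasons.append(f"fits common mask {mask} ({keyspace(mask):,} candidates)")
    base = normalize_leet(password)
    if base in wordlist:
        reasons.append(f"leet-speak variant of dictionary word {base!r}")
    return reasons
```

Compare the keyspace of the eight-character mask with that of a sixteen-character generated password (`"?a" * 16`) to see why length and unpredictability matter more than clever substitutions.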
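For the rainbow table item, an added example (not the article’s or LastPass’s code) that builds a tiny rainbow table over 4-digit PINs, replays a chain to recover a plaintext from its hash, and goes one step beyond the text by showing that a per-user salt leaves the precomputed table useless. The PIN space, chain length and reduction function are constructed for the demo.

```python
import hashlib
# Toy plaintext space: 4-digit PINs under unsalted SHA-256. The space is tiny so the
# demo runs instantly; the chain/endpoint structure is the same for real tables.
ALPHABET = "0123456789"
LENGTH = 4
CHAIN_LEN = 40
SPACE = len(ALPHABET) ** LENGTH

def h(text):
    return hashlib.sha256(text.encode()).hexdigest()

def reduce_(digest, step):
    """Map a digest back into the PIN space; mixing in the step index gives each
    link of the chain a different reduction function (the 'rainbow' in the name)."""
    n = (int(digest, 16) + step) % SPACE
    out = ""
    for _ in range(LENGTH):
        out = ALPHABET[n % len(ALPHABET)] + out
        n //= len(ALPHABET)
    return out

def build_table(starts):
    """Precompute chains but store only their endpoints: {chain end: [chain starts]}."""
    table = {}
    for start in starts:
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_(h(p), step)
        table.setdefault(p, []).append(start)
    return table

def lookup(table, target):
    """Find the PIN whose hash is `target` by replaying the chain that produced a
    matching endpoint: the 'reconstruct the process' step described in the article."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_(target, pos)              # assume target sits at link `pos`
        for step in range(pos + 1, CHAIN_LEN):
            p = reduce_(h(p), step)           # walk the rest of the chain to its end
        for start in table.get(p, []):        # re-walk from the start to recover it
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), step)
    return None

def salted_hash(salt, text):
    """Per-user salt: the table above was built for h(pin), not h(salt + pin)."""
    return h(salt + text)
```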
Real-life examples of data breaches due to weak passwords
Three major password-related breaches occurred by mid-2024:
- In January, the MOAB saw the release of a monster “combo file” of more than 26 billion records. Many of the records were from previous breaches. A wide range of data, aside from passwords, was included in the file.
- The AT&T breach in March involved 70+ million current and former customers. Compromised information included Social Security numbers, email and mailing addresses, birthdates, and passcodes. Hackers were able to extort affected customers, obtaining payments amounting to 36 bitcoins (worth $2.5 million at the time). Meanwhile, a second breach in July affected nearly all AT&T customers.
- RockYou2024 is currently the world’s largest password-related breach at nearly 10 billion passwords compromised. Overall, the massive compilation constitutes breach data spanning two decades.
Cybercriminals rely on leaked passwords to carry out credential stuffing attacks, such as the one against Snowflake, which resulted in breaches at organizations using the platform (AT&T, Ticketmaster, and more than 150 other corporations).
Best Practices for Creating Strong Passwords
The #1 tip for creating unique, complex passwords
With the explosion of Big Data environments, the resulting cognitive overload has led to rising levels of worry, tension, and anxiety across the world.
This authentication fatigue fuels password reuse and, in turn, account takeovers: in a recent Forbes Advisor study, 30% of respondents believe their accounts were compromised due to using the same credentials across multiple platforms.
Creating unique, complex passwords need not become a cognitive burden. You can create strong passwords easily and quickly with our password generator.
According to the same study, 75% of respondents have had personal data stolen from hacked accounts, but only 18% use generated passwords.
Our free password generator can easily create complex, unpredictable passwords that are extremely difficult for attackers to guess – and it takes only a few minutes to use.
Two-factor authentication and its role in password security
Two-factor or multi-factor authentication adds an extra layer of security by requiring another factor for authentication. So, even if an attacker manages to obtain your password, they can’t access your accounts without the second factor.
Educating Others About the Risks
How to raise awareness about common password dangers
One way to raise awareness about common password dangers is through security awareness training:
- Organizations with consistent awareness training programs enjoy a 70% reduction in security-related risks.
- Investment in these programs results in 3X ROI for the organizations.
If you’re interested in learning more about password or cybersecurity best practices, check out CISA’s free cybersecurity awareness program.
Teaching children and seniors about password security
Young children are increasing their digital footprint as we head into 2030:
- 24% now own smartphones, while 76% use tablets regularly.
- They’re on WhatsApp (37%), TikTok (30%), and Instagram (22%).
- 48% even have personal profiles on YouTube.
Our youngest users are also chatting on Skype and sharing pictures on Facebook. Their older teen siblings are equally engaged, with many admitting they’re on Snapchat, YouTube, and TikTok almost constantly.
With families increasingly separated by physical distance, social media and video call platforms have become indispensable in strengthening generational bonds.
Yet this increased activity, coupled with the use of weak passwords, is putting everyone at risk for credential-based attacks, scams, and identity theft. Using age-appropriate tools to teach children, teens, and seniors about password security is critical to their digital safety.
During a 2022 EU research project, researchers successfully used playful techniques to raise awareness about online security among young children. Using role-playing exercises and online tools to test the strength of different passwords can also be particularly effective when educating young children and teens.
Meanwhile, older adults may benefit from free cyber safety courses they can complete on their own time.
Staying Secure With LastPass
Introducing LastPass as a password management solution
A robust password manager is your best bet against credential-based attacks.
At LastPass, our password vaults are protected by AES-CBC-256 encryption. We also announced in May 2024 that we’ll be encrypting URLs in all password vaults. This ensures that every URL related to sensitive accounts such as banking, ecommerce, and health is inaccessible to prying eyes.
Our vaults are also Zero Knowledge, which means no one at LastPass can access their contents.
How LastPass helps protect against common password vulnerabilities
Here’s what LastPass can do to keep your passwords safe:
- Strong Password Generation: Create long, unique passwords with our Password Generator.
- Secure Storage: Keep your credentials safe in a digital vault that can only be accessed by you.
- Autofill Capability: Use autofill to prevent password fatigue. LastPass will fill in your login info automatically and securely when site URLs match those stored in your vault.
- Dark Web Monitoring: Protect yourself from hacked accounts with LastPass Dark Web monitoring. If your passwords become compromised, you’ll receive an alert to change them.
- URL Encryption: Enable URL encryption to store every URL in your vault in an encrypted state.
Protect your online identity – start your free LastPass Premium trial today.