When people create an online account requiring a username and password, many choose one of the most common passwords because they are easy to remember. The password may be a memorable string of keyboard characters (e.g., “qwerty”), a person's name (e.g., “ashley”), the name of a device they are using (e.g., “samsung”), or some other phrase that means something to them (e.g., “letmein”).
The problem with choosing a password that is easy to remember is that it is also easy to crack with a brute force algorithm. The more common the password, the quicker it is to crack, because cybercriminals program their brute force tools to try the most common passwords first. But how do cybercriminals know which passwords are the most common?
In 2019, a database of email addresses and passwords known as Collection #1 was published on the dark web. The database contained 773 million exposed addresses and passwords drawn from over two thousand data breaches, and from it security experts were able to compile lists of the most common passwords. Subsequent password dumps (Collections #2 to #5) are still being analyzed.
How to Tell If You Are Using a Common Password
The lists of the most common passwords have been added to the Have I Been Pwned database in a new section called “Pwned Passwords”. You can visit the site, enter your password, and find out how many times the password has been exposed in a data breach. Using this source of information, we can tell that the four passwords mentioned in the introduction are particularly bad choices:
- “qwerty” appears almost 4 million times in the database due to millions of people using this string of keyboard characters as a password.
- “ashley” appears 444,354 times in the database – not because it is a popular name, but because the list includes exposed passwords from the Ashley Madison data breach.
- “samsung” is the most popular technology provider that appears on the list – mentioned 325,915 times – while the “letmein” password appears a relatively modest 221,976 times.
When using this source to find out whether you are using a common password to protect an online account, be aware that if your password appears it does not necessarily mean your online account has been compromised. Cybercriminals would still need to know your username to access the account. Nonetheless, it is a good idea to change your password to something more complex.
How to Avoid Using the Most Common Passwords
There are several ways in which you can avoid using the most common passwords. You could try every possible combination on the Pwned Passwords database until you find one that has never been exposed, or you could use a password generator to create a complex password consisting of letters, numbers, and special characters. Some sites now also allow you to use emojis in passwords.
While the first option is going to be time consuming, the second is likely to result in a password that is not easy to remember. Consequently, it is a good idea to use a password manager to remember the password and autofill your login credentials when you visit an online account. There are many types of password manager available, so we have compiled a guide to password managers, which includes links to further help on choosing the best password manager for your needs.
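The two sections above describe checking a password against Pwned Passwords and then generating a complex replacement. As an added example that is not part of the original article, the Python below shows how that check works under the hood: the client hashes the password with SHA-1, sends only the first five hex characters to the real range endpoint https://api.pwnedpasswords.com/range/<prefix>, and matches the remaining 35 characters locally against the returned "suffix:count" lines, so the full password (and its full hash) never leaves the machine. It also includes a CSPRNG-based generator for the second section's advice. The CONSTRUCTED_COUNTS figures and the constructed_fetch stand-in are my own placeholders so the code runs offline; they are not the real Pwned Passwords counts. live_fetch talks to the real API and is only used when you call it explicitly.

```python
import hashlib
import secrets
import string
import urllib.request
from typing import Callable, Dict, Tuple

# Pwned Passwords range API: only the first 5 hex chars of the SHA-1 ever leave the client.
PREFIX_LEN = 5
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return digest_hex[:PREFIX_LEN], digest_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated in the real API) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus served by fetch_range (0 if never seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Fetch a real range from the Pwned Passwords API (needs network; not called by default)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. The counts are placeholders
# chosen by me, not the real figures from the Pwned Passwords corpus.
CONSTRUCTED_COUNTS = {"qwerty": 1000, "ashley": 500, "samsung": 300, "letmein": 200}


def constructed_fetch(prefix: str) -> str:
    """Build a fake range body containing only the sample passwords whose hash starts with prefix."""
    lines = []
    for pw, count in CONSTRUCTED_COUNTS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    # A real range holds hundreds of unrelated suffixes; one filler line stands in for them.
    lines.append("F" * (40 - PREFIX_LEN) + ":1")
    return "\r\n".join(lines)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG with at least one char of each class."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for pw in ("qwerty", "letmein", generate_password()):
        n = breach_count(pw, constructed_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the constructed sample'}")
```

To check against the real corpus, pass live_fetch instead of constructed_fetch; the only thing the server learns is the five-character prefix, which matches many hundreds of unrelated hashes.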