Guide | How To Password mistakes that increase the chance of getting hacked

The associated guide may contain user-generated or external content.

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
Selecting a secure, unique password is not science, but it can be a frustrating experience for Internet users especially if they don't use a password manager program to assist them in the task.

To make matters worse, there is no clear definition of when a password is considered safe (from brute force or guessing attempts) which means it is up to you to select a minimum character length and character set for your passwords.

Weak passwords are included in every password dictionary list, and good brute force applications take variations into account as well.

The list of "worst passwords of 2015" and "worst passwords of 2014" did not change all that much, and weak passwords like 123456 or password are still found at the top of the list after years of tech sites hammering it into people's brains that these passwords are bad.

There is no excuse for making these password mistakes. All modern browsers support the saving of passwords so that you don't need to remember them, and passwords manager are available in abundance for all devices you can possibly run.

I'm using KeePass for all things passwords, but there are many alternatives out there like LastPass or Sticky Password that you can make use of.

Short and common-word passwords are easy to remember, and that is likely the main reason why they are used by many Internet users.

Even if your password is not on the list of bad passwords of 2015 or previous years, you are not necessarily safe as brute force dictionaries include lists of thousands of passwords that are commonly used.
Passwords that are sequences on the computer keyboard are used often as you only have to look at the keyboard to remember them.

You can be certain that all obvious sequences, as well as repeat sequences, are used by crackers and hackers in brute force attacks.

Not only are the majority found high on "weak passwords" lists, anyone with a keyboard can spot these sequences easily as well.

This includes pattern passwords on mobile devices as well as they follow the same rules.

Examples are 123456, qwerty, 1234567890 or asdfasdf.

Any word that is found in a dictionary is a bad choice for a password, even the ones that are not used a lot in modern days.

The reason is simple: It is easy enough to use a dictionary, say English words, in a brute force attack. Simply run through all words of the dictionary, or the most x-common ones. It takes no time and effort to create these attack list.

Examples are password, private, football, or princess.

Any password that substitutes letters with characters

Some users like to substitute letters with characters to improve password security which is another password mistake. They replace I with 1, O with 0, or e with 3 in hope that it improves the strength of the password.

Since these substitutes are known, or easily identified, it is not improving the strength of the password by much.

Many brute force programs ship with options to use password variations, e.g. substitutions or adding characters like 1 or ! to the end of the password to test these variations as well.

Examples are f00tb@ll, pr1ncess or pa$$word.

Short passwords

This one is obvious. Short passwords are easier to crack as computers have become powerful enough to run attacks quickly on passwords below a certain length. There are simply not enough variations available to make short passwords secure even if special characters are used.

Examples are short, ice or pass.

Pop Culture

Pop culture passwords are popular which is why they are included when it comes to password mistakes. They may include a favorite sports team, your favorite singer or band, or a popular movie character among other things.

It is no coincidence that Solo and Star Wars made the Top 25 worst passwords of 2015 list.

Examples are Broncos, Eminem or DanielCraig.

Keeping default passwords

Hardware and software may ship with default passwords. The router or modem is a prime example, and you often see admin/admin, root/blank or admin/password as the default usernames and passwords for access.

Not changing these immediately can have severe consequences as default passwords are public knowledge as well.

Instead of having to brute force the device or account, an attacker could try default passwords first to see if they have not been changed by the user or admin.

Passwords that exceed a certain length are secure which means that a password likeGNLxypVVoCZDfAvSpiZZuluFySJUCuXe is generally considered secure.

You can increase the complexity of a password by adding numbers, e.g. GVdEwjaTc5N9c1z7khbpSl097xMMcwo3and/or special characters to it like ZoXhEi"C6G"Op6s_oMxHhrf`t/+6-3UU.

Doing so forces the attacker to include all characters in the attack and not only letters (52 if you consider upper and lower case). And if they don't, they will never crack the password using brute force attacks even if they have access to the most powerful machine in the world.

Personal passwords

You may not want to choose passwords that can be linked to you. This includes your license plate or social security number, name of your boyfriend, your favorite football team or the name of your dog or cat.

Social engineering may come into play to get these passwords. It may be as easy as looking at photos that you have published on Facebook (showing your brand new car and its license plate).

Source>>With pictures
 

Rishi

Level 19
Verified
Honorary Member
Top Poster
Well-known
Dec 3, 2015
938
It's better to use a complex password(minimum 8) with the alpha-numerics and special symbols included to make it the hardest for any kind of bruteforcing/dictionary attacks, best using a password generator which is included in so many daily utilities and saving them preferably in an offline encrypted data vault/manager(AES-256) and changing them as often as possible.

Another approach can be using password cards(thanks to @Huracan for the suggestion)
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
I use at least 14 digits these days, back in early days my passwords were very weak. I must admit to not changing them very often though. My bad. :D
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Same issue circulated every year, use random generator to solve it if you are having difficulties to create unique passwords.

Password Managers are definitely useful nowadays unlike write on a piece of paper that can be tear; misplace and damage it.
 
  • Like
Reactions: scot and frogboy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top