A few weeks ago, the team at security.org put together a report titled “America’s Password Habits 2020”. They asked 750 Americans about their password strategies and other security habits, and the results were, well… discouraging. (That is, if you aren’t a hacker by trade. In which case the results would be thrilling.)
Where we store our passwords
In terms of storage habits, the largest share of those surveyed said they relied on memory to keep track of their passwords. Finishing at a strong 2nd, people admitted to writing their passwords down in a physical notebook. (I will confess to having done this in the past as well. I think sometimes “old school” ways just feel so comfortably uncomplicated. And safer – even if that may not necessarily be true.)
Experts have long said that password manager apps are vital to making computer and network credentials more secure. But while respondents seemed to agree that password managers are the best method, few said they actually use one. In fact, only a mere 12% of that group do.
And yes, the good old-fashioned sticky-note-on-the-monitor method actually made the list:
How we choose our passwords
When it comes to selecting passwords, we don’t fare much better in our security habits. A full 45% of those surveyed had passwords that were 8 characters or fewer. In fact, 16% had passwords of 7 characters or fewer. According to security.org’s password strength checker, the most popular password, “123456”, would be cracked instantly by a computer. (I simply can’t believe anyone at all uses that as a password, and yet, once again, it was the MOST popular password in this group!) Even a more complex 6-character password containing a random mix of symbols, numbers and letters would take a computer only 17 seconds to crack.
Common choices such as children, pet and spouse names, birthdates, graduation dates, school names and users’ own first or last names still make their way into people’s passwords. Current events also continue to dominate: COVID, Trump, Biden were common inclusions in this year’s password choices in the United States. Interestingly, the most common passwords of 2020 included curse words. (Yes, it’s been quite a year. Believe me, I get it. But the problem is, so do the *&%$#@^ hackers.)
The 6 habits of highly ineffective passwords
So here we go. Since so many of us are doing it all wrong, it’s time to break some of these bad password habits:
1) Password is too short. When it comes to overcoming automated password-cracking techniques, longer is better. And much longer is much better. The pros tell us that 8 characters should be the absolute minimum length.
2) Password is too simple. A password needs to be complex enough that it can’t be easily guessed. “Password”, “12345”, “QWERTY”, “admin”, and “secret”? A huge NO. Hackers figured these common ones out ages ago and continue to find success simply by guessing them. It’s time to use your imagination. Be creative.
3) Password is too obvious. Due to the many personal information breaches over the last few years, hackers already have lists and lists of people’s personal information. Not to mention the more public information they can glean from social media or other parts of the internet. Names, street addresses, spouse’s names, birthdates, high school and college graduation dates. You want to make their job harder by avoiding these easily found names, dates and places.
4) Password is too topical. It is a bad habit to use words or expressions that reflect current events. Case in point: Donald Trump’s Twitter account was hacked recently by a Dutch researcher who correctly guessed his password was “MAGA2020!”. So things like “CovidSucks” or “2020isTerrible” might not be the best choices. (Unless you can find ways to make them more complicated by mixing in unrelated characters, numbers or words.)
5) Sharing our passwords. I mean, does the problem with this one really need to be spelled out? Nonetheless, we’ve probably all been guilty of doing this at one time or other. I certainly have. Your colleague needs access to information at work for an urgent task. You are the only one with the password and you are out of the office for the next few hours. Well… I guess it can’t hurt this one time. And while it usually doesn’t, security experts stress that password-sharing at ANY level is a terrible habit to get into. After all, all it takes is for one “loose” password to make the rounds, and by definition it is no longer private. If you have to share a password because of an urgent situation, be sure to change it as soon as possible afterward.
6) Relying solely on memory. Some of us may wish to believe otherwise, but we are all only human. We are fallible. The vast majority of us do not have photographic memories. So if nearly 37% of us are using memory as our method of password-keeping, that means we are also having to come up with ways to ease that burden: We re-use the exact same passwords for multiple accounts, or use some sort of pattern for passwords (e.g., dogsname1, dogsname2, dogsname3, and so on). Either of those choices makes it much easier for attackers to use one stolen password to gain access to multiple accounts and increase damage exponentially.
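To make the six habits concrete, here is a small checker that flags habits 1 through 4, plus the reuse and numbered-pattern behaviour from habit 6 (sharing, habit 5, is not something a password itself can reveal). This is an added example, not code from security.org or the report; the common-password and topical word lists are assumptions constructed from the post’s own examples.

```python
import re

# Constructed word lists for this example; a real checker would load the
# organisation's own policy list or a breach-derived common-password list.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "admin", "secret"}
TOPICAL_WORDS = {"covid", "trump", "biden", "maga", "2020"}
MIN_LENGTH = 8  # the "absolute minimum" the post quotes

def _normalize(text):
    """Lower-case and keep only letters and digits: 'Pass-Word!' -> 'password'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _stem(text):
    """Drop a trailing run of digits: 'dogsname3' -> 'dogsname'."""
    return re.sub(r"\d+$", "", _normalize(text))

def password_findings(password, personal_info=(), existing=()):
    """Return the ineffective habits a candidate password exhibits.
    personal_info: names, dates and places tied to the user (habit 3).
    existing: the user's other current passwords, to catch reuse and
              numbered variants such as dogsname1, dogsname2 (habit 6)."""
    findings = []
    norm = _normalize(password)
    # Habit 1: too short.
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    # Habit 2: too simple -- on the well-known guess list, or built from a
    # single character class (only digits, only lower-case letters, ...).
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if norm in COMMON_PASSWORDS or classes < 2:
        findings.append("too simple")
    # Habit 3: too obvious -- contains a name, date or place tied to the user.
    if any(len(tok) >= 3 and tok in norm for tok in map(_normalize, personal_info)):
        findings.append("too obvious")
    # Habit 4: too topical -- built around a current-events word.
    if any(word in norm for word in TOPICAL_WORDS):
        findings.append("too topical")
    # Habit 6: exact reuse, or a numbered variant of an existing password.
    if norm in map(_normalize, existing):
        findings.append("reused")
    elif _stem(password) and _stem(password) in map(_stem, existing):
        findings.append("numbered pattern")
    return findings
```

An empty result means none of the checkable habits were found; it is a floor, not a guarantee, so a password manager generating long random passwords is still the better route.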
Play the game
In the end, the password game is a strategic one: You need to devise the best way to keep the bad guys from figuring it out. Not only come up with something quirky and relatively complicated for each and every password, but also a secure way to remember them (or better yet, have them remembered for you). Ultimately, a strong, unique password — or even better, a meaningless but memorable passphrase — coupled with a password manager and an additional security method, like two-factor authentication (2FA) is your best bet. So let’s get going: Vow to break those bad password habits starting today!