Maybe you’re thinking – there’s nothing wrong with passwords, it’s the lack of education that causes problems. However, the lack of knowledge may not be the problem after all.

People hate password rules

Computer passwords were invented back in the ‘60s. The inventor himself, Fernando Corbato, calls them ‘a nightmare,’ and adds: ‘I don’t think anybody can possibly remember all the passwords that are issued or set up.’

Research shows that internet users are well aware of so-called password hygiene but do nothing to change their habits. People are told that, for example, ‘123456’ is the easiest prey for all sorts of nefarious parties, yet in 2017 it still topped the list of the most popular passwords.

It gets worse. Only 55% of users would update their password if that account had been hacked. Besides, users tend to reuse the same passwords on multiple sites.

One may assume that users know what’s right, but they hate password rules. Moreover, when attackers know a site’s password rules in advance, the rules actually help them.

On the other hand, most services don’t encourage their users to get funky. For example, they allow the use of weak passwords, instead of keeping them out of their systems.

Other services try too hard. There’s even a ‘blacklist’ of companies with idiotic password rules. Do they actually think these rules work and encourage users to be proactive about their cybersecurity? I strongly doubt it.

Crackers love passwords

Every time you choose a password from the list of the most popular (and weak) passwords, there’s a snooper somewhere thanking you for it. Good ol’ brute force attacks usually do the deed: they are enough to find most people’s passwords.

Passwords are valuable. Hackers can get much more out of a breach if the system (or service, or app) ‘thinks’ they belong there: if they have your password, chances are, they can get more of your personal information.

Snoopers find cracks and flaws in services and use them to steal your passwords. Take the very recent Facebook hack scandal, the biggest security breach in its history, with over 50 million victims. The attackers exploited 3 separate vulnerabilities in Facebook’s code.

And that’s not all. Password crackers have been getting more sophisticated day by day; ‘hashcat’ is only one example.

Did you know that even if you use a VPN but log in with password1234, your account can still be breached? I know you hate password rules, but just as a reminder, here is what Surfshark’s technologists recommend:

  • Get creative. Since most modern password crackers can take dictionary words and permute them, a much better solution is to use passphrases, i.e., several words separated by spaces or punctuation symbols
  • 2FA is a good choice, but try selecting options other than SMS
  • Use a password manager. Instead of remembering tons of different difficult passwords, remember the ‘master’ one for the manager and let it retain the rest
  • Pay extra attention to the accounts which hold sensitive information (like bank credentials, personal photos, etc.)

Other passwords you should NOT use:

Password, 1234567, qwerty, 1234, 12345678, letmein, 123456, football, iloveyou, admin, welcome, monkey, login, abc123, starwars, 123123, dragon, passw0rd, master, hello, freedom, whatever, qazwsx, trustno1. These passwords are in the attackers’ databases; they are the first choice of every cyber attack.
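The two practical controls above, a denylist of known-bad passwords (the list this article gives) and length-based rules that welcome passphrases instead of forcing character-class rules, are straightforward for a service to enforce server-side, which is the fix for services that ‘allow the use of weak passwords instead of keeping them out’. The following Python is an added example, not Surfshark’s code: the denylist is constructed from the passwords named in this article plus the password1234 example, and the minimum and maximum lengths, the ‘leet’ substitution table and the trailing-suffix stripping are assumptions.

```python
"""Server-side password screening: reject known-weak passwords and reward
length (passphrases) rather than imposing composition rules.
Added example in the spirit of the article's advice; not Surfshark's code."""
import re
import unicodedata

# Constructed denylist: the common passwords the article names, plus
# "password1234". A real service would load a large breach-derived list.
COMMON_PASSWORDS = frozenset({
    "password", "1234567", "qwerty", "1234", "12345678", "letmein", "123456",
    "football", "iloveyou", "admin", "welcome", "monkey", "login", "abc123",
    "starwars", "123123", "dragon", "passw0rd", "master", "hello", "freedom",
    "whatever", "qazwsx", "trustno1", "password1234",
})

MIN_LENGTH = 12   # assumption: long enough that a short word plus digits fails
MAX_LENGTH = 128  # assumption: bound the input before it reaches the hash

# Assumed "leet" table: undo digit/symbol-for-letter swaps so that
# "p@ssw0rd" is judged as "password" (same length on both sides).
_LEET = str.maketrans("0134579@$!", "oieastgasi")
_TRAILING_PUNCT = re.compile(r"[\W_]+$")        # e.g. "dragon!!" -> "dragon"
_TRAILING_ANY = re.compile(r"[\d\W_]+$")        # e.g. "qwerty123" -> "qwerty"


def _variants(candidate):
    """Forms of the candidate that are compared against the denylist.

    Heuristic: lower-case, strip a trailing run of digits/punctuation, and
    undo leet substitutions, so trivial decorations of a listed password
    are still caught. Not a cracker; just a screen for obvious choices.
    """
    base = unicodedata.normalize("NFKC", candidate).strip().lower()
    forms = {base, _TRAILING_PUNCT.sub("", base), _TRAILING_ANY.sub("", base)}
    forms |= {f.translate(_LEET) for f in forms}
    forms.discard("")
    return forms


def check_password(candidate, user_inputs=()):
    """Return a list of rejection reasons; an empty list means accepted.

    user_inputs: account identifiers (username, email local part, ...) that
    the password must not contain.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters; try a passphrase")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if _variants(candidate) & COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    if candidate and len(set(candidate)) == 1:
        reasons.append("a single repeated character")
    lowered = candidate.lower()
    for item in user_inputs:
        item = item.strip().lower()
        if len(item) >= 3 and item in lowered:
            reasons.append(f"contains the account identifier {item!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; the passphrase is the only one accepted.
    samples = [
        ("Password1234", ()),
        ("P@ssw0rd1234", ()),
        ("hunter2", ()),
        ("aaaaaaaaaaaa", ()),
        ("alice-loves-horses-2018", ("alice",)),
        ("correct horse battery staple", ("alice",)),
    ]
    for pw, ids in samples:
        verdict = check_password(pw, ids)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The check runs before hashing and never needs the stored password, so it costs nothing on the login path. Note the asymmetry the article points out: composition rules that users know in advance shrink the attacker’s search space, whereas a denylist plus a length floor removes the worst choices without telling anyone what shape the accepted passwords take.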

Are passwords going away soon?

We’ve been using passwords since the dawn of the internet. Hence, it may be difficult to get used to the alternatives.

Security experts have been arguing whether we should still be using passwords at all and have been developing possible alternatives. For the reasons mentioned above, around 86% of passwords are terrible. On top of that, if a device is infected with malware, passwords don’t matter, however complex they are.

So far there are not many password alternatives which hold promise, and the existing ones are either too costly to implement for universal use or not user-friendly.

As of now, some experts favor biometrics (fingerprints, iris scans, facial recognition). Biometrics don’t require users to remember tons of passwords (which we all hate) or carry physical tokens. On the other hand, once your biometrics get hacked or stolen, they can’t be easily changed.

For instance, pictures from users’ Facebook profiles can be used to fool facial recognition, and images taken with standard digital cameras can be used to defeat fingerprint recognition.

Microsoft recently announced that the company is moving away from passwords. Around 800 million people can now use hardware authentication keys, and no password at all, to log on to the Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live.

In conclusion, as insecure as passwords are, they are not going away very soon. Until we find methods to secure authentication entirely, our personal information is vulnerable to all kinds of breaches. The best we can do is honestly follow at least the basic password rules. Also, if possible, don’t spread your sensitive information in all directions on the internet.

This article was originally published: October 26, 2018

Updated: November 22, 2018

What is your opinion on passwords – what method do you think would most likely take over their place?