
Size Matters! (When It Comes to Passwords)

The results are in for last year's most common passwords. The implications are depressing.
Evolution of passwords.
(Image: ChatGPT)

Take any password you think is strong and make it stronger.

Seriously. There’s a good chance that what you think is strong isn’t, or it won’t be in the near future.

Unfortunately, many people do the exact opposite, opting for some of the worst passwords you can think of. Don’t do that.


TL;DR:

Make passwords stronger

  • Regular reports of the most popular passwords remain very disheartening.
  • Length trumps everything.
  • Long passwords don’t have to be hard.
  • Password managers make long, strong passwords easy to deal with.
  • Take the time to replace your weak passwords.

And the most popular password is…

According to NordPass’s Top 200 Most Common Passwords, the top five are:

  1. 123456
  2. 123456789
  3. 12345678
  4. password
  5. qwerty123

The rest of the list is more diverse but just as obvious, including passwords like “iloveyou”, “qwerty”, “charlie”, “donald”, and many more horrific choices.

Not only are they simple, easy to guess, and clearly on the list of the very first passwords hackers try, but they also suffer from the greatest sin of all, in my opinion.

They’re short.

Length matters most

When it comes to passwords, length trumps everything. For example, let’s take that #1 offender above.

123456

A six-character password. Ugh. But adding a simple pattern to turn it into a 20-character password makes it a pretty reasonable choice.

****** 123456 ******

All I did was add six asterisks before and after, separated by a space on each side. And yes, as simple as that pattern appears to be, it’s a strong password. Much stronger than 123456 and just as easy to remember. (Caveat: it’s a weaker password because I just published it here as an example. Don’t use this exact password; use it as an example of a simple technique to lengthen otherwise poor passwords.)

Today, your goal should be 12 characters at a bare minimum, but preferably something like 16 or more. Using a password manager makes it trivial to use lengthy passwords. Personally, I’ve standardized on 20-character passwords.

Again, length trumps everything.

Long doesn’t have to mean hard

I’ll admit that throwing asterisks before and after a password doesn’t feel secure, even though it is. It just doesn’t feel like we did enough work. (Smile)

But to build on perhaps the most quoted XKCD comic of all time — Correct Horse Battery Staple[1] — combining unrelated words can be both strong and memorable.

I recently set up an account for a friend and did exactly that. When it came time to generate a password, I looked around my desk, picked three random items I saw, combined them with a fourth item this friend and I had in common, and — poof — a password that was long, strong, and easy to remember.

Here’s a different example using that technique.

SpeakerCoffeeMixerFacebook

That’s a 26-character password. If you need special characters, add spaces or an exclamation point in what, for you, might be a “standard” location, such as at the end or after the first word.

Password managers make it even easier

As easy as that password is to create, and as memorable as it may be, if you have a lot of different passwords (and who doesn’t), it can be difficult to keep ’em all straight. Enter the password manager, which remembers them for you. That way, you only have to remember one password of the long and memorable variety, and the password manager does the rest.

Because I use a password manager (1Password), I don’t bother combining words for most of my passwords. I go all-in and let the secure password generator do the trick. For example, most of my passwords look like this:

xMpba3HxDFvKk73mrAfA

That’s 20 characters of completely random alphanumeric data. If I need a special character, I’ll throw one in somewhere, making it a 21-character password.

I can’t tell you any of my passwords except the one to my password vault.
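To put numbers behind the “length trumps everything” argument and the two ways of building long passwords described above (unrelated words, or a manager’s random string), here is an added example that is not part of the original article. It estimates the brute-force search space of each password shown on this page from its length and character classes, and generates both kinds of password with a cryptographic random source; the class sizes and the 2048-word list size (the XKCD figure) are assumptions, not anything the article specifies.

```python
import math
import secrets
import string

# Assumed character-class sizes for the brute-force estimate. "symbols" is all
# ASCII punctuation plus the space character (32 + 1 = 33).
CLASS_SIZES = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "symbols": len(string.punctuation) + 1,
}


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet that contains every character."""
    size = 0
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digits"]
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c in string.punctuation or c == " " for c in password):
        size += CLASS_SIZES["symbols"]
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the search space for an attacker who knows only length and classes."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a list of list_size words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_list, word_count=4, sep=""):
    """Correct-horse-style passphrase: unrelated words picked with a CSPRNG."""
    return sep.join(secrets.choice(word_list).capitalize() for _ in range(word_count))


def generate_random(length=20, alphabet=string.ascii_letters + string.digits):
    """Manager-style random alphanumeric password, like the 20-character example."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["123456", "****** 123456 ******",
               "SpeakerCoffeeMixerFacebook", "xMpba3HxDFvKk73mrAfA"]:
        print(f"{pw!r:32} {len(pw):2d} chars  {brute_force_bits(pw):6.1f} bits")
```

The brute-force figure is an upper bound: pattern-aware estimators such as zxcvbn score repeated padding and dictionary words lower, so the padded 123456 example is strong against blind guessing but weaker against an attacker who models common padding habits.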

Do this

I talk about passwords and password strength a lot because, like it or not, passwords will continue to be an important part of your online and account security for some time. Passkeys will eventually replace them, but that’s going to take a long time. Even when you use two-factor authentication — as you should, if it’s offered — you’re still relying on the strength of your password as your first line of defense.

Review your passwords and replace short ones with something longer and more secure: at least 12 characters, but preferably 16 or more.

And if you’re using anything on this list, don’t delay a moment longer. Go change that password now.


Footnotes & References

[1]: Which I did not have to look up — it’s that memorable.
