Constella Intelligence

Passwords: The Good, The Bad, and The Ugly

What is your password? What pattern do you use when you’re forced to update your password? But actually—please don’t answer that. It doesn’t take a security expert to know that the first rule of passwords is that you don’t talk about passwords—especially when a stranger over the internet is asking about yours. And I hope a few of you cringed at “password,” as in a singular password, and “pattern,” implying the use of a base password and rotating in a few characters to create a new password when prompted.

Let’s dive in to better understand why your personal password policy may not be good enough anymore in today’s world of rampant cybercrime and discuss a few hard rules to follow to keep your digital accounts safe.

What’s wrong with having just one password?

If you’re anything like me, you’ve probably keyed your front door, side door and garage door alike, so that one physical key opens all three doors. For most people, that makes enough sense—no need to inconvenience yourself with multiple keys, and it’s not like you wrote your home address on your key, so if you did lose it, there’s almost no chance anyone would know which lock the key opens, and they can’t exactly walk to every house on the block and test door locks. And so why not apply this same logic to passwords? If someone finds out my password, they don’t know on which sites I have accounts, so it makes no difference, right?

Wrong.

Data breaches are rampant these days, and credential pairs are among the most widely exploited data attributes out there. A credential pair—a username (usually your email address) and its password—is like a key with your home address written on it. With the magic of the Internet and some rudimentary tech skills, a hacker can throw your username and password against hundreds of websites (a technique known as credential stuffing) and, in a matter of minutes, figure out exactly where you do have internet accounts and which ones your password unlocks. Worse, if your exposed password gives the hacker access to your email account, they can find out exactly where you have internet accounts from the mail in your inbox, and then use that inbox to click password reset links.

Having one password is not good enough. And don’t even think about tacking a numeral or symbol onto your standard password and calling it good. What’s the difference between “password”, “p@$$w0rd”, “password1” and “(pass)Word@1957!”? To a computer, a few milliseconds of compute time. As cybercriminals have become more sophisticated, so has their software. Password-cracking tools apply “mangling rules” that generate dozens of variations of any password of yours found online: substituting numbers and symbols for letters, incrementing a number at the end, or trying alternate spellings. So if you thought you were being clever by using “password2022” on one site and “password2021” on another, and that it would be too cumbersome for a hacker to guess, you may be surprised to learn that a hacker’s laptop did all the heavy lifting and got into your accounts anyway.
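The defender’s side of this point is that a sign-up form or password-reset page can apply the same normalisation an attacker’s mangling rules do, so that “p@$$w0rd” and “(pass)Word@1957!” are rejected as trivial variants of “password”. The following is an added example, not Constella’s code; the blocklist is a constructed stand-in built from this post’s own top-10 list, where a real deployment would load a large breach-derived corpus.

```python
import re

# Constructed stand-in for a compromised-password corpus: the 2022 top-10
# list from this post plus "blink182", which the post also mentions.
BREACHED = {
    "123456", "qwerty", "password", "iloveyou", "abc123", "qwertyuiop",
    "abcd123", "asdfghjkl", "qwerty123", "onedirection", "blink182",
}

# Common letter-for-symbol swaps, reversed here so p@$$w0rd -> password.
UNLEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                        "0": "o", "1": "i", "!": "i", "3": "e", "7": "t"})


def candidate_forms(pw):
    """Yield progressively more aggressive normalisations of pw, so the
    cheap mangling tricks (case, trailing counters or years, wrapping
    symbols, leetspeak) collapse back onto the base word."""
    lower = pw.lower()
    yield lower
    # Drop the trailing run of digits/symbols: password2022 -> password
    core = re.sub(r"[^a-z]+$", "", lower)
    yield core
    # Drop every remaining non-letter: (pass)word -> password
    yield re.sub(r"[^a-z]", "", core)
    # Undo leetspeak first, then drop leftovers: p@$$w0rd -> password
    yield re.sub(r"[^a-z]", "", core.translate(UNLEET))


def breached_base(pw, blocklist=BREACHED):
    """Return the blocklisted base word that pw is a trivial variant of,
    or None when no normalised form of pw is on the list."""
    for form in candidate_forms(pw):
        if form and form in blocklist:
            return form
    return None


if __name__ == "__main__":
    # The four "different" passwords from the post all reduce to one base word.
    for pw in ["password", "p@$$w0rd", "password1", "(pass)Word@1957!",
               "password2022", "Tr0ub4dor&3", "correct horse battery staple"]:
        verdict = breached_base(pw)
        print(f"{pw!r:34} -> {'REJECT (variant of %r)' % verdict if verdict else 'ok'}")
```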

Keon Ramezani

Sales Engineer

Moving Past Conventional Wisdom

Years ago, you may have been required to take security awareness training that encouraged you to include symbols, numbers, and mixed-case letters in your passwords for added safety. In fact, most sites today still require you to create passwords that fit the aforementioned criteria. And let’s not forget how it was drilled into our heads not to use pets’ names, birthdays, anniversaries, hobbies and the like as a basis for your passwords. The thinking at the time was that if you were targeted directly, your attacker could use readily available information about your hobbies and interests to significantly improve the odds of guessing your passwords.

Unfortunately, what made sense back then is far less relevant today. Of course, you should still avoid creating a password around your dog’s name or your wedding anniversary—but that is more likely to keep your friend from pranking you than it is to deter a hacker. As technology has progressed and allowed for significant improvements in software automation, hackers don’t have to learn about your hobbies and interests to break into your online accounts. Instead, they’re leveraging your personal data exposed in a breach to access many of your online accounts in a fraction of the time. And thanks to automation, they’re doing this to millions of people at the same time.

Hackers play the numbers game. Long gone are the days when a malicious actor would find your MySpace page, find a picture of your dog, zoom in to read his name on his ID tag, find a picture of you playing soccer wearing jersey #25, and piece together that your password is “SoccerSpot25”. That’s valuable time spent guessing your password, perhaps only to find out you didn’t save any credit card information on your online accounts, or you don’t have anything they can easily steal. Instead, today, hackers use software automation to attack thousands of vulnerable people in a few minutes’ time. Even if the majority of those attacks fail, the hacker still wins. If a hacker automates an attack against 10,000 people and successfully steals $1 from 1% of those people in a few minutes, he’s far better off than spending hours to steal $100 from a single victim.

People know better now, right? … Right?

What we’ve discussed so far isn’t exactly cutting edge—contemporary password hygiene has made its rounds, so you’d expect most people to be on board, right? Well, let me answer that by saying that up until recently, Mark Zuckerberg—widely known as a technological genius—used “dadada” for his social media passwords.

Let’s take a look at the evidence that shows us that people, in fact, do not seem to know better—or if they do, they’re certainly not concerned. Below are the top 10 most exposed passwords of 2022, as found by Constella.

1. 123456
2. qwerty
3. password
4. iloveyou
5. abc123
6. qwertyuiop
7. Abcd123
8. asdfghjkl
9. qwerty123
10. onedirection

For years, at least half of these passwords have topped the list of most commonly used passwords, including sequential numbers, adjacent keys on the keyboard, “iloveyou” and, of course, “password”. In 2019, various news outlets reported that among the “most hackable” passwords was “blink182”, named after the Southern California pop-punk band, and urged users to stop using that password. At least some things change, as that one has dropped off our list, but we haven’t abandoned music altogether: this year’s list is rounded off with “onedirection”, named after another popular music group—which is probably still not a good change.

What passwords should I use?

We’ve talked a lot about what not to do—so what should you do to maintain squeaky clean cybersecurity hygiene?

Never Use the Same Password Twice & Use a Password Manager

We discussed above how easy it is for a hacker to take an exposed credential pair of yours and quickly check which sites it unlocks—don’t leave them with that advantage. If you use a unique password for every single site you sign up for, the worst that can come of an exposed password is access to one site. And let it be known, using “password1”, “password2”, “password3”, etc., is not a good way to follow this advice.

It may be difficult to remember which password you used where, but that’s where a password manager comes into play. If set up correctly, password managers can be even easier to use than typing in your quick and simple password. Password managers allow you to use long and complex passwords for every login, change them regularly, and never forget them. A password manager that has a mobile app can be highly advantageous, as it can leverage the biometric function of your cell phone to secure access to your password vault.

Longer Passwords are Better than Short Passwords with Numbers and Symbols

If you’re a fan of web comics, you might have stumbled upon XKCD #936, which reminds us that a password such as “correct horse battery staple” is much more secure than “Tr0ub4dor&3”, and much easier to remember. We discussed how conventional wisdom around password strength is less relevant today—and this is the example that demonstrates it. While it may take quite a while for a human to guess that your password is built around “troubadour” and then guess the appropriate numeral and symbol substitutions, it’s something a computer can do lightning fast. Longer passwords, by contrast, take far more time for a computer to guess exhaustively.

However, keep in mind that many sites’ password requirements are still archaic and only require 8 characters including uppercase, lowercase, numbers and symbols. But fortunately, most of these sites still allow you to create long passwords, as long as you meet their character requirements. While that makes it more challenging for you to set your password to something like “correct horse battery staple”, your password manager will have no challenge remembering a 25-30 character password that contains the requisite uppercase, lowercase, numbers and symbols.
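To put numbers on the comic’s argument, the following added example (not from the post or the comic) works through XKCD #936’s own entropy estimates: 28 bits for “Tr0ub4dor&3” once the attacker knows the recipe, 44 bits for four words drawn from a 2048-word list, and the comic’s assumed rate of 1000 guesses per second. The third row, 25 characters from a 94-symbol printable-ASCII alphabet, is my assumption standing in for the 25-30 character manager-generated password suggested above.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(length, alphabet_size):
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`
    choices: each position multiplies the search space, so bits add up."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size=2048):
    """Four words from a 2048-word list is 4 * 11 = 44 bits (XKCD #936),
    even though the attacker is assumed to know the word list."""
    return random_string_bits(words, wordlist_size)


def mangled_word_bits():
    """XKCD #936's budget for Tr0ub4dor&3: only the free choices count,
    because substitutions, suffixes and case are guessed by rule."""
    budget = {
        "uncommon base word": 16,
        "capitalisation": 1,
        "common substitutions": 3,
        "appended numeral": 3,
        "appended punctuation": 4,
        "numeral/punctuation order": 1,
    }
    return sum(budget.values())  # 28


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility in a 2**bits search space."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1000.0):
    """(bits, years) for the three password styles the post contrasts."""
    rows = {
        "mangled": mangled_word_bits(),              # Tr0ub4dor&3
        "passphrase": passphrase_bits(4),            # correct horse battery staple
        "random25": random_string_bits(25, 94),      # assumed 94 printable ASCII chars
    }
    return {k: (b, years_to_exhaust(b, guesses_per_second)) for k, b in rows.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:11} {bits:6.1f} bits  ~{years:.3g} years at 1000 guesses/s")
```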

Use Multi-Factor Authentication

While this isn’t a tip about your password itself, it’s an added layer of security that’s offered by quite a few websites, and you shouldn’t pass up on it. Multi-factor authentication is an additional security challenge presented after you’ve correctly entered your password. You may recognize this as a text message or email containing a temporary code that you’re asked to enter into the website you’re logging in to. The idea is that the code is sent to your phone or inbox, and ideally a would-be hacker doesn’t have access to those. Other forms of MFA include a small keychain dongle, about the size of a USB drive, that displays a code rotating every 30 seconds, or a secure app that runs on your mobile phone. If given the option, multi-factor authentication through an “authenticator” app is ideal—it is more secure than text message and email, more convenient than carrying around a dongle, and often has features like password-less sign-on.

Subscribe to an Identity Monitoring Service

If you want to have all your bases covered, the peace of mind an identity monitoring service can bring you is tremendous. Should one of your passwords get exposed, you’ll be alerted to that exposure and likely have the opportunity to change that password before a hacker can leverage it against you. As a bonus, if you use an identity monitoring service powered by Constella, you’ll get a lot more than alerts about exposed passwords. Such premier ID monitoring services can alert you to the exposure of personal data such as your Social Security number and help you avoid becoming the victim of various forms of fraud.

Where do I go from here?

Password best practices seem to differ everywhere you go—and to some, the contents of this blog post are old news, and to others, this is devastating, wish-I-had-known-sooner information. If you’re among the latter—you can stop panicking; it’ll be okay. If you’re re-using passwords for different sites, or simple variants of the same password, all you have to do is change them. Take a quick look at the tips above, find a password manager and ID monitoring service you like, and spend an hour or two on a Saturday afternoon to create some new passwords. If you use passwords that appeared on this year’s top-10 list, stop what you’re doing, take a vacation and clear your mind. When you come back, your task is no different than others’: password manager, ID monitoring and a couple hours of changing passwords.

Safe browsing, folks.

If you’re ready to protect your assets, your customers, or employees from the dangers of compromised credentials, request a demo of Constella’s Identity Monitoring solution today.

Deliver new monitoring services to your customers using the Constella Intelligence API.