Why Your 'Secure' Password Will Fail You (And What to Do About It)


NEW YORK (MainStreet) — No, your name or the numbers "1234" are not good passwords — what's easy for you to remember is often the first thing thieves and scammers can find out.

Here's a look at some of the least secure and most commonly used passwords out there and why you're taking a risk every time you take a shortcut.

What makes a password unsecure?

Passwords that are short, don't use a combination of letters and numbers or are common dictionary words are not secure, says Bill Carey, vice president of marketing for password manager RoboForm. Secure passwords are at least eight characters and always contain a mix of upper- and lower-case characters, numbers and symbols.

Trying to create strong passwords can be daunting, Carey says, but there are ways to make them easier to remember.

"You can incorporate symbols and numbers that look like letters, such as "f00tb@l1" instead of 'football,'" he says.

Some of the more commonly used passwords today are shockingly easy to guess, says Adam Levin, chairman and co-founder of Credit.com. These include popular dates, words and easy-to-remember combinations such as "abc123."

"While your birthday might be easy to remember, it makes you an easy target," Levin says. "With oversharing on social media, hackers can glean this information and brute force their way into your account."

Using the word "password" may sound ridiculous, but it still remains a popular entry key, Levin says.

"You may as well just hand an identity thief the key to your house and your wallet," he says.

Hackers today are not only much more advanced but also have much better technology at their disposal than ever before, says Hector Hoyos, founder and CEO of Hoyos Labs, a digital infrastructure security company.

"They can hack passwords in multiple ways and do it faster than most people can imagine. Some hackers use phishing scams, while others use key loggers that track what people type into their computers. There are even hackers who merely rely on educated guesses that are based on a person's public, online life," he says.

Even if your password isn't "123456," hackers can find out your mother's maiden name, the name of a pet, or the high school you attended through social media and get past your security questions, Hoyos cautions.

What are the real dangers of having my password compromised?

It all depends on the website account you are protecting with your password, Carey says. If you are using a general site for customized news, there's not much danger if someone hacks into your account. The hacker may be able to delete or rearrange your news, but you can easily recover from that.

"However, using weak passwords on banking, investment or other accounts where you save sensitive information can pose serious danger leading to lost money and identity theft," he says.

Once hackers crack a password, they have access to a person's digital life, Hoyos says. Most people have 26 active online accounts that require log-ins, from bank accounts to social media profiles and retail accounts. People generally have only five unique passwords for all of these accounts, though.

"This means that the chances of a hacker gaining access to more than one personal account via one cracked password is very high," Hoyos says. "From there, hackers can access bank accounts, financial documents, personal photos, medical records, emails and other private material."

In 2014 alone, there were 10 million instances of identity theft in which a large percentage was attributed to password hacking, he says. 

Today there are more hackers than ever, warns Marc Boroditsky, president and chief operating officer at two-factor authentication security solution Authy.

"The nature of hacking is changing," he says. "Cybercrimes in general are migrating to the login. This has become one of the easiest areas to hack as other parts of the corporate systems have been fortified."

If you don't give your password out to anyone, what are the chances a scammer could actually guess it?

The vast majority of hacking occurs through brute force hacking attempts, meaning a computer is set up to continually guess your password until the program gets it correct, Carey explains.

"While we recommend that you don't tell others your password, not telling someone your password alone is not necessarily going to keep you safe online," he says.

Today the rate of hackers targeting individuals is higher than ever, Hoyos says.

"Hackers prey on individuals, because their data security is much weaker and easier to infiltrate [than that of a corporation]," he says. "They can then either use a person's information for their own gain or sell it to the highest bidder."

I can't remember 20 passwords. Do I really need a different one for everything?

It's tempting to just keep things simple and have a master password. 

"I would say that's a bad practice," Carey says. "As we've seen in recent high profile data security breaches such as Home Depot and Target, companies are not always able to protect your passwords and other sensitive information. Users need to take more personal responsibility for their passwords in order to protect themselves online."

Having one password for all of your online accounts is equivalent to having one key for your house, car, safety deposit box and office, Hoyos cautions.

"If the wrong person finds it, he or she would have access to everything that matters to you, and that is most important and personal to you."

With just one password, if even one site is compromised, you're suddenly at risk across multiple channels.

"Even an old job search site account you haven't used in years would open you up to hacking in your current sites," Boroditsky says. "While the best scenario is to have unique, not-easily -guessed passwords for each application, at least have unique passwords on each high-risk, high-value application such as email or your financial accounts."

— Written by Kathryn Tuggle for MainStreet

Follow Kathryn on Twitter @KathrynTuggle

Show Comments

Back to Top