Could your passwords be cracked in three minutes?
Cracked passwords represent an existential threat to your online safety. Here’s how to avoid the pitfalls.

From a security perspective, online passwords are often shockingly feeble.
Last year, we wrote about how businesses and service providers were no longer allowed to use the most common passwords on behalf of their customers.
Sadly, the general public haven’t been driven, inspired or incited to similar action.
In their latest annual analysis, digital security specialists NordPass have once again revealed the lack of imagination (or basic effort) invested in domestic passwords.
The most common password used in the UK remains – drum roll please – ‘password’.
Second and third place were taken by ‘qwerty123’ and ‘qwerty1’, followed by ‘123456’.
The current pre-eminence of the city’s titular football team has seen ‘liverpool’ take fifth place, followed by ‘123456789’, ‘password1’ and ‘qwerty’.
(‘Arsenal’, ‘Chelsea’ and ‘Rangers’ also made the top 20 nationally.)
As well as being blindingly obvious choices, these passwords all share the unfortunate attribute that they can be cracked by algorithms within one second.
Needless to say, that’s not the security threshold you should be targeting…
The magic number
Virgin Media and O2 recently employed an ethical hacker to test the online password strength of a group of willing volunteers.
The aim of the test was to see whether someone with the technical knowhow could manually crack customer passwords inside three minutes.
Predictably, many cracked passwords didn’t take anywhere near that long to identify.
Armed only with email addresses, the ethical hacker (also known as a white hat hacker) was able to find publicly available information from historic password data breaches – including many passwords still in use.
He was also able to identify address and phone number data, recent holiday details and other personally identifiable information (PII) which often underpin supposedly secure passwords.
If you’ve used your wedding venue, children’s names or your beloved football team as the basis of passwords, your online security could also be shattered within three minutes.
A cracked password does more damage when the same password (or a very similar variant, like a football team’s name with a 1 after it) is used across multiple accounts.
Criminals able to access one password on a single account can use that as a starting point for brute-force testing numerous other accounts in the hope of also gaining access.
Even people who’ve previously fallen victim to password theft are seemingly happy to reuse potentially compromised passwords in future, according to VMO2’s sobering analysis.
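The weaknesses described above can be screened for when a password is being chosen. The following is an added example, not code from NordPass or VMO2: its blocklist holds only the passwords named in this article (a real check would use a far larger list), and the function names and sample personal details are constructed for illustration.

```python
import re

# Blocklist: only the passwords named in this article (assumption: a real
# deployment would load a much larger list of common and breached passwords).
COMMON = {"password", "qwerty123", "qwerty1", "123456", "liverpool",
          "123456789", "password1", "qwerty", "arsenal", "chelsea", "rangers"}

# Undo common look-alike substitutions (0 for o, 1 for i, @ for a, ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

TRAILING = re.compile(r"[\d\W_]+$")   # digits/symbols tacked on the end
NON_ALNUM = re.compile(r"[\W_]+")     # spaces and punctuation


def simplified_forms(password):
    """Lower-cased password plus forms with suffixes and look-alikes undone."""
    low = password.lower()
    stem = TRAILING.sub("", low)      # 'liverpool1' -> 'liverpool'
    return {low, stem, low.translate(LEET), stem.translate(LEET)} - {""}


def check_password(password, personal=()):
    """Return reasons to reject the password; an empty list means no match.

    `personal` holds details tied to the user (names, venues, teams).
    """
    reasons = []
    forms = simplified_forms(password)
    if forms & COMMON:
        reasons.append("common password or simple variant of one")
    squeezed = [NON_ALNUM.sub("", f) for f in forms]
    for item in personal:
        token = NON_ALNUM.sub("", item.lower())
        # Ignore very short tokens, which would match by accident.
        if len(token) >= 4 and any(token in s for s in squeezed):
            reasons.append("contains personal detail: " + item)
    return reasons


if __name__ == "__main__":
    details = ["Oliver", "Gretna Green"]          # constructed sample data
    for candidate in ["Password1", "L1verp00l!", "0liver!2015",
                      "GretnaGreen2019", "vT9#qLm2&xRw"]:
        print(candidate, "->", check_password(candidate, details) or "no match")
```

An empty result only means the password is not on this short list and does not contain the supplied details; it does not show that the password is unique to one account or absent from breach data.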
How can I stay safe?
Firstly, avoid using any of the passwords mentioned above – or derivations of them. Even with the added security of an uppercase letter, ‘Password1’ still made NordPass’s top 20.
Secondly, minimise cross-contamination by ensuring you don’t use the same password across multiple accounts, which most of us are guilty of to some extent.
Since the average UK citizen has over a hundred online accounts, you’d need an eidetic memory to instantly recall which of a hundred passwords relates to which account.
Workarounds include adding abbreviated reminders into the Bookmarks saved for each website, or writing down passwords in a notepad to be kept by your main home computer.
(If you’d rather create a digital file like a Notepad document, you’ll have to use abbreviations akin to the bookmarks suggestion in case a hacker accesses your hard drive.)
You could also install and use a password manager, which we’ve previously recommended.
These digital safes require a single (albeit rather complicated) password to be remembered, handling online logins for numerous apps, websites, social media platforms and utilities.
These password managers will use character/number/symbol strings so complex you’d struggle to type them, let alone remember them, making each one fiendishly difficult to hack.
They also work across multiple devices including computers and smartphones, and can potentially store payment data or minimise the stress of two-factor authentication.
A few will even scan the furthermost reaches of the internet to search out cracked passwords, automatically notifying you if data breaches are detected.
Finally, if you’d like to research this topic further, our guide to improving password security explores these and other recommendations in greater depth.