Weak, short, or predictable passwords are easily cracked; use strong, unique combinations and enable advanced authentication for better protection.
One of the biggest drivers of data breaches so far is the use of weak passwords.
According to an analysis of thousands of real-world entries across multiple leaked datasets, experts from Hostinger have identified the most basic password mistakes, and why users keep making them.
The first mistake is using short passwords, as 21.7% of the passwords analyzed were under eight characters: all of them were cracked instantly with the appropriate tools. While short passwords are quicker to type and easier to remember, they are also the first to fall to brute-force attacks. Solution: Make sure passwords are at least 12 characters long, ideally using a phrase or sentence that is unique and easy to recall.
Other basic password hygiene failures
The second mistake is using passwords that look unique but are simply made from a mixture of predictable patterns that are easy to break. People choose familiar word-number combinations, thinking these are safer than generic passwords. However, passwords such as “mybluecare69” can still be broken. Solution: Use a mix of uppercase, lowercase, numbers, and special characters, and avoid common/predictable words or patterns, especially those linked to your personal data that cybercriminals can mine from data breaches.
The third password hygiene mistake is using long passwords that are nevertheless weak. The data analyzed showed that even though some passwords were over 20 characters long, they had a 13% crack rate, nearly the same as much shorter passwords. People assume longer passwords are automatically stronger, but padding a 20-character password with repeated sequences such as “aaaaaaa” or “123123” lowers its security. Solution: Avoid repetition. Variety in structure is just as important as overall length.
Finally, the data showed that a large portion of passwords still in use appear in the top 10 million most-leaked passwords. In the data analysis, 475 passwords matched high-frequency entries from global breach lists. People may not even be aware that their credentials have been compromised. Or, pressed to change passwords regularly, they may revert to old passwords that were once considered safe. Solution: use websites such as “Have I Been Pwned” to regularly check credentials, and avoid reusing any password that appears on a known breach list.
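The four hygiene checks above (length, character variety, predictable word-plus-digits patterns, repeated padding, and presence on a breach list) can be turned into a simple audit. The following is an added example, not code from Hostinger or from the article; the breach list is a constructed stand-in, and the range lookup only emulates offline how a k-anonymity service such as Have I Been Pwned is queried with a SHA-1 prefix.

```python
import hashlib
import re

# Constructed stand-in for a global breach list (a few well-known leaked
# passwords plus the article's "mybluecare69"); not real Have I Been Pwned data.
KNOWN_LEAKED = {"123456", "password", "qwerty", "mybluecare69"}
BREACH_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper() for p in KNOWN_LEAKED}

def range_lookup(prefix: str) -> set[str]:
    """Offline emulation of a k-anonymity 'range' query: the client sends only
    the first 5 hex characters of the SHA-1 and receives every matching suffix,
    so neither the full hash nor the password leaves the client."""
    return {h[5:] for h in BREACH_HASHES if h.startswith(prefix)}

def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])

def longest_repeat(password: str) -> int:
    """Length of the longest span built from one short unit repeated back to back
    ('aaaaaaa' -> 7, '123123' -> 6); catches the long-but-weak padding pattern."""
    return max((m.end() - m.start() for m in re.finditer(r"(.+?)\1+", password)), default=0)

def char_classes(password: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)

def audit(password: str) -> list[str]:
    """Return the hygiene failures found; an empty list means none were detected."""
    issues = []
    if len(password) < 12:
        issues.append("too_short")          # article: aim for at least 12 characters
    if char_classes(password) < 3:
        issues.append("low_variety")        # mix of upper/lower/digits/symbols wanted
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):
        issues.append("word_plus_digits")   # 'mybluecare69'-style predictable pattern
    if longest_repeat(password) >= 6:
        issues.append("repetition")         # 'aaaaaaa' / '123123' padding
    if is_breached(password):
        issues.append("breached")           # present in the (constructed) breach list
    return issues
```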
Beyond basic password hygiene
Other than the basic password hygiene failures uncovered by Hostinger, users need to keep apprised of the latest online identity authentication methods available, and use them for added protection. These include:
- Choosing passwordless and biometric login methods
- Using passphrases and passkeys where possible
- Leveraging an established password manager with an unbroken security record
- Enabling strong second-factor/multi-factor authentication such as app-based or hardware-based authentication, and avoiding SMS-based authentication, which is vulnerable to social engineering
- Regularly reviewing privacy settings and keeping up to date on any new identity authentication or protection features available on every platform being used