The short answer is YES.
Longer answer:
A dark web monitoring company, ID Agent, analyzed over 3 million stolen passwords for sale on the dark web in 2020 (Link to ID Agent Report). This analysis demonstrates the common characteristics of these weak, stolen passwords:
- People’s names, sports, food, places, animals, and famous people/characters are used as passwords
- 59% used a person’s name or birthday in the password
- 33% based the password upon a pet’s name
- 22% based the password upon their own name
- The average user reuses a bad password 14 times
Side Note:
For those who don’t know, the dark web is the part of the deep web that does not get indexed and can’t be found with a search engine. The only way to connect to the dark web is through a special browser that provides anonymity to the users and websites. This is why cybercriminals use it to sell the items they hacked, such as passwords. What is really appalling is that a hacked social security number (the main item needed in identity theft) costs only $4 – $8 on the dark web.
These most common characteristics of these stolen passwords are the main reason they were stolen. Users use these personal names and numbers to make their passwords so they will be easy to remember, even when they have been told they shouldn’t use such information for their passwords. Most are unaware of just how much using the easy-to-remember data weakens their passwords. It is estimated that a brute force hash attack on an 8-character password drawn from a 96-character set (upper & lower case letters, numbers, and special characters) that was selected randomly will take a robust system 45.2 years to test all possible 6.6 x 10^15 passwords. Turning that 8-character password into a variation of your favorite sport, pet, famous name, or birth date will severely limit the different character possibilities, resulting in only a few possible passwords to test before finding the password. Such a weakened password can be cracked in 15 minutes to 1 hour depending on whether a GPU is used (GPUs calculate hashes faster than CPUs). These times could be drastically shortened if a botnet or supercomputer is used.
Hackers use software (also sold on the dark web) to rapidly test passwords that are just variations of names and dates, and seldom try brute force hash attacks on randomly created passwords unless the prize warrants it. For many users, having passwords that don’t contain names and dates makes their password not worth hacking and keeps their data safe.
Yes, a strong password is necessary. A strong password needs to be at least 10 characters (the more the better), consisting of a 96-character set (upper & lower case letters, numbers, and special characters), randomly selected, and containing no names or date formats. This takes us right back to where we were when we weakened our passwords... how to remember a strong password.
There is a way to make strong passwords easy to remember based upon initialism and it is easy to learn. Initialism is a type of acronym where only the first letter in each word of a phrase is used. Example: CBC for Complete Blood Count.
Here’s how to make a strong password easy to remember using initialism:
Create a sentence about yourself that you will remember that includes numbers and punctuation.
Example: How many cars have I owned? I don’t know! 5 I guess.
Take the first letter of each word, in the case it appears in, and include all numbers and punctuation.
This would yield a password from the Example statement of: HmchhIo?Idk!5Ig.
A strong password that will be easy to remember. Even if you use personal information to make remembering the statement easier, that personal information won’t be disclosed with initialism. So take a little time and make your passwords stronger.
HTH, Drcard:))
HTH, Dana:))
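As an added example (not part of the original answer or its author's code), here is a small Python script that applies the initialism rule from the steps above, checks the result against the strength criteria the answer lists (at least 10 characters, upper and lower case letters, numbers, special characters), and computes the size of the search space for a random password of a given length and character set. The `guesses_per_second` rate used in the demo is an assumed value for illustration only. Note that applying the rule mechanically to the answer's example sentence yields one fewer "h" than the string printed in the answer.

```python
import string

def initialism_password(sentence: str) -> str:
    """Build a password from a sentence: first letter of each word (case kept),
    whole numbers kept, and any trailing punctuation on a word kept."""
    out = []
    for token in sentence.split():
        # Peel trailing punctuation so "owned?" becomes "owned" + "?"
        core = token.rstrip(string.punctuation)
        trailing = token[len(core):]
        if core:
            if core[0].isalpha():
                out.append(core[0])            # first letter, original case
            elif core[0].isdigit():
                digits = ""                    # keep the whole number, e.g. "1998"
                for ch in core:
                    if not ch.isdigit():
                        break
                    digits += ch
                out.append(digits)
        out.append(trailing)
    return "".join(out)

def meets_policy(password: str, min_length: int = 10) -> bool:
    """True if the password satisfies the answer's criteria: minimum length and
    at least one character from each of the four classes."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return len(password) >= min_length and all(
        (has_upper, has_lower, has_digit, has_special)
    )

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    uniformly from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the keyspace, in years."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Example sentence from the answer above
    sentence = "How many cars have I owned? I don't know! 5 I guess."
    pw = initialism_password(sentence)
    print(f"{sentence!r} -> {pw!r}, meets policy: {meets_policy(pw)}")

    # Constructed weak example: a pet name plus a year, no upper case or special chars
    print("fluffy2010 meets policy:", meets_policy("fluffy2010"))

    # Search space for a random 8- and 10-character password over 96 symbols,
    # at an ASSUMED guess rate of 1e9 guesses/second (illustrative only).
    rate = 1e9
    for length in (8, 10):
        print(f"96^{length} = {keyspace(96, length):.3e} passwords, "
              f"{years_to_exhaust(96, length, rate):.2f} years at {rate:.0e}/s")
```

Running the script shows how much the keyspace grows from 8 to 10 characters at the same guess rate, and that a name-plus-year password fails the policy even though it reaches the 10-character length.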