
Strong Passwords—The Cybersecurity Tool that Doesn't Cost a Penny
Most people know: your passwords should be top secret. Nobody should know how to log into any of your accounts.
So, would you be upset if we guessed one of your passwords right now?
Because we're confident in guessing that you use one of the following passwords:
- 123456
- 123456789
- qwerty
- password
- 12345
If your password is on this list, you might feel a little shocked right now. How did this blog know? Have I been hacked? Are they psychic?
Not quite. You don't need a crystal ball to figure out any of these passwords. According to password security company NordPass, those are among the most popular passwords in the world, used by millions of people to secure their email, banking, and other sensitive data. Even if you don't use these passwords, you probably know someone who does.
That said, the above examples are becoming less popular. Many services have password rules that will block a simple password like "abc123". When you try to create a password, you get a message telling you to use capital letters, numbers, and special characters, and you are asked to make it longer than eight characters.
This system has a problem. Everyone follows these rules in exactly the same way, and that makes it easy to guess what they'll do.
Here’s an example you might find familiar...
They say | You enter |
“Please create your password” | password |
“Your password must contain a number” | password1 |
“Your password must contain lower and upper case letters” | Password1 |
“Your password must contain at least one special character” | Password1! |
Don’t cringe if you’ve used something like “Password1!” before; a lot of people have. (There’s even a standup comedy routine about it.)
The fact is... passwords are annoying. It’s hard to think of new passwords. It's even hard to remember your passwords. And, when you're creating a new account you might think, “Is my password even a big deal?”
Yes. It is a very big deal. And it's important to understand why.
2. Why weak passwords are such a bad idea (and could ruin your life)
Your passwords are the keys to your digital life.
Imagine how upset you would be if someone stole your keys. That person could unlock the doors to your home, your car, your business, maybe even your safe or strongbox.
Stolen passwords grant even more power than stolen keys. If a hacker obtains your password, they could access your email, your social media, your bank account—they could take over your whole life. And you might not even know about it until they've done irreparable damage.
(If you hold information about other people, such as customer records or employee files, hackers could ruin those lives too.)
In fact, hackers don't even need to steal your passwords. Sometimes, they can just guess.
Let's say that your locks don't require keys. Instead, you guard your property with a four-digit combination lock.
A patient burglar could open this lock if they had enough time. They would start by trying 0000, then 0001, then 0002, and so on until it opens. That is at most 10,000 attempts.
In cybersecurity, this is known as a brute force attack. Hackers simply keep guessing passwords, like "password1", then "password2", "password3", and so on. Real attackers are a little smarter than the burglar: before counting through every combination they run through lists of leaked and popular passwords, plus the usual variations ("add a 1 and a !"), which is why "Password1!" falls first.
But back to our combination lock. How long do you think it would take to guess the combination if your lock had only a single dial with ten positions?
Five seconds? Maybe less, if the burglar has nimble fingers?
This is what you're doing if you choose a weak password like "abc123". Hackers can try millions of guesses per second, and billions per second with graphics cards against a stolen database of poorly hashed passwords, so they could guess that code in the blink of an eye. Here's a table showing roughly how long it takes to brute force common passwords. The exact figures depend on the attacker's hardware and on how the website stores its passwords, but the pattern is what matters:
Password type | Example | Time to crack |
8 lowercase characters | “password” | <1 second |
8 characters, uppercase and lowercase | “passWORD” | 28 seconds |
10 letters, all lowercase | “mypassword” | 50 seconds |
8 characters including numbers, uppercase, lowercase and special characters | “P@ssW0rd” | 5 minutes |
10 characters including numbers, uppercase, lowercase and special characters | “myP@ssW0rd" | 2 weeks |
Notice the massive difference at the end? Adding just two characters turned five minutes into two weeks. Every extra character multiplies the number of possible passwords by the size of the alphabet (95 for the full set of letters, numbers and symbols), and the attacker has to pay for every one of those combinations.
What about the other extreme? What if our combination lock had a dozen dials? How long would it take to guess the combination for that monstrosity?
Good luck to the person trying to pick that lock.
The digital equivalent of this is a robust password. Here's how long it takes to crack a truly strong password.
Password type | Example | Time to crack |
18 numbers | “123456789098765432” | 6 days |
18 lowercase letters | “hithisismypassword” | 481,000 years |
18 letters with upper and lowercase | “HiThisIsMyPassword” | 126,000,000,000 years |
18 characters including numbers, uppercase, lowercase and special characters | “HiThis1sMyP@ssw0rd” | 26,000,000,000,000 years |
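The two tables above come from a single piece of arithmetic: the number of possible passwords is the alphabet size raised to the password length, and the time to crack is that number divided by how fast the attacker can guess. The script below is an added example (not from the original post) that does the sum for the same password types at two assumed guess rates: a throttled online login form and an offline attack on a stolen, badly hashed database. The rates, and therefore the exact times, are assumptions; they will not match the tables above to the second, but they show why each extra character matters and why "online" and "offline" guessing are different worlds.

```python
import math

# Assumed guess rates for this added example (not figures from the page).
# ONLINE_RATE: a login form throttled by the website, roughly 10 guesses/second.
# OFFLINE_RATE: a stolen password database hashed with a fast algorithm
# (unsalted MD5/SHA-1), attacked on GPUs at roughly 10 billion guesses/second.
ONLINE_RATE = 10
OFFLINE_RATE = 10_000_000_000

# Alphabet sizes for the password types in the tables above.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,  # all printable ASCII
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `charset_size` symbols. Each extra character multiplies
    this by the alphabet size."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """The same quantity as keyspace(), expressed in bits (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def seconds_to_crack(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace. The expected time is half
    of this, since on average the right guess turns up halfway through."""
    return keyspace(length, charset_size) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration the way the tables above do: rounded, largest unit."""
    for name, size in (("year", SECONDS_PER_YEAR), ("day", 86400),
                       ("hour", 3600), ("minute", 60), ("second", 1)):
        if seconds >= size:
            text = f"{seconds / size:,.0f}"
            return f"{text} {name}" if text == "1" else f"{text} {name}s"
    return "under a second"


def report(rows, guesses_per_second: float):
    """Build rows like the page's tables: (example, length, bits, time to crack)."""
    out = []
    for label, length, charset in rows:
        size = CHARSETS[charset]
        out.append((label, length, round(entropy_bits(length, size), 1),
                    humanize(seconds_to_crack(length, size, guesses_per_second))))
    return out


if __name__ == "__main__":
    rows = [  # the examples from the two tables above
        ("password", 8, "lowercase"),
        ("P@ssW0rd", 8, "mixed case + digits + symbols"),
        ("myP@ssW0rd", 10, "mixed case + digits + symbols"),
        ("123456789098765432", 18, "digits"),
        ("hithisismypassword", 18, "lowercase"),
        ("HiThis1sMyP@ssw0rd", 18, "mixed case + digits + symbols"),
    ]
    for rate_name, rate in (("online, throttled", ONLINE_RATE), ("offline, GPU", OFFLINE_RATE)):
        print(f"\n--- {rate_name}: {rate:,} guesses/second ---")
        for label, length, bits, when in report(rows, rate):
            print(f"{label:<22} {length:>2} chars {bits:>6.1f} bits  {when}")
    # The lesson of the first table: two extra full-alphabet characters
    # multiply the attacker's work by 95 * 95 = 9,025.
    print("\n10 vs 8 full-alphabet characters:",
          keyspace(10, 95) // keyspace(8, 95), "times more work")
```

Two things worth noticing when you run it. First, the online column is enormous even for "password", because a website that limits login attempts (and locks accounts or demands MFA after a few failures) forces the attacker down to a crawl; the frightening numbers in the tables are about offline attacks on a stolen database. Second, 16 lowercase letters have a bigger keyspace than 8 characters from the full alphabet, which is the point the passphrase section below makes.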
It's a no-brainer. Strong passwords can make a clear difference to your personal and commercial cybersecurity.
So why do people keep using weak passwords?
As we said at the beginning, it’s because passwords are annoying. And managing passwords is hard. As a result of this, people make mistakes.
3. Five big password mistakes that everyone makes (and why they make them)
We would all love to be more security-conscious, in the same way that we would all like to exercise more and spend more time on our hobbies.
Why don’t we do these things? Because life gets in the way. We’re too busy to go running every morning; we’re too busy to really think about password security.
In cybersecurity, the result is that people make easy-to-avoid password mistakes. Here are some of the more common errors–and the reasons they happen.
1. Picking a weak password
A weak password includes anything too short (“abcd”), too simple (“password”), or too easy to guess (“BobsPassword”).
Your personal details can also be obvious. Sports teams and birthdays are common passwords. Hackers will try things like "GoPackers" or "EaglesSuck" because they often work.
Why do people make this mistake?
Many people worry that they will forget their password if it’s too difficult. And so, they choose something that they know they won’t forget.
It’s also worth mentioning that many people say, “I’ll choose something easy for now and change it later”. Chances are that you won’t get around to changing it, which is why it’s important to start with a strong password.
2. Making your password too strong
A password like “Gy&_s7787ao{8789ggwnKL8” is super secure... but will you remember it?
Unless those characters are somehow meaningful to you, probably not. This creates a temptation to write your password down somewhere, perhaps on a Post-it attached to your monitor. But now someone can obtain your super-secure password by...simply looking at your Post-it note.
Why do people make this mistake?
Some software will force you to choose a complicated password. This can be counterproductive, which is why the US National Institute of Standards and Technology (NIST), whose SP 800-63B guidelines are the reference point for password security, now advises against composition rules of this kind and against forcing people to change passwords on a schedule.
The best cybersecurity system is one that’s easy for users but difficult for hackers. Complicated passwords are difficult for hackers, that’s for sure. But they also make life really difficult for people who just want to log into their accounts, and that's not great either.
3. Reusing the same password
You should never use the same password twice. Each one of your accounts should have a unique password.
In practice, this rarely happens. Who can remember 200 different passwords? A lot of people find one password that works for them, and they use it on every account.
Unfortunately, this creates a kind of digital skeleton key, capable of opening every lock. Hackers only need one password to own your life completely.
Why do people make this mistake?
Because it’s practically impossible to remember dozens of unique passwords. It’s only natural that you might reuse the same password a few times.
(Later in this article, we’ll talk about how to tackle this problem. Spoiler alert: a good password manager can help.)
4. Assuming your password doesn’t matter
This is an extension of the previous problem (too many passwords). You might think, “Okay, I’ll use a really great password for my email and banking. But surely ‘abc123’ is okay for my parking app or a dumb mobile game?"
Why do people make this mistake?
Depressing fact time: Hackers are trying really hard to steal your stuff, and they will exploit a weakness.
A hacker might gain access to a restaurant app that contains your email address and phone number. That's two pieces of information which can be used to build an identity profile. That might make it easier to gain access to another account, containing more information. The hackers will keep going until they have enough details to access something valuable, such as your banking.
Every online account is a weak point. You need to be careful all the time.
5. Sharing your password with others
“Hey, what's your password?”
Those simple words have started fights between many couples. While we’re not qualified to give marriage advice, the cybersecurity advice is unequivocal: Don’t ever tell anyone your password, ever, under any circumstances, regardless of who they are or how nicely they ask.
Seriously. Just don’t.
There are two main reasons for this. One is, obviously, that if you tell someone your password, they can access your stuff. That person may do something you’d rather they didn’t–either by accident or on purpose.
The second reason is a bit more technical. One of the key pillars of cybersecurity is that people should only log into their own accounts. This makes it easier to track who did what, allowing investigators to find the cause of a security breach.
Why do people make this mistake?
Some organizations are set up badly. One person might have access to the stock ordering system. If somebody else needs to order something, they will need that person's password. This creates a vulnerability which could be exploited.
Also, it can be really hard to say no when someone asks for your password, especially if the person asking is your boss. Or spouse.
4. Five good ways to manage passwords
Let’s quickly recap what we’ve covered so far:
- Long passwords are harder to crack than short passwords
- Numbers, special characters and dIfFeReNt cAsEs are even harder to crack
- Passwords shouldn’t be obvious
- Passwords also shouldn’t be too complicated to remember
- Passwords should be unique
- But don’t worry if you can’t remember 200 passwords (no one can)
- Never write your passwords down or share them with other people
Now that we’ve covered the Don’ts, let’s take a look at some of the Do’s of password management.
1. Always use Multi-Factor Authentication
Passwords are just one way of securing your account. There are other options too, and it usually makes sense to use as many options as possible.
Again, think about passwords as the key to your door. Losing the key isn’t so bad if you’ve got other defences, like a deadbolt or CCTV, or a big dog that always barks at the mailman.
So, what other ways can you lock your digital door? Dozens–and we generally break these into three categories:
Something you KNOW
A password is an example of something you know. Other examples include a PIN, personal details (such as your date of birth or Social Security number), or the answer to a security question (e.g., “What’s your mother’s maiden name?”). Bear in mind that personal details and security-question answers are weak examples: they are often public or easy to find out, so they shouldn't be the only thing standing between a stranger and your account.
Something you HAVE
A physical key is an example of something you have. Other examples include security badges or an ID, like a driver’s license. Your phone is also something you have, which is why some websites will send you a security code by text or ask you to approve the login in an authenticator app. A hardware security key (a small USB or NFC device) is the strongest version of this factor, because it only works on the genuine website and can't be tricked by a fake one.
Something you ARE
The technical term here is “biometrics”. Biometrics refers to anything that scans a unique part of your body–for example, your fingerprint. Facial ID and voice recognition are also common biometric checks.
Multi-Factor Authentication will check at least two of these things before allowing you to log in. The most common example is asking for your password (something you know) and a code sent to your phone (something you have). Hackers would need to get both things in order to access your account. One caveat: codes sent by text message can be intercepted by an attacker who takes over your phone number (a "SIM swap"), and any code you type can be captured by a convincing fake login page. An authenticator app is better than text messages, and a hardware security key is better still. But any second factor beats none.
2. Don’t use a password–use a passphrase
Passwords should be long and complicated. This makes it harder for hackers to guess the password just by trying every combination.
However, we sometimes focus too much on complicated passwords. Most websites ask you to include a capital letter, lowercase letters, numbers, special characters, punctuation, name of your first crush, and so on.
Here’s a question, though. Which of these passwords do you think would be faster to guess by brute force:
- Hd6^7s0q
- thisismypassword
Option 1 is very complex and would satisfy most websites. But it’s only eight characters long. Estimated time to crack: 5 minutes.
Option 2 wouldn’t be acceptable. It’s just lowercase letters, no special symbols. But there are sixteen characters, which makes it much harder. Estimated time to crack: 713 years.
What’s amazing is that Option 2 is also very easy to remember. That’s why NIST, the US standards body for this, changed its guidelines and now recommends longer, simpler passwords over forced complexity. A good way to make a long password is to use a phrase and just remove all the spaces. One caveat: an attacker’s wordlists contain famous quotes, song lyrics and phrases like “thisismypassword” too, so the brute-force estimate above flatters it. Pick a phrase that is yours rather than one the whole world knows, or string together a few unrelated words chosen at random.
Remember:
❌ Password=NewY0rk!
✔️ Password=NewYorkNewYorkSoGoodTheyNamedItTwice
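Putting the advice above into practice means two things: generating passphrases whose strength comes from how they were chosen rather than from symbols, and rejecting passwords that are only a common password in disguise ("Password1!", "P@ssW0rd") instead of demanding capital letters and punctuation. The script below is an added example (not from the original post) that does both. The 32-word list, the denylist and the 12-character minimum are constructed assumptions for the example; a real deployment would use a full Diceware-style wordlist and check candidates against a large corpus of breached passwords.

```python
import math
import re
import secrets

# Constructed wordlist for this example. A real Diceware list has 7,776 words;
# the list's size sets the entropy per word: log2(len(WORDLIST)) bits.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "acorn", "bramble", "cedar", "dapple", "fennel", "glacier", "heather",
]
DICEWARE_SIZE = 7776

# Constructed denylist: the page's top five plus the examples from its tables.
# A real deployment checks against a breached-password corpus instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345",
    "abc123", "mypassword", "password1",
}

# Assumed site policy for this example: a length floor and nothing else,
# in the spirit of the NIST advice quoted above.
MIN_LENGTH = 12

# Substitutions people reach for when told to "add a number or symbol".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def generate_passphrase(n_words: int, wordlist=WORDLIST, separator: str = "-") -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets, never random)."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a random passphrase: each word contributes log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)


def candidate_forms(password: str):
    """The shapes an attacker's mangling rules would try: as typed (lowercased),
    with trailing 'Password1!'-style digits and symbols stripped, and with
    leetspeak undone ('P@ssW0rd' -> 'password')."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def check_password(password: str):
    """Return (ok, reason). Rejects common passwords dressed up with the usual
    suffixes or substitutions, then anything shorter than MIN_LENGTH."""
    hits = candidate_forms(password) & COMMON_PASSWORDS
    if hits:
        return False, f"a common password in disguise: {sorted(hits)[0]}"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print("random passphrase:", phrase)
    print(f"entropy with this {len(WORDLIST)}-word list:",
          round(passphrase_entropy_bits(5, len(WORDLIST)), 1), "bits")
    print("entropy with a 7,776-word Diceware list:",
          round(passphrase_entropy_bits(5, DICEWARE_SIZE), 1), "bits")
    print("entropy of 8 random printable ASCII characters:",
          round(8 * math.log2(95), 1), "bits")
    for pw in ["Password1!", "P@ssW0rd", "NewY0rk!", "myP@ssW0rd123", phrase]:
        print(f"{pw!r}: {check_password(pw)}")
```

Five words from a 7,776-word list give about 64.6 bits of entropy, more than 8 characters drawn at random from the full keyboard (about 52.6 bits), and far more than any 8-character password a human would actually choose. The denylist check is what a "user-friendly policy" looks like in code: it never asks for a capital letter or a symbol, but it does catch the pattern from the table at the top of this article.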
3. Create different accounts for everyone and everything
Sharing passwords is always a bad idea. However, it can happen sometimes.
For example, say you run a small business with three employees. While you’re on vacation, there is a stock shortfall. Somebody needs to log in and place a new order ASAP. The easiest thing to do is give them your password.
It’s a bad idea, but what can you do?
Well, what you can do is try to create an account for each person. For example, if you use an online ordering system, you may be able to create individual employee accounts. This offers a number of advantages, including:
- Accountability: You can see exactly who did what and when.
- Permission control: On some systems, you can create Administrators (with lots of power) and Users (with limited power). This allows people to perform actions, but keeps them away from the serious stuff.
- Accessibility: Users can log in when they need to, even if you’re not around to share your password.
And the most important benefit of all…
Password security: Each person has a unique password that’s only known to them. Nobody can log into anyone else’s account.
Take a look at your core business systems and see if you have options to create additional user accounts.
4. Have a user-friendly password policy
Cybersecurity is a serious business, and sometimes requires a little sacrifice. You need to do a little work to ensure that your passwords are safe and secure.
However, cybersecurity shouldn’t be too difficult. When security becomes a headache, people start to find workarounds. The classic example is the intensely long and complicated password… which the user then writes on a Post-It note.
Listen to feedback from everyone on your team and learn more about their pain points. Some of the most common complaints are:
- “We have to change passwords all the time”: Forcing users to change passwords on a schedule (such as every 60 days) feels like it should improve security, but in practice it pushes people toward predictable variations (Summer2024!, then Summer2024!2) and makes passwords harder to remember. NIST now advises against routine forced changes; change a password when there is reason to believe it has been compromised.
- “My MFA doesn’t work”: If possible, set up multiple MFA options. Some people might find it easier to use a text message, others might prefer to use an authenticator app.
- “I have too many passwords”: More passwords means more opportunities for security failure. Look at options such as Single Sign-On (SSO), where staff log into your business apps with one well-protected account, for example their Google or Microsoft account.
Password security is all about balance. You need rules that are tight enough to keep hackers out, but reasonable enough to let users go about their work. Finding that balance can take a little trial and error.
5. Get a password manager
Password managers are tools that store all of your logins in one safe place. When you need to access an app or website, the password manager will automatically enter your password.
Now, this might sound unsafe. Should you put all of your eggs in one basket?
(Your passwords are the eggs in this metaphor.)
And the answer is… it depends.
A password manager offers some real advantages, such as:
✔️ Easy to create a new, unique password for every single website
✔️ You don’t have to remember hundreds of different passwords
✔️ The vault is encrypted with a key derived from your master password, so a stolen copy of the vault is useless to a thief who doesn't have that password
✔️ A lot of password managers support biometric unlock, so you need to provide a fingerprint or face scan before you can use your passwords
But, yes, there is one big disadvantage:
❌ If someone gets into your password manager, you’re toast
The solution is to pick a reputable password manager, give it a master passphrase that is long, unique and used nowhere else, turn on MFA for the manager itself, and then be really careful with it.
You’ve got lots of choices for password managers, including:
- Browser password managers: Your internet browser (such as Chrome, Edge, or Safari) will probably offer to save your passwords. This is convenient, but not the most secure option.
- Operating system password managers: Your phone probably offers to save your passwords as well, synced through your Google account (Android) or iCloud Keychain (iPhone). This can be better than the browser alone, as long as the phone itself is well protected with a strong screen lock.
- Third-party password managers: The best choice is to get a dedicated password manager such as LastPass or 1Password. These solutions are usually not too expensive, they’re easy to integrate with your phone and computer, and they’re built to be as secure as possible.
All in all, password managers are usually the best option for cybersecurity. But think carefully about which password manager you will use, and make sure to keep it safe.
Enterprise security for your small business
Many apps and websites are moving beyond passwords entirely, or wrapping them in stronger checks, with technologies like passkeys, OAuth-based sign-in, adaptive (risk-based) authentication, and zero-trust architecture.
However, the humble password will be a core part of security for a long time to come. A strong password policy is the foundation of a secure business--and it's cheap and easy to get this right.
Simple Cyber Security can help you with this aspect of cybersecurity and so much more. Best of all, our solutions are tailored to companies with limited budgets and IT resources. Fill out the form below and start your journey towards digital security.