News

World "123456" Day!

Andrew Howden
May 6, 2021

World Password Day 2021!

There are many bad passwords, but "123456" holds the accolade for being the worst.

Sites like haveibeenpwned.com let you check whether your email address appears in a known data breach and, separately, whether a password has turned up in leaked data. Built from breach data collected by security researchers, the site currently holds over 11 billion breached accounts, and the password "123456" has been seen over 23 million times! The password check never receives your actual password: your browser hashes it and sends only the first five characters of the hash, so the site cannot tell which password you asked about. Check it out; there has never been a better day.
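As an added example (not code from the original post or from Have I Been Pwned), here is how that "first five characters of the hash" check, the Pwned Passwords range query, works end to end. The request URL format and the SUFFIX:COUNT response format are the service's real ones; the sample response body and its counts are constructed for offline use, and the "123456" hash suffix it contains is the real SHA-1 suffix of that password.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the count, or 0 when the suffix is absent (password never seen)."""
    for line in range_body.splitlines():
        seen_suffix, sep, count = line.strip().partition(":")
        if sep and seen_suffix.upper() == suffix:
            return int(count)
    return 0


def live_fetch(prefix: str) -> str:
    """Query the real service for one hash prefix (needs network access)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=live_fetch) -> int:
    """Times the password appears in Pwned Passwords; only the prefix leaves the machine."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 7C4A8: the real suffix of SHA-1("123456")
# plus two made-up neighbours. The counts are illustrative, not live data.
SAMPLE_RANGES = {
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23500000\r\n"
             "0000F1A2B3C4D5E6F708192A3B4C5D6E7F8:2\r\n"
             "FFFF01234567890ABCDEF01234567890ABC:17\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for live_fetch that serves the constructed sample (empty = no matches)."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("123456", "LazarusHeist2021*"):
        n = breach_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample data")
```

Swap `offline_fetch` for the default `live_fetch` to query the real service. The point of the design is that the server only ever learns a five-character prefix shared by hundreds of hashes, so even a malicious or compromised lookup service cannot recover what you checked.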

Other really bad passwords include anything you have shared about yourself on social media (pet, hobby, sport, etc.), dictionary words in any language, and almost anything that is easy to remember, because what is easy to remember is usually easy to guess.

A better password (as such) is something long (length is the key) that breaks the mould, e.g. "LazarusHeist2021*". My pattern here is a podcast name in mixed case, the year, and a non-alphanumeric character such as one of [@$%&();{#}\¢]. An online estimator puts brute-forcing that at c.166 years; figures like that assume a particular guess rate and an attacker who tries every combination rather than common patterns, but anything that survives 30+ years under a realistic rate is probably fine. Don't reuse a password once it has been published anywhere, including this one. Maybe also consider a password manager; the one built into your browser, e.g. Chrome, will probably do the job nicely.
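To show what sits behind a "years to crack" figure, here is an added example (not from the original post) that works the arithmetic through: the alphabet size implied by a password's character classes, its length, and an assumed attacker guess rate together give the time to try every possibility. The two guess rates are assumptions chosen for illustration; the passwords in the demo are constructed.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Assumed guess rates (per second) for illustration: an offline attack on a leaked
# database of fast, unsalted hashes using GPU hardware, versus an online login
# form that throttles attempts.
OFFLINE_FAST_HASH = 1e10
ONLINE_THROTTLED = 10.0


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover to include every character class used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(charset: int, length: int) -> float:
    """Bits of entropy if every character were chosen uniformly at random."""
    return length * math.log2(charset)


def years_to_exhaust(charset: int, length: int, guesses_per_second: float) -> float:
    """Years to try every string of this length over this alphabet at the given rate."""
    return charset ** length / guesses_per_second / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Summarise the brute-force cost of one password under both attacker models."""
    cs, n = charset_size(password), len(password)
    return {
        "charset": cs,
        "length": n,
        "bits": round(entropy_bits(cs, n), 1),
        "years_offline": years_to_exhaust(cs, n, OFFLINE_FAST_HASH),
        "years_online": years_to_exhaust(cs, n, ONLINE_THROTTLED),
    }


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "LazarusHeist2021*", "correcthorsebatterystaple"):
        r = report(pw)
        print(f"{pw:28} charset={r['charset']:3} len={r['length']:2} bits={r['bits']:5} "
              f"offline={r['years_offline']:.3g}y online={r['years_online']:.3g}y")
```

Two things the numbers make obvious: eight characters from the full keyboard fall to an offline attack in days, while sixteen lower-case letters take longer than recorded history, so length beats symbols. The estimate is also an upper bound. Real crackers start from wordlists and rules, and "name + year + symbol" is a standard rule pattern, so the 166-year figure only holds against an attacker who ignores patterns; on the other hand, a site that hashes with bcrypt or Argon2 cuts the offline rate by several orders of magnitude.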

So, what actually makes a good password? Two passwords! More commonly this is called two-factor authentication (2FA) or multi-factor authentication (MFA). The idea is that you have a sensible password (as above) plus a PIN or code from something physically separate, e.g. your phone, via SMS (text message) or an authenticator app. SMS is the weakest of these, because a text can be intercepted or redirected by someone who hijacks your phone number, so prefer an app or a hardware security key where a site offers one; any second factor is still far better than none. Yes, it takes longer to log in, but that is still a lot less time and hassle than being hacked or having your identity stolen.

Lastly, where possible, having applied the above to your Google, Facebook, Instagram, etc. accounts, use those social logins for other sites rather than creating yet more passwords. Bear in mind that the account you sign in with then becomes the key to everything behind it, so it needs the strongest password and 2FA you have. Of course, also read the relevant privacy policies to check you're not giving too much away in return. On the plus side, every time you read one you'll get quicker next time.

In summary, if you think you should change your password, change it; literally go now. If you need motivation, check out haveibeenpwned.com. Spoiler alert: if you have used the Internet for 5+ years, at least one of your accounts has probably been compromised. Use long passwords if nothing else, and always enable two-factor authentication where possible.

References:
https://haveibeenpwned.com/
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
https://pages.nist.gov/800-63-3/sp800-63b.html