There’s almost no end to the scary facts about how just plain bad most people are at managing their passwords. We bet you’re guilty of at least a few of these missteps.

• The most commonly used password is “123456.” (Yikes!) And there are still plenty of people using “password” for their password — it ranks number four on the list.
• Pet names, birth years, ages and first names are some of the most common password elements. (Though curse words were found to be the most common!)
• 61% of people whose passwords had been hacked were using passwords that were shorter than eight characters.
• One in 10 respondents in a survey admitted they’d been using at least one password since middle or high school.

It’s human nature. We simply aren’t wired to remember long, complex strings of characters — much less dozens and dozens of them. So we create little tricks to make them easy to remember by associating them with a person or a place and repeating them for multiple sites. Sometimes we swap out a digit or add a symbol to change it up, but we’re creatures of habit. And it’s hurting our online security.

However clever we think we’re being with passwords, hackers can make easy work of cracking our codes. Hive Systems tracks the time it takes hackers to get your password, and the results are alarming.

A password of 10 lowercase letters takes a minute to figure out. Throw in some uppercase letters and go up to 11 characters and it will take a month. But if you use a combination of words and mix in symbols and capitalization (like we recommend below), Hive says you can make it trillions of years before they get you.

Graphic Credit: Hive Systems

Go long with passwords

The key to a strong password is length. We recommend using passphrases of 4 or more random words – for example:

• Correct.horse.battery.staple
• twelve!desert?Mean*tumble
• leoparD-hopefuL-Slowly-Peanut

These are very long and relatively easy to remember. They do need to be random words, though — don’t make it a sentence. Be sure to use unique passwords for every site. If your password for IHeartCats.com is the same as your password for your bank’s website, you’ll eventually have a bad day.

For IT staff, we recommend not forcing users to reset their passwords at certain intervals. It might sound counterintuitive, but this recommendation stems from Microsoft’s guidance on the topic.

First, forcing passwords to expire encourages bad password hygiene such as repeating the last password but changing a single character. It’s too easy for criminals to predict. Second, most hackers use compromised credentials immediately, making a monthly or quarterly reset useless.

Use a password manager to help you remember

Today we each have about 100 passwords to keep track of. Back in 2007, people averaged just 6.5 passwords for 25 sites. While more than half of respondents (58%) in one survey said they rely on their memories to manage passwords, the popularity of password managers is growing. Thirty-two percent (32%) in a Security.org survey reported using them in 2023, up from 21% in 2022.

Password managers store all those passwords for you so you don’t have to commit them to memory. But how do you choose? Look for these features:

• Works across all your devices
• Requires multi-factor authentication (texting or emailing a code to confirm it’s you)
• Encrypts your data for the strongest protection

1Password and Dashlane have great track records. And while it might seem handy to let browser-based tools like Google Passwords help you log in, we don’t recommend it. It’s just not secure enough.

Password best practices

For the best protection, follow these rules for password safety:

1. Avoid passwords with personal information in them, including street names, pet names, kids’ or spouse’s names, anniversary dates and birthdays.
2. Use passphrases (as we described above) or extremely long (20+ characters) random passwords saved in a password manager.
3. ALWAYS allow multi-factor authentication (MFA) if a site or app gives you the option.
4. Change a password immediately if you know — or even suspect — it’s been compromised.
5. Use unique passwords for every single site and app.

Get passwords under control in your business

While our advice applies to personal and business use of passwords, it can be overwhelming for businesses with little or no IT staff to set and enforce password policies.

Cenetric can train your team on best practices or implement password management for your network. Our experts are ready to help. Talk to us about your needs and we’ll be in touch quickly.