How safe is your password?

Qwerty. 1234. Ring a bell? We're forced to remember dozens of different codes – so how do you choose a rock-solid one? Rhodri Marsden explains

Passwords have never been that secure. Sentries of old might have considered the requirement for someone to whisper the word "Methuselah" to get past a checkpoint to be pretty damn stringent, but as soon as "Methuselah" was forgotten or passed on (deliberately or inadvertently), they may as well have abandoned the checkpoint and put up a sign saying: "Come on in."

Despite this, the almost laughably antiquated system of password protection has persisted in the internet age, securing our finances, our personal details, and those of slaughter-happy characters we've created in games such as World of Warcraft. These sequences of letters are usually recognisable words that are convenient, easy to remember and, we imagine, impossible to guess. After all, we came up with them unprompted, we didn't write them down, and didn't reveal them to anyone else.

But we're spectacularly unimaginative in our choice of passwords, and despite constant reminders that this represents a security risk, we blithely carry on using them, reassuring ourselves that we haven't been scammed thus far. But that's a bit like wandering blindfolded around busy town centres and saying: "Well, I haven't been hit by a car yet." But passwords will persist, not least because we're hugely resistant to anything more complex.

"They're the least worst in a series of bad options," as one security consultant recently pronounced. Remember our annoyance when British banks started issuing devices such as Barclays' PINsentry to implement a new level of security? We hated the inconvenience, despite them significantly reducing levels of bank-account fraud. We value convenience over security, right up until the point where that security is breached. So Arsenal fans persist in using "arsenal" as a password and deeply resent having to change it, despite the fact that it's one of the most easily guessable passwords they could possibly choose. (Liverpool supporters are just as bad, incidentally.)

Whenever the news features security breaches, from celebrity Twitter accounts to personal data leaks, weak passwords are often to blame. Our laziness in this regard is revealed in statistics that would be hilarious, if the implications weren't so serious. According to data gathered by Mark Burnett, author of the book Perfect Password, 98.8 per cent of us share the same 10,000 passwords. Many online security systems are built to withstand repeated incorrect guesses, but if they aren't, a computer could quickly zip through 10,000 attempts and gain access within a very short space of time.

Nearly one in six people will look at the list below of the top 10 passwords and passcodes and recognise theirs instantly; it seems incredible that "password" is still the most popular password – but it is, with 123456 trailing close behind. "5683" might seem at first glance to be a pretty random passcode or PIN – but it spells out "LOVE" on the keypad, and that's as much of a gift to hackers as the ridiculously common password "iloveyou". These kinds of careless, forehead-slapping mistakes are widespread within companies, too.

So why are our passwords still so predictable? According to Burnett, the common advice we're given – particularly to mix letters and numbers, as "pass123" evidently does – is misguided. "People just aren't as savvy as they think they are," he says. "For example, many people try to be clever with passwords like ncc1701 or thx1138, but these are the ship number for the starship Enterprise and George Lucas's first film respectively, and they're incredibly common. Rather than bothering with how many capitals, numbers, and symbols we have in our passwords, we should be concentrating on making them longer."

There are three ways a password can be compromised. The first is simply to ask us what it is. Social-engineering techniques can persuade us to give it up very easily – for example, via a rogue email purporting to be from a bank. The second is to have a guess, and as we've seen, 10,000 guesses will hit paydirt 98 per cent of the time. The last is brute-force cracking, where all the potential combinations are laboriously worked through until the right one is chanced upon – and that's where the length of password becomes crucial. Pop along to the website howsecureismypassword.net, tap in an eight-character password, and it'll tell you that a desktop PC can guess it in a matter of hours. But extend that to a 12-character password, and we're talking several centuries.

"If your password contains 15 characters or more, it no longer matters how random it is," says Burnett. "It doesn't matter if there is an English word in there somewhere, it doesn't matter how many numbers or symbols you use, it doesn't matter if you use the same letter too much, and it doesn't need to be changed every 30 days." Many techniques for password selection involve mnemonic methods – indeed, that's what I've always tended to do; for example, taking the initial letters of a phrase, "You were only supposed to blow the bloody doors off" will generate "ywostbtbdo".

The other issue that consternates the password-choosing public is the knowledge that the same password shouldn't be used across every website we log into. But the mental energy it takes to retain more than two or three passwords encourages us, once again, to be lazy. Services like 1Password, KeePass and LastPass offer a convenient "remembering" facility, where all you have to do is provide a master password and it does the rest of the work for you. And while LastPass was subject to a hacking attack back in May, Burnett still recommends using such services – with the proviso that the master password is strong, and long. "The LastPass issue shouldn't have affected anyone with a strong enough master password," he says. "Mine is 24 characters long – but there are services like KeePass which keep all the passwords stored on your computer rather than online, so you don't ever lose control of the data."

Will passwords ever become obsolete? You'd hope that an alternative would soon emerge to save us from our own uselessness. Security expert Markus Jakobsson has been working on a system he calls "Fastwords", where passwords are replaced with a combination of three words that you can type in, in any order, to gain access. If you forget your fastwords, prompting you with one of them helps you to remember the other two.

Meanwhile, researchers at the American University of Beirut are engaged in a project called "Optimising Password Security Through Key-Pattern Analysis". This measures the typical time it takes for you to type in your password, calculating the pauses between the keystrokes; it can thus distinguish between the way you enter it, a stranger enters it and a computer enters it. If it senses you're doing the typing, it lets you in.

It's these systems that may provide the solution to computer security, rather than fobs, smartcards or fingerprint readers. "Passwords will never be obsolete," says Burnett. "A smartcard by itself is strong, and a password by itself can be strong, but used together they are much, much stronger." As long as that password you've chosen isn't "password", of course. Consider this to be your umpteenth warning, of what will probably be umpteen more.

Do you use one of the most common codes?

These are currently in the top five passwords in use online. If you use one of these for anything – email, banking, social media – you may as well not have a password at all.

1. password
2. 123456
3. 12345678
4. 1234
5. pussy



And these are the top five iPhone passcodes, representing some 15 per cent of all iPhone passcodes in use today. There's good reason to suppose that this applies to cashcard PIN numbers that people have chosen too; something that isn't based upon a memorable pattern on the keypad might be a better idea.



1. 1234
2. 0000
3. 2580
4. 1111
5. 5555
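
A sign-up check that applies the article's points, as an added example that is not part of the original article: it rejects passwords on a common list, enforces Burnett's 15-character threshold, and flags PINs that repeat a digit, count up or down, run in a straight line across the keypad (2580) or spell a word (5683). The word lists are small constructed samples and every function name is hypothetical.

```python
# Constructed sample deny-list built from passwords the article names; a real
# deployment would load a full common-password list instead (assumption).
COMMON_PASSWORDS = {"password", "123456", "12345678", "1234", "qwerty",
                    "iloveyou", "pass123", "ncc1701", "thx1138", "arsenal"}
# Constructed sample of words people spell on the keypad ("love" -> 5683).
KEYPAD_WORDS = {"love", "baby", "home"}
MIN_LENGTH = 15  # Burnett's threshold quoted in the article

KEYS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
        "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYS.items() for ch in letters}
# (row, column) of each digit on a standard 3x4 phone keypad.
POSITION = {"1": (0, 0), "2": (0, 1), "3": (0, 2), "4": (1, 0), "5": (1, 1),
            "6": (1, 2), "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}


def keypad_digits(word):
    """Digits pressed to spell `word` on a phone keypad."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())


def pin_findings(pin):
    """Return the reasons a numeric PIN is guessable (empty list = none found)."""
    findings = []
    if len(set(pin)) == 1:
        findings.append("single repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        findings.append("sequential digits")
    # Same (row, column) move between every pair of keys = a straight line.
    moves = {(POSITION[b][0] - POSITION[a][0], POSITION[b][1] - POSITION[a][1])
             for a, b in zip(pin, pin[1:])}
    if len(moves) == 1 and moves != {(0, 0)}:
        findings.append("straight line on the keypad")
    if pin in {keypad_digits(w) for w in KEYPAD_WORDS}:
        findings.append("spells a common word on the keypad")
    return findings


def password_findings(password):
    """Return the reasons a password should be rejected at creation time."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.isascii() and password.isdigit():
        findings.extend(pin_findings(password))
    return findings
```

Run against the article's own examples, the mnemonic "ywostbtbdo" is flagged only for length, while the full phrase it was derived from passes.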


