A recent annual report analysed the worst passwords in common use to give us an insight into what people are using, but more to the point what you shouldn't be using.
Account hacking is a real and genuine threat, so making sure you have a safe and secure password for all your accounts is an absolute must. We are constantly told to try and avoid using the same password for everything, but remembering so many different passwords can be a nightmare.
Thankfully, there are software programs and apps out there to handle that task for you and help keep you safe online. But before we get to them, it's worth pointing out the most popular passwords used online, the ones you shouldn't even think about using.
Passwords you shouldn't be using
It seems people still like using "123456" and "password", which occupy the number 1 and 2 slots respectively on the list compiled by SplashData.
Despite pleading from security experts, many of us still use go-to, easy-to-recall passwords for most of our online accounts. In 2016, Gemalto surveyed 9,000 consumers from around the globe, including in the UK and the US, and found that 70 per cent of respondents believe the responsibility for protecting and securing customer data lies with companies (whereas only 30 per cent thought it was up to themselves).
So, it's no surprise that SplashData's annual list of commonly used passwords still contains strings of characters and letters that even the most basic hackers could figure out and use against you.
SplashData estimates almost 10 per cent of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3 per cent of people have used the worst password, 123456. Ouch.
Its list is compiled from the more than 5 million passwords leaked in 2018, presumably from companies such as Yahoo, Starwood and others. Passwords like "123456789", "monkey" and "qwerty" all made an appearance in the top 25 worst passwords found.
Perhaps an ode to the current US President, "donald" featured on the list for the first time at number 23.
The full list of worst passwords:
Many companies have stepped up their efforts to ensure we use strong passwords. Apple automatically now suggests "strong passwords" when any form prompts you to create one, while Microsoft offers several tips on how to choose safe passwords too. It says that a good password should be eight or more characters long, not be your user name, real name, or company name, and, in fact, not contain a complete word at all. It should also be different to passwords used elsewhere and contain at least one each of the following: an upper-case letter, a lower-case letter, a number and a symbol (such as £ or $).
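The rules quoted above are simple enough to check mechanically, and a check like this is what a sign-up form or an internal password policy would run before accepting a new password. The following is an added example written for this article, not code from Apple, Microsoft or SplashData; the blocklist is constructed from the worst passwords named on this page, and its alphabetic entries stand in for the dictionary that a real "no complete word" check would use.

```python
import re

# Constructed blocklist: the worst passwords the article names from the SplashData list.
WORST_PASSWORDS = {"123456", "password", "123456789", "monkey", "qwerty", "donald"}
# The alphabetic entries double as a tiny "complete word" dictionary for the
# no-dictionary-word rule; a real deployment would load a full word list.
COMMON_WORDS = {w for w in WORST_PASSWORDS if w.isalpha()}


def check_password(password, username="", real_name="", company=""):
    """Return a list of policy failures; an empty list means the password passes.

    The rules are the ones quoted in the article: eight or more characters, not
    your user name, real name or company name, not a complete (common) word, and
    at least one upper-case letter, lower-case letter, digit and symbol. The
    worst-passwords blocklist is an addition to those rules.
    """
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")

    for label, value in (("user name", username), ("real name", real_name), ("company name", company)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")

    if lowered in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    elif any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")

    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "Password1!" satisfies every character-class rule yet still fails, because it is built around a complete word; the class rules on their own are a weak filter, and the blocklist and word check are what catch the passwords that actually appear in leaks.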
Apps to protect your passwords
Now we've cleared that up, let us run you through a few of the best we've found to help keep account hackers at bay.
1Password is a password manager. It remembers all your passwords for you, lets you generate passwords, and easily signs you into sites and apps.
Try it now: 1Password
LastPass is available across the vast majority of internet browsers and mobile devices, and can be used on both Windows and Mac. It's installed as an extension in your browser and appears as a button in the browser toolbar so you can quickly and easily manage your LastPass account.
While it will remember all your passwords for all your accounts, it does require you to remember just one master password to log in with, which shouldn't be too hard at all. You'll want to make this password as strong as you can, to prevent anyone from hacking in and stealing all your other passwords.
You save passwords to your 'vault', and you can either add them manually or get LastPass to save them automatically the next time you log in to a particular site or service.
If you want to change one of your current passwords to something different, you can, and LastPass can generate a random sequence of letters and numbers to make your account extra secure. And of course, you won't need to worry about remembering the tricky sequence as LastPass will do that for you.
You can download the mobile app to your device as well, and all your saved passwords will sync across, just as long as you remember that all-important master password. While it will remember passwords for any websites you visit on your mobile device, you'll need to pay a small monthly fee for it to remember passwords for your applications.
You don't just have to save account passwords in LastPass, though. It can also be a place to store notes, Wi-Fi passwords or details of your driving licence, and you can save your debit and credit card details so you can autofill them when you go to buy something online.
KeePass is a free-to-download, open-source password manager for Windows. You can install it on Linux and Mac computers, but you'll need to run it through Mono, an open-source implementation of Microsoft's .NET framework that lets .NET applications run on other platforms.
KeePass works in much the same way as LastPass, storing usernames and passwords for different accounts in an encrypted database file. You can also store notes and other file attachments.
The database of passwords is secured by a master password, key files and/or the current Windows account details, and everything is stored locally on your computer as opposed to in the cloud.
KeePass has a password generator to come up with super secure passwords to use for your different accounts and it supports a vast number of plug-ins, all of which can be seen on KeePass's website.
Because of the slightly more difficult way to install KeePass on Mac and Linux-based systems, we'd say it's only really a worthy contender for Windows users.
Dashlane works in a very similar way to LastPass. It works across various browsers and mobile devices, and can generate passwords of up to 28 characters to make them virtually impossible to guess. Dashlane will monitor the passwords you have saved for all your accounts, and will instantly let you know if any of your accounts are compromised.
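The built-in generators in KeePass and Dashlane described above all do the same job: draw a long password from a cryptographically secure random source rather than from anything a person would think of. The block below is an added example of that technique written for this article, not code from either product. It uses Python's secrets module, guarantees every character class so the result passes typical site rules, and defaults to the 28-character length mentioned for Dashlane; the symbol set is constructed and should be trimmed to whatever a given site accepts.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"  # constructed symbol set; trim it to what a given site accepts


def generate_password(length=28, symbols=SYMBOLS):
    """Generate a random password of the given length.

    Uses the secrets module (the OS CSPRNG) rather than random, and guarantees
    at least one character from each class so the result passes typical rules.
    """
    classes = [LOWER, UPPER, DIGITS, symbols]
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)}")
    # One guaranteed character per class, then fill the rest from the full alphabet.
    chars = [secrets.choice(group) for group in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle so the guaranteed characters do not always sit at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_all_classes(password, symbols=SYMBOLS):
    """Check that every character class is present (what the generator promises)."""
    return (any(c in LOWER for c in password) and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password) and any(c in symbols for c in password))


def entropy_bits(length, alphabet_size=len(LOWER + UPPER + DIGITS + SYMBOLS)):
    """Upper bound on the entropy of a uniformly random password of this length.

    Forcing one character per class removes a tiny fraction of the space, so the
    true figure is marginally lower; this is still the right order of magnitude.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw)):.0f} bits")
```

A 28-character password over this 76-symbol alphabet carries roughly 175 bits of entropy, far beyond what any guessing attack can cover, which is why a manager-generated password only needs to be long and random, never memorable.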
When you first install Dashlane, it will scan the history of any internet browsers you have installed and check for any saved passwords. Whatever it finds it can then import. It's a really handy way to get all your passwords saved instantly, instead of having to remember where you have accounts or manually saving them each time you log in to a new website.
When you log in to Dashlane, you'll need to enter your email address and then a security code that is sent to that email. Once you've put that in, you'll then be asked for your master password.
If any of your saved passwords are old and in need of a refresh, Dashlane can do so at the click of a button. Simply select the passwords you wish to change, press 'change' and they'll be updated and saved with new ones. It can also tell you how safe your current passwords are; in this writer's case, the passwords could definitely do with an update.
Unlike LastPass however, Dashlane can't store passwords for applications on your mobile devices.
There is a Premium tier of Dashlane which gives you unlimited password syncing across all your devices, gives you a secure and encrypted backup of your account in the cloud and allows you to log in to your Dashlane account from any web browser.
Sticky Password is another browser tool that stores your passwords behind a master password, but it can also rely on fingerprint authentication to log you into your account. It's supported across several platforms including iOS, Windows, Mac and Android, and has extensive browser support.
The free tier doesn't let you sync data across your devices; that benefit is reserved for the Premium tier. With it, you can sync your password data to your devices via local Wi-Fi or via the cloud, and you can also save an encrypted backup of your passwords to the cloud if you wish.
If you pay for the Premium tier, a portion of the money goes to help support endangered manatees, so you'll be doing some good, along with keeping your accounts safe.
We prefer the interface of LastPass and Dashlane, but Sticky Password is still easy and simple to use and is a great option for storing all your passwords in one place.
Great general tips for keeping your passwords safe
We have so many accounts for various sites these days and whether it be social media, shopping or email, there seem to be more and more passwords to remember.
These passwords are so important as they protect a significant amount of information about you that you wouldn't want getting into the wrong hands so here are a few tips on making your passwords more secure.
Use different passwords
While it is difficult to remember one password, let alone 10, it is worth trying anyway, because it's better to make sure your passwords aren't all the same.
Create a system that you can easily remember and that uses a base password but adds an element for the site in question, such as PasswordTwitter.
Don't write your passwords down
It's tempting to write your passwords down, especially when you have different ones for different accounts and remembering them all can be a minefield, but don't do this.
Chances are you have several bits of paper near you with various passwords on them; if you do, get rid of them. Equally, if you have them in an email or auto-saved, make sure you have a locked screensaver on your computer, so that if your computer is stolen you haven't handed all of your passwords to the thieves.
Make it hard to guess
Ideally, your passwords should be more than 8 characters long and use a combination of letters and numbers. Some sites force this while others don't, but it's worth using it as a rule of thumb anyway.
You could try spelling out a word and replace the vowels with numbers, take a phrase and use the first letter of each word to create a password or remove some letters from a word such as Facebook.
Other tips for making passwords harder to guess include adding random punctuation, misspelling your word, using two or more words joined by an underscore or hyphen, or using a really long word.
Don't give it out
Not giving it out might seem obvious but that doesn't stop people ignoring this golden rule. You might just be giving it to your partner or friend, asking them to check your email, or you could be passing it on to a colleague for one reason or another.
Whatever the reason, it isn't a good enough one. Passwords should be kept to yourself no matter what.
Change your password regularly
While you should never change your password based on a request from an email or website, it is worth making sure you change your passwords on a regular basis.
One tip for doing this while still remembering what you have changed it to is to add an element to your current password that loops every 12 months or follows a theme.
For example, you could do something like Password1 for January and Password12 for December, and if you change them out of sequence, it will improve the strength of your password.
Keep tabs on your data
As well as ensuring you have a secure password in place and that you're not accidentally leaving yourself exposed, it's worth keeping tabs on your data too.
You can use "Have I been pwned" to keep track of your email addresses. It is a free notification service which will alert you if data linked to your email address(es) is hacked and leaked online. This can be useful for keeping your accounts secured and updating your passwords if necessary.
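Alongside the email alerts, Have I Been Pwned also exposes its Pwned Passwords range search, which lets you check whether a password itself has appeared in a leak without ever sending the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the rest locally against the suffixes the service returns. The block below is an added example of that client-side logic written for this article, not code from the HIBP project. The SHA-1 of "password" is real; the sample response body, its counts and the other suffixes in it are constructed so that the example runs offline, and the live fetcher is included only for readers who want to point it at the real API.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split it into the 5-hex-char prefix sent to HIBP
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse a range response ("SUFFIX:COUNT" per line) and return the count
    for our suffix, or 0 if it is absent."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found == suffix:
            return int(count)
    return 0


def pwned_count(password, fetch_range):
    """Number of times the password appears in HIBP, via a pluggable fetcher."""
    prefix, suffix = split_hash(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real fetcher: GET the range for a prefix from the public API (network required)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the live response so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is
# 5BAA6 and its suffix is the first line below; the counts and the other
# suffixes are made up and do not reflect real HIBP data.
SAMPLE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
0000000000000000000000000000000000A:1
"""


def fetch_range_fake(prefix):
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3x"):
        print(pw, "->", pwned_count(pw, fetch_range_fake))
```

Because a five-character prefix covers hundreds of candidate hashes, the service learns nothing useful about which password was checked; a manager that reports a saved password as "compromised" is doing essentially this lookup on your behalf.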
Use two-factor authentication
Many services, apps and smart home devices offer two-factor authentication (also known as two-step verification), which requires you to input an extra code when you log in. This isn't the same as a password, but is a randomly generated one-time code that's delivered either to your mobile phone via text message or through an app like Google Authenticator.
This sort of system offers an extra layer of security above and beyond a secure password that can make all the difference.
Recent reports show the dangers of not using two-factor authentication where things like smart home security cameras have been hacked giving a terrifying view of people's homes and an invasion of privacy to nefarious parties.
You can use two-factor authentication with all sorts of things, including email itself if you're using Gmail for example. We can't recommend this protection enough.