The password you should never use is “123456”: too weak and easy to hack, as revealed by the study of over 1 billion hacked credentials
The most used password, and the easiest to hack? It is “123456”, at least over the last 5 years. The result emerges from a study of more than 1 billion credentials stolen from corporate sites. The password 123456 appears once in every 142 entries, which means it has been used at least 7 million times.
So if you recognize yourself in this password, you should change it as soon as possible. To keep your accounts safe, the advice is to choose a password that is difficult to guess. This matters especially when the credentials, as in the case of the data dump analyzed, belong to your company accounts and those of your colleagues or employees, whose privacy is at risk. Ideally, choose long passwords containing letters, numbers and special characters, and avoid sequential ones.
Passwords: the most common ones you should never use
The study, published on GitHub, was conducted by Ata Hakçıl, a Turkish computer engineering student at the University of Cyprus. The researcher analyzed the large sample to figure out which passwords were the weakest or most common, and therefore the easiest for a hacker to crack. The sample consists of username and password combinations collected by hackers after breaching company sites. These are data dumps that have been online for over 5 years and have grown as other companies were hacked.
The most surprising finding is that for over 393 million different usernames, just under 169 million distinct passwords are found in the sample, a figure that implies a high rate of repetition and therefore frequent use of passwords that are all too common. In particular, one password alone is repeated 7 million times in the sample: the simple and weak string of sequential digits “123456”.
Another result highlighted by the study is that the average password length is around 9.48 characters. That cannot be considered good, since security experts recommend lengths of at least 16 characters, but it is not bad either when compared to the most common password, which has just 6 characters.
Another very common problem is the lack of complexity: only 12% of the analyzed passwords contain a special character. In 29% of cases users choose passwords made of letters only, while in 13% of cases they are made of numbers only. 26% of the passwords in the sample, then, contain only lowercase characters.
There is also a tendency to end passwords with a number, as happens in 34% of cases, while only 4.5% of users put a number at the beginning. In conclusion, 42% of all passwords included in the sample are vulnerable to hacker attacks because they are too common, as well as too weak.
How to choose a secure password
If you are among those users who choose passwords that are far too simple and common, your accounts are at risk. Any hacker could get in and steal your credentials without particular effort or difficulty. The good news is that fixing this is simple: just follow the few simple guidelines we list here, for a password that is as secure as possible:
- the ideal length of a password is between 16 and 24 characters, but from 10 characters upwards you can already get a good result, and one that is easy to remember;
- use and alternate letters, numbers, special characters, upper case and lower case;
- do not use sequences of numbers or words with a real meaning, because they are easier to guess;
- start the password with a number.
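The statistics reported above (most common password, average length, share with special characters, share ending or starting with a digit) and the guidance in this list can both be turned into a small audit script. The following is an added example, not code from the study or from the article: it computes the study's metrics over a constructed sample of credential pairs and flags passwords that break the article's length, character-mix and sequence rules. The sample, the `COMMON` stand-in list and the threshold values are assumptions chosen for illustration.

```python
import string
from collections import Counter

# Constructed sample of username/password pairs (not from any real dump).
SAMPLE = [
    ("alice", "123456"), ("bob", "123456"), ("carol", "password"),
    ("dave", "Tr0ub4dor&3"), ("erin", "letmein1"), ("frank", "9lives!Cat"),
    ("grace", "123456"), ("heidi", "qwerty"), ("ivan", "Correct-Horse-Battery-7"),
    ("judy", "00000000"),
]
SPECIAL = set(string.punctuation)
# Tiny constructed stand-in for a breach-derived "most common passwords" list.
COMMON = {"123456", "password", "qwerty", "letmein"}

def has_sequence(p, run=4):
    """True if `run` consecutive characters ascend by one code point (123456, abcdef)."""
    return any(all(ord(p[i + j + 1]) - ord(p[i + j]) == 1 for j in range(run - 1))
               for i in range(len(p) - run + 1))

def is_weak(p):
    """Article's guidance: at least 10 chars, at least 3 of 4 character classes,
    no sequential run, and not a well-known common password."""
    classes = sum([any(c.islower() for c in p), any(c.isupper() for c in p),
                   any(c.isdigit() for c in p), any(c in SPECIAL for c in p)])
    return len(p) < 10 or classes < 3 or has_sequence(p) or p.lower() in COMMON

def password_stats(pairs):
    """Compute the same kind of metrics the study reports, over `pairs`."""
    pws = [p for _, p in pairs]
    n = len(pws)
    counts = Counter(pws)
    pct = lambda k: round(100 * k / n, 1)  # percentage of the sample
    return {
        "usernames": len({u for u, _ in pairs}),
        "unique_passwords": len(counts),
        "most_common": counts.most_common(1)[0],          # (password, occurrences)
        "avg_length": round(sum(map(len, pws)) / n, 2),
        "special_pct": pct(sum(any(c in SPECIAL for c in p) for p in pws)),
        "letters_only_pct": pct(sum(p.isalpha() for p in pws)),
        "digits_only_pct": pct(sum(p.isdigit() for p in pws)),
        "lowercase_only_pct": pct(sum(p.isalpha() and p.islower() for p in pws)),
        "ends_digit_pct": pct(sum(p[-1].isdigit() for p in pws)),
        "starts_digit_pct": pct(sum(p[0].isdigit() for p in pws)),
        "weak_pct": pct(sum(is_weak(p) for p in pws)),
    }

if __name__ == "__main__":
    for key, value in password_stats(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Run against a real export of your own organisation's password audit (never a public dump), the `weak_pct` figure is the number to track over time.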
Hacked passwords: where to find them and why they’re useful
Dumps of passwords stolen by hackers have been found online for years, and the sample grows larger over time as new stolen credentials are added. This data is easy to find on the internet, for example on sites like GitHub and GitLab, or even on hacking forums and file-sharing portals.
To check whether your email has been involved in a breach, there are also online sites that collect the various data breaches posted online. One of the most famous and widely used is https://haveibeenpwned.com. Using it is very simple: just open the site, enter your email address and find out whether it has been exposed.
It is not only hackers who benefit from shared data dumps, however, but also large IT companies. Google, Microsoft and Apple, for example, have collected the hacked credentials and used them to improve the suggestions they give users when choosing a password that is as secure as possible, sending an alert message to any user who creates a password considered weak.