It does. And don’t even try to pretend it doesn’t. It's nothing personal. Look around you. All those people? Their passwords suck too. So do mine. So consider this an intervention.
Because it’s obvious
No matter how many times you’ve been warned not to, you probably use your:
- Pet’s name, mother’s name, maiden name, or
- Favorite team, movie, book, song, quote, or
- Date of birth, graduation, child’s birth
- Social Security Number
- One of these champions
- Any of the above with a date or PIN tacked on the end
Or one of a million other obvious choices that are easily searchable on Google.
Because your security question probably gives it away
Yeah, I know. Security questions for resetting passwords suck worse than passwords themselves.
But it doesn’t help that you try to use them as reminders and make your password the answer to “What is your favorite pet’s name?”
There is a better way to reset a forgotten password, and it doesn’t involve just giving it away in your security questions: just set up a master email account that you use only to retrieve passwords.
(And yeah, you're going to want to make sure its password also doesn't suck).
Because you think your password patterns are clever
Stop me if you’ve tried one of these before:
- Stringing along the keys of a keyboard:
- Horizontally: qwertyuiop, asdfdghjkl, 1234567
- Vertically: 1qaz2wsx, 6yhn7ujm
- Shifting your typing one key to the left or right:
- Instead of secret, you get awxewr
- Capitalizing the first letter of every word
- Capitalizing everything:
- GOD FORBID
- Substituting letters with numbers or symbols
- @l50 707@LLY 0R1G1N@L 7H1NK1NG
All these little tricks you use to create randomness? Hate to break it to you, but they only create the illusion of randomness.
Hackers already know them, and they’ve programmed their cracking tools to look for them automatically. They even program them to start hacks with these sequences.
Because it’s short
Even with all those tricks, you’re probably not applying the most important thing about a good password: it is long.
Like 20+ characters long.
Hackers laugh at less.
Because you're using words & sentences
And when you do make your password long, it’s because you string together words. Words than can be found in a dictionary. Dictionaries than can be cycled through by a computer faster than I can write this sentence.
There are an estimated 1,025,000 words in the English language. Do you know how large a text file containing all of those would be? Around 9 MB.
The smartphone you had in 2009 won't sweat crunching those numbers.
To make passwords easier to remember, you also likely have them as a sentence. But this reduces the variables a hacker needs to look for because grammar’s logic is working against you.
Because you’re using it for several accounts
And don’t pretend that you’re not.
At least 55% of you are reusing passwords across different services, and a quarter of you use just one for everything.
Your email, your social media account, your bank account, your taxes … hell, even that one time you needed to sign up to useless.com just to see the cute cat pics your friend linked you to on Facebook.
And since your password already sucks (see above), you’re actively making it suck even more.
Every. Single. Time. You use it for a throwaway account.
And you’re not just making it easier for criminals to go on a shopping spree of fraud and hacks. You’re actively making worse the passwords everyone else uses.
Because you’re not using a password manager
OK, maybe I was a little mean.
Those patterns you were playing with to make your password seem random a few paragraphs back — they don’t work, but at least your heart was in the right place.
There’s only so far you can take randomness without making it super difficult to remember. And we’re still talking just one password, not the army you need for the average of 26 accounts you likely have.
None of that’s really your fault: you’re only human, after all.
But not using the digital brains of a password manager to generate truly long, unique and random passwords, and have it remember all of them for you?
Now, that is your fault.
(And if you’re using your regular sucky password as a master password, then your password still sucks. Your master password deserves better.)
Because even if you are using a great password, you’re probably not using 2-factor authentication
So you’ve generated a dozen truly random passwords, and you followed our rules to make your master password wicked strong. Well done!
…and you knew this was coming...
…they all still suck because they’re still just passwords: a single method of proving—or authenticating—your identity.
No matter how you cut it, two is better than one. Whether you’re using codes sent to you via SMS text messages or an authenticating app, 2-Factor Authentication will make even the suckiest password better than all the above methods combined.
If you aren’t using 2-Factor Authentication, then you should. Now.