Some years ago Nicolas Cage starred in a movie titled “Gone in Sixty Seconds.” Cage played Memphis Raines, a retired master car thief who is forced back into the business. The title tells you how long it takes Memphis Raines to boost a car. Memphis was a master at stealing cars, but he would have to improve his time considerably to get into the password cracking business.

SplashData has just produced its annual list of the worst passwords, and not surprisingly, the two most commonly used passwords are “password” and the ever popular “123456.” I say not surprisingly because the same passwords have topped the list year in and year out. Apparently a significant number of people believe they are impervious to attack, or think they are unlikely to be victimized and are willing to accept the risk, or, for some reason, the possibility of being compromised never even occurs to them.

Of course, there are people who see the folly of simply using “password” or “123456,” so they go the extra inch. SplashData’s sixth annual Worst Passwords report, compiled from more than five million passwords leaked during the year, shows three variations of “password” in regular use, including “passw0rd” and “password1.” People also try to throw off would-be attackers by tacking on extra digits, so “123456” becomes “1234567.” Shockingly, these sophisticated upgrades do not always work.

According to Morgan Slain, CEO of SplashData, Inc., “Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies. Our hope is that by researching and putting out this list each year, people will realize how risky it is to use these common logins, and they will take steps to strengthen their passwords and use different passwords for different websites.”

Even the best passwords may not withstand a determined attack, but the simplest ones fall in no time at all. If you are curious, several sites let you check the relative strength of a password. One interesting exercise is to go to Random-ize and try one out. The site estimates how long it would take to crack your password assuming the attacker uses a brute-force attack, which is simply trying every possible combination. This is not the fastest method of cracking a password (a dictionary of previously leaked passwords plus a few substitution rules finds the common ones far sooner), but it is, well, brutally effective. Two caveats: the estimate depends entirely on the guess rate the site assumes, which varies by orders of magnitude with the hashing scheme protecting the password, and you should never type a password you actually use into a third-party checker; try a look-alike of the same shape instead.
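The two ideas above, the keyspace a brute-force search has to cover and the reason “passw0rd” and “password1” fall almost immediately, as an added Python example that is not from the original post, from SplashData or from Random-ize. The miniature wordlist, the handful of mangling rules and the guess rate are all constructed for illustration; a real cracker uses millions of leaked entries and far richer rule sets.

```python
"""Why "passw0rd" is not an upgrade: brute-force keyspace vs. rule-based guessing.

Added illustration; the wordlist, rules and guess rate below are constructed
for this example and are not from SplashData, Random-ize or the original post.
"""
import string

# Assumed guess rate (guesses per second). Real rates range from a few thousand
# per second for a slow salted hash such as bcrypt to billions for unsalted MD5
# on a GPU, so treat any "time to crack" as an order-of-magnitude estimate.
GUESSES_PER_SECOND = 1_000_000_000


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this password.

    The attacker does not know which classes you used, so each class that
    appears (lowercase, uppercase, digits, punctuation) adds its whole range.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive search must try to be guaranteed to finish:
    every string of length 1..len(password) over the inferred alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for the exhaustive search at the assumed guess rate."""
    return brute_force_keyspace(password) / rate


# A real cracker uses a dictionary of previously leaked passwords plus "rules"
# that mutate each word. These few rules are a constructed stand-in.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "!"]


def mangle(word: str):
    """Yield the word and its common variants, in the order a cracker might try."""
    bases = [word, word.capitalize(), word.upper()]
    # One leet substitution at a time, e.g. password -> passw0rd
    for i, c in enumerate(word):
        if c in LEET:
            bases.append(word[:i] + LEET[c] + word[i + 1:])
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


# Constructed miniature wordlist; a real one has millions of leaked entries.
WORDLIST = ["123456", "password", "qwerty", "football"]


def guesses_until_found(target: str, wordlist=WORDLIST):
    """Number of rule-based guesses needed to hit target, or None if missed."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if candidate == target:
                return guesses
    return None


def compare(password: str) -> dict:
    """Brute-force estimate next to the rule-based guess count for one password."""
    return {
        "password": password,
        "brute_force_keyspace": brute_force_keyspace(password),
        "brute_force_seconds": brute_force_seconds(password),
        "rule_based_guesses": guesses_until_found(password),
    }


if __name__ == "__main__":
    # "Pelican-Granite-Sunset-42" is a constructed passphrase, not a recommendation.
    for pw in ["password", "passw0rd", "password1", "Pelican-Granite-Sunset-42"]:
        print(compare(pw))
```

Note the two numbers pull in opposite directions. Swapping the “o” for a zero pushes “passw0rd” from a 26-letter alphabet into a 36-character one, so the brute-force estimate grows, exactly what a strength-checker site rewards. But with a dictionary and a single leet rule the same password is guess number 29, and “password1” is guess number 6; the constructed passphrase is never reached by the rules at all. The seconds figure is only as good as the assumed rate: against a properly salted, slow hash the same keyspace takes years, against an unsalted fast hash minutes, and in neither case does it protect a dictionary word with one digit changed.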

For those of you who put in the time and effort to develop and use a variety of strong, unique passwords, it is an imperfect solution but far superior to the baseline alternative. For the rest of us, two words: multi-factor authentication.

By Tom Davis, SDI Cyber Risk Practice

February 7, 2017