Take a couple of minutes to watch this video in which Edward Snowden talks about passwords.
Like him or not, when Mr. Snowden advises on things related to security, people tend to listen. John Oliver certainly listened (he revealed that his password at the time was only five characters long, and his use of the singular suggests he was reusing it), but in the end he said: "Now, you're right, okay? I get it. I get how important it is. I fully understand that. The problem is, I'm not gonna do it."
So, what is it that makes people so reluctant to create strong passwords? We already know that for years, users have been protecting sensitive information online with extremely simple, easy-to-guess words. Why do they do it? Before we get to that, let's take a closer look at a few awful practices people employ when creating a password.
1. Using personal information
Users are lazy. And don't pretend to be offended by this, because you know it's true. When it comes to creating passwords, they tend not to put too much effort into it, and instead prefer to use something simple like the name or birthday of a relative or a pet. Favorite sports teams and words related to hobbies are alarmingly common as well. Back in the days when information about regular users wasn't so easily accessible, this wasn't such a horrible strategy. Nowadays, however, attackers can learn a lot about you just by visiting your Facebook profile. And don't think that your absence from social media can save you, because it can't. There's a ton of data about you online, and there's little (if anything) you can do to control who has access to it. Using the name of your pet or your wedding anniversary as your password just isn't the right thing to do. Speaking of which, here's the next awful password creation strategy.
2. Using keyboard patterns
So, you're sitting there, trying to create a password, and you think that the only way to outsmart the cybercrooks is not to use a word, but something that has no meaning. You also want it to be easy to type, though. So, here are some of your obvious choices:
If you think that you're the first person to ever think of this workaround, you'd be wrong. In fact, some of the patterns you see above regularly appear in lists of the most common passwords, and during password dictionary attacks they're among the first that attackers will try.
3. Taking security advice literally
In the video you see above, Edward Snowden says that "margaretthatcheris110%SEXY" is a good password to use. A few years ago, xkcd, a popular web comic, told people of the Internet that "correcthorsebatterystaple" is a good password to use. Put both of them into any password strength meter (with a few exceptions), and you'll see that they are indeed very strong. But does that mean you should use them?
No, you should actually avoid them like the plague. The fact that they've been given out as examples of good passwords means that someone out there is using them. And this, in turn, means that they will be included in dictionary attacks. So, when you hear advice on how to create a password, don't use the examples; use the mechanism and create your own unique passwords.
4. Reusing passwords
So, you know what a strong password is, and you're willing to put the time and effort into creating one. You make it fairly long, you include both uppercase and lowercase letters, and you sprinkle it with a few @s, #s, !s, $s. After making sure that there's no one watching over your shoulder, you open Notepad and type it out a few dozen times to memorize it. You're feeling good about yourself, and you should be. Then, however, you go on and put your brand new complex password on all your accounts.
This means that when a discussion board you registered on a while ago gets compromised, miscreants can steal your complicated password and use it to break into anything from your online banking account to your email. They can basically ruin your online life.
The rampant password reuse witnessed by researchers shows that not a whole lot of people understand this. Or do they?
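The four awful practices above can be turned into a simple screening check, and the xkcd-style advice into a generator that uses the mechanism rather than the published example. This is an added illustration, not code from the original post; the keyboard rows assume a US QWERTY layout, and the example list and wordlist are constructed here.

```python
import math
import secrets

# Constructed inputs (not from the post): the two published examples the post
# warns about, and the rows of a US QWERTY keyboard used to spot key-walk patterns.
PUBLISHED_EXAMPLES = {"correcthorsebatterystaple", "margaretthatcheris110%sexy"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def keyboard_pattern(pw, min_run=4):
    """True if pw contains min_run or more adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - min_run + 1):
                if direction[i:i + min_run] in low:
                    return True
    return False


def weak_reasons(pw, personal=(), seen_elsewhere=()):
    """Return which of the post's four practices a candidate password exhibits.

    personal: strings an attacker could find about the user (pet name, dates ...).
    seen_elsewhere: passwords this user already uses on other accounts.
    """
    reasons = []
    low = pw.lower()
    if any(p.lower() in low for p in personal if len(p) >= 3):
        reasons.append("personal information")
    if keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    if low in PUBLISHED_EXAMPLES:
        reasons.append("published example")
    if pw in seen_elsewhere:
        reasons.append("reused password")
    return reasons


def generate_passphrase(wordlist, n_words=5, sep="-"):
    """The xkcd mechanism: n_words drawn with a CSPRNG from a wordlist, never a fixed phrase."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Bits of entropy of a uniformly drawn passphrase: n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)
```

A real strength meter would also check breach corpora and repeated characters; this check only covers the practices discussed in the post.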
We're going back to the original question: why do users engage in awful practices when it comes to creating passwords?
According to a survey Kaspersky conducted in 2013 (https://www.kaspersky.com/blog/infographic-password-protection/1446/), more than 70% of users rely on their brains to remember their passwords. Your brain is certainly capable of remembering many simple passwords. It's also more than able to remember a few complex passwords. Unfortunately, when it comes to remembering many complex passwords, it's most likely not up to the job. So, what are the alternatives?
9% of the participants in the same Kaspersky survey said that they keep their passwords on sticky notes stuck to their monitor. 12% admitted that they store their login credentials on their phones, 13% said that their computer is hosting the valuable information, while around 1 in 4 people use good old pen and paper. All of these options could pose a security risk under certain circumstances. In fact, there is no silver bullet, but experts agree that the best option, both in terms of security and convenience, is a password manager.
A password manager stores your passwords in encrypted form and protects them with a master password that only you know. When you're creating a new password or updating an old one, a dedicated password management application can also generate a strong, random password for you, and since the manager is the one storing it, you won't need to remember it.