Want to know why your “random” password might just be w0rthle$$ ru66i5H?

Think that your cleverly twisted password is keeping your data safe and secure? You might need to think again. A huge investigation into over 15 million passwords, published this week, has revealed that not only are the vast majority of people using the same tricks – but that hackers already know these tricks inside out.

Carried out by hosting platform WP Engine, their investigation analyzed passwords from two major sources. The first was login details for five million email accounts, mostly consisting of Gmail, leaked on a Russian bitcoin forum in September. The second was a list of 10 million leaked user names and passwords – most of them no longer active – collected by security consultant Mark Burnett as a project to improve security. The result? Some fascinating insights into the password habits of 15 million people – from CEOs to scientists. And some lessons we can all learn…

  1. Don’t let your fingers do the talking

The biggest revelation was that people were using the same seemingly random strings of characters, which suggested those passwords weren’t random at all. For example: “qaz2ws” or “adgjmptw”. Both may appear secure, but they are actually among the most commonly used passwords – which means they’re not safe at all. WP Engine analysts found that the first is from the two leading diagonal columns on a keyboard. Adgjmptw, meanwhile, is the 20th most common keyboard pattern found – and it is produced by pushing the numbers 2 through to 9 on an alphanumeric keypad. So beware: password crackers such as Passpat use keyboard layouts and clever algorithms to measure the likelihood that a password is made from a keyboard pattern. You can see examples of these here.

  1. Avoid the number 1

Adding a number or two at the end of a text phrase may be the easy option – but it is also by far the most common trick. And, as it can easily be broken by malicious bots and brute-force attacks, totally insecure. Analysts found that almost half a million passwords did this — and in 20 per cent of those all people did was put the numeral “1” at the end.

  1. Keep it random – stay away from a “base phrase”

Passwords which are alphanumeric and use case sensitive characters certainly make for a stronger code, however a password requires one more thing for it to at its most secure…it needs to be RANDOM.

Analysts found that even supposedly sophisticated passwords which used common phrases – so for example changing the word “password”, the base phrase, to Pa55w0rd – where still relatively easy for purpose-built password-breaking software to guess it. Software like HashCat, for instance, can take 300,000 guesses at your password a second starting with the most probable ones. Even passwords using a combination of upper and lower case letters and numbers will be vulnerable to attacks like this, if they are not randomly generated.

  1. Don’t show your love

WP Engine found that people born in the 1980s and 1990s were more likely to use the word “love” in a password – analysts found it 40,000 separate times in the 10 million passwords and a lot in the 5 million Gmail credentials too. Notably, women used it twice as much as men. Although happily – if not securely – “iloveyou” appeared ten times as often as “iloveme”.

  1. Build your entropy

In simple terms, the more entropy a password has, the more difficult it is to guess or hack. Your level of entropy increases the longer you make your password, and the greater variation of characters that you include. Analysts found that the average Gmail password was just eight characters long, with an entropy score of only 21.6 out of 100 – a score of over 60 is deemed sufficient to deter hackers or password cracking software – so most of clearly have a way to go before we can say our passwords are up to scratch.