Believe it or not, people still use some pretty abysmal passwords, including “123456”. Here is a general list of the top 5:

  • 123456: any sequence of numbers, like 111111
  • password: or variations like passw0rd
  • qwerty: sequences of keyboard characters
  • iloveyou: a bunch of helpless romantics
  • dragon: does everyone like Game of Thrones?

It’s painful for me to know these obviously weak passwords are still being used. If you are using one of these, please change it now!

What is your password?

The average person has created an account on over 100 web-sites. Since it is nearly impossible to remember a different password for every one of these sites, most people will simply reuse the same password or some variation of it.

Have you ever shared your password with a family member, friend, or coworker?

Everyone knows your password!

Even if you have never shared your password, it is fairly likely that your account has been breached from any one of the following web-sites:

  • Zynga (2019 — 218 million user accounts)
  • Marriott (2018, 2014 — 500 million customers)
  • Equifax (2017 — 148 million consumers)
  • LinkedIn (2016, 2012 — 165 million user accounts)
  • eBay (2014 — 145 million users)
  • Yahoo (2014, 2013 — 3 billion user accounts)
  • Adobe (2013 — 153 million user records)

Source: CSO Online (April 17, 2020)

While it varies whether an actual password was leaked as part of the breach, a lot of personally identifiable information was, including your e-mail address. This makes it relatively easy for a hacker to phish you for more information.

I recommend that you use to see if your password has been compromised. If your password has been leaked, then you must change it immediately!

Why use special characters?

Most sites (and your employer) will force you to use more complex passwords to ensure you (and they) are safe. Thus, your password is required to be a minimum of a certain number of characters (usually 8), and must also contain a combination of upper and lower case letters, numbers, and/or special characters. Your employer and bank will most likely require you to change your password on a periodic basis as well.

This is supposed to encourage the creation of unique passwords that are not easily guessed. However, simply changing your old password to “P@ssw0rd” doesn’t really accomplish much, especially with the computing power that is available to hackers these days.

What should my password be?

“Passwords are hard for humans to remember, but easy for computers to guess”, as illustrated by the xkcd comic strip below:

It’s not enough to simply capitalize the first letter, append a number to the end (such as the current month/year), and be creative by replacing a few letters with characters, such as the letter O with the number 0, e with 3, s with $, etc.

Password crackers use a “dictionary attack” to literally take every known word in the dictionary and apply the known variants in order to find a password in just a few minutes. They can do the same with commonly used phrases for your favorite movie, song, or sports team, such as “Letsgochiefs!”, though it takes quite a bit longer.

Conversely, using multiple unrelated words, such as “correcthorsebatterystaple”, makes it exponentially harder for a computer to guess, especially when you combine it with mixed case, numbers, and special characters. Now your password is easy to remember, but difficult for a computer to guess.
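To make the difference concrete, here is an added example (my own illustration, not code from the post) of how a strength checker can undo the usual letter-for-symbol swaps and recognize a dressed-up dictionary word, then compare the naive character-set estimate with the passphrase estimate from the comic. The common-password set and the leet map are constructed for the example; a real checker would use a list of millions of leaked passwords.

```python
import math
import re

# Constructed sample in the spirit of the post's "top 5" list (not a real leak file).
COMMON_PASSWORDS = {"123456", "111111", "password", "qwerty", "iloveyou", "dragon"}

# Character swaps that cracking tools undo automatically ("mangling rules"). Assumed set.
LEET_MAP = {"0": "o", "3": "e", "$": "s", "@": "a", "1": "l", "!": "i", "4": "a", "5": "s", "7": "t"}


def normalize(password: str) -> str:
    """Strip a trailing number/symbol suffix (e.g. '2020!'), then undo leet swaps and lowercase."""
    base = re.sub(r"[\d!@#$%^&*()_\-+=]+$", "", password) or password
    return "".join(LEET_MAP.get(c, c) for c in base.lower())


def is_common_variant(password: str) -> bool:
    """True if the password is a common one, or a common one with cosmetic changes."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or normalize(lowered) in COMMON_PASSWORDS


def charset_bits(password: str) -> float:
    """Naive strength: pretends every character was drawn at random from the classes present.
    This is what most 'strength meters' report, and it overrates dictionary variants."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(n_words: int, wordlist_size: int = 2048) -> float:
    """Strength of n words picked at random from a list: 4 words from 2048 gives 44 bits,
    the figure in the xkcd comic."""
    return n_words * math.log2(wordlist_size)


def estimate(password: str) -> dict:
    """Report both views so the reader can see them disagree for a leet-style password."""
    return {
        "common_variant": is_common_variant(password),
        "naive_bits": round(charset_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Dragon2020!", "correcthorsebatterystaple"]:
        print(pw, estimate(pw))
    print("4 random words from 2048:", passphrase_bits(4), "bits")
```

Note that “P@ssw0rd” scores around 52 bits on the naive scale yet is flagged as a variant of “password”; the naive number is meaningless once a cracker's mangling rules reach the word in a few guesses.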

Why not reuse the same password?

Web-sites that prompt you for a password will store that password in their database (or other means). If they implement proper security techniques, they will not store your actual password, but rather a “hash code” of it. In theory, it would be impossible to reverse engineer a password from a hash code. However, that is not entirely true and ultimately depends on how well they protect your data (using strong encryption techniques).
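As an added illustration of the storage side (example code written for this post, not any particular site's implementation), the block below contrasts the fast, unsalted hash that makes leaked databases easy to attack with a salted, deliberately slow hash, and shows how a site verifies a login without ever keeping the password itself. The iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: tune to your hardware so that one
# verification costs a noticeable fraction of a second; this slows a cracker by the same amount.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """What NOT to do: a fast, unsalted hash. Every user with the same password gets the
    same hash, and an attacker can test billions of guesses per second against a leak."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as one self-describing string: algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correcthorsebatterystaple")
    print("stored:", record)
    print("login with right password:", verify_password("correcthorsebatterystaple", record))
    print("login with wrong password:", verify_password("P@ssw0rd", record))
```

Because each record carries its own random salt, two users with the same password get different stored values, so a leaked table cannot be attacked with one precomputed lookup.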

As pointed out earlier, some very well known web companies have been breached and you can find a pretty comprehensive list at

When your data (e-mail and password) is breached, it ends up on the dark web, available to any hacker who wants it. If the same (or similar) password is reused for all your online accounts, including your bank/credit card, don’t be surprised when you get an overdraft notice or charges for thousands of dollars.

Scared? You should be. However, before you delete your entire online presence and go off the grid, realize that security is simply a matter of managing your risk of exposure. Being aware of it is step 1, so congratulations. Doing something about it is step 2…

Use a password manager

Obviously, remembering unique passwords for hundreds of online accounts becomes nearly impossible. Thus, you need a password manager to help you manage all of them.

Dedicated software companies, such as 1Password, LastPass, Dashlane, Keeper, and others, specialize in keeping your passwords safe. Leaving this up to your browser isn’t the greatest choice and it may be a bit daunting to take the next step. However, you really can’t go wrong in choosing any one of them and I would recommend doing some research with the following in mind:

  • Business model: if the company providing the software isn’t getting paid, they probably won’t exist for very long. Most have free versions with limited capabilities that you can use indefinitely or on a trial basis to get started.
  • Features: find what matters to you, such as multiple device support or the ability to share passwords with others. Don’t be afraid to pay for the features you want.
  • Active development: use highly rated software that continues to evolve and respond to security threats. Technology and vulnerabilities are constantly changing. Don’t forget to keep your software updated!

With a password manager, you can now start generating incredibly strong passwords like “rC#tC%7Pje^ZsT*f6K&3jOi1-Etf#j” that are nearly impossible to crack.
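For the curious, this added example (mine, not code from any of the managers named above) shows the essence of what a generator does: draw from the operating system's cryptographic random source rather than a general-purpose random function, re-draw until every character class is present, and optionally build a word-based passphrase. The symbol set and the tiny word list are constructed for the example.

```python
import secrets
import string

# Character classes a generator mixes; the symbol set is an assumption.
LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+"
)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed, deliberately tiny word list for illustration; a real generator would
# draw from a list of thousands of words so that each word adds ~11+ bits.
WORDS = ["correct", "horse", "battery", "staple", "anchor", "violet", "marble", "cactus",
         "pillow", "glacier", "trumpet", "saddle", "meadow", "copper", "lantern", "falcon"]


def has_all_classes(password: str) -> bool:
    """True when lower, upper, digit and symbol are each present."""
    return (any(c in LOWER for c in password) and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password) and any(c in SYMBOLS for c in password))


def generate_random_password(length: int = 30) -> str:
    """Random characters from the CSPRNG (secrets, never random), re-drawn until every
    class is present so the result also satisfies typical site complexity rules."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(n_words: int = 4, separator: str = "-") -> str:
    """Several unrelated words, each chosen independently at random from the list."""
    return separator.join(secrets.choice(WORDS) for _ in range(n_words))


if __name__ == "__main__":
    print("random:    ", generate_random_password())
    print("passphrase:", generate_passphrase())
```

The re-draw loop rejects only a small fraction of 30-character candidates, and rejection sampling keeps the accepted ones uniformly distributed over the passwords that satisfy the rule, unlike the common shortcut of forcing a digit into a fixed position.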

Use two-factor authentication

The final step in ensuring your online accounts are secure is to utilize two-factor authentication (or “2FA”). Not all web-sites offer this, but you should always take advantage of it when it is offered. You, like most others, have likely ignored it because you don’t know what it is or why it’s important, so let me describe how simple it is.

What is “two-factor authentication”?

In security terms, it is something you know and something you have. It is almost impossible for someone else to obtain both at the same time.

For example, you must know your password and you must have something physical, such as a mobile phone or security token (whether an “authenticator app” or physical piece of hardware).

Why is it more secure?

If I know your password (from the dark web, or because I phished it from you) and try to log into your 2FA-protected bank account, the site would prompt you, not me, for a second form of authentication. Since you obviously were not attempting to log in at that point, you would simply ignore/reject the request and I would not be able to log in.

Additionally, you’ve been informed that your password was compromised and you can immediately change it.

It’s as simple as that.

Use two-factor authentication with strong, unique passwords!