At a time when personal information and cybersecurity has been high on the agenda, after millions of pieces of personal data was exposed in the Optus hack, it’s concerning to learn that thousands of Australians are still risking their own data by using the password ‘123456’.
That password has topped the list of most commonly used passwords in findings published by software-as-a-service provider NordPass.
In collaboration with independent cybersecurity researchers evaluating a four terabyte database, the company found 123456 was the mostly commonly used password in the world, with over 100 million instances of its use.
It’s also the most used in Australia – across more than 300,000 instances.
Ranking second down under was ‘password’ – perhaps the most obvious entry a person could devise, with nearly 200,000 uses.
It would take a hacker less than a second to crack these passwords.
Ranked third was ‘lizottes’ – the name of a popular restaurant in Newcastle. It’s used by nearly a hundred thousand accounts.
Read more: Quantum entanglement can be used to encrypt messages
In contrast to the leading password selections, Nordpass estimates it would take three hours to crack this entry.
Earlier this year, cybersecurity firm Hive Systems released updated tables on estimated ‘crack’ times – how long it would take a hacker to break a password – showing a password like ‘lizottes’ would take just three seconds to break, or instantaneously if high-performance computing technology was used.
People, says UQ Cyber research officer Joshua Scarsbrook, pick simple passwords because they want to reduce the barrier to entry.
“We often see password prompts as a barrier to entry to the systems that we’re trying to work with,” Scarsbrook.
“If we have a password like, say, a 16, or 32, character long passphrase, then it’s going to take some time to type that out.
“So people use shorter passwords that are simpler and easier for them to remember.”
But that leaves individuals vulnerable to being hacked.
How can hackers break passwords so quickly?
By cracking a hash.
A hash is a long, complex series of characters that corresponds to a text-based password. It’s created by hashing software to store your password in a server.
While you type your password in, this software outputs it as a hash, this makes it difficult to know, on first glance, what a password might be.
A hash might look like this:
e10adc3949ba59abbe56e057f20f883e
You probably can’t guess the password by looking at that, can you?
It’s 123456, as hashed using a cryptographic protocol called MD5.
The fact we know this hash corresponds to the world’s most commonly used password should not be comforting, and it isn’t, because MD5 has been cracked – the equivalent of thieves in heist films knowing exactly how to break open a safe.
The Top 10 most used passwords in Australia, and how many use them
| Rank | Password | Time to crack it | Count |
|---|---|---|---|
| 1 | 123456 | <1 second | 308,483 |
| 2 | password | <1 second | 191,880 |
| 3 | lizottes | 3 hours | 98,220 |
| 4 | password1 | <1 second | 86,884 |
| 5 | 123456789 | <1 second | 75,856 |
| 6 | 12345 | <1 second | 69,434 |
| 7 | abc123 | <1 second | 68,434 |
| 8 | qwerty | <1 second | 67,130 |
| 9 | 12345678 | <1 second | 37,675 |
| 10 | holden | 2 minutes | 30,844 |
Hackers crack hashes by working out the combinations of inputs on your keyboard – letters, numbers and non-alphanumeric characters – and hashing them. These are used to create lists of these combinations which are then run against stolen password hashes.
Eventually, a hacker could work out exactly how to ‘brute force’ your password. If this conjures up the image of a computer whizz repeatedly trying to guess your combination in hope of getting it correct, you’d be right.
“There are two different kinds of password brute forcing,” explains Scarsbrook.
“There’s an online password brute force where your computer is actually interacting with a website and effectively trying to log into a website or computer system thousands and thousands of times.
“Then there’s the more offline password brute forcing where the hacker has some hash or other cryptographic signature of the password that they’re attempting to reverse into plain text form.
“In the case of cracking websites, that can be pretty slow, but with the Nordpass examples, specifically, they would be referring to the amount of time it takes for a computer to actually crack the password offline based on a hash.”
Brute forcing, is made much easier by having known hashes to compute possible password combinations.
Hive Systems suggests a password containing up to 11 numbers only is instantly breakable.
11 lowercase letters, on the other hand, might take two hours.
A combination of 11 lower and upper case letters would take five months. Throw some numbers into that mix and it would take three years. Add a @, # or $ in place of a letter, and it’s a 34-year proposition.
Ben Cornish is the director of McGrathNicol, a specialist advisory firm that consults to the government and private sector on risk and cybersecurity. He says that when it comes to data, people and businesses need to care for it like they would gold.
“Personally Identifiable Information or PII is probably one of the most valuable commodities out there these days,” Cornish says.
“They say data is the new gold and PII is a key part of that as well.
“The scary thing is people are probably using the [same] password across multiple registrations, sites and applications, which now that this information is out – the username and a password – that obviously means anything that is using that that combination of username and password is now vulnerable to hackers.”
How quickly can your password be brute forced?
| Characters | Numbers Only | Lowercase letters | Upper and lowercase | Numbers, upper and lowercase | Numbers, upper and lowercase, symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 7 | Instantly | Instantly | 2 seconds | 7 secs | 31 secs |
| 8 | Instantly | Instantly | 2 minutes | 7 mins | 39 mins |
| 9 | Instantly | 10 ses | 1 hour | 7 hours | 2 days |
| 10 | Instantly | 4 min | 3 days | 3 weeks | 5 months |
| 11 | Instantly | 2 hours | 5 months | 3 yrs | 34 yrs |
| 12 | 2 secs | 2 days | 24 yrs | 200 yrs | 3k yrs |
| 13 | 19 sec | 2 months | 1k yrs | 12k yrs | 202k yrs |
| 14 | 3 mins | 4 yrs | 64k yrs | 750k yrs | 16m yrs |
| 15 | 32 mins | 100 yrs | 3m yrs | 46m yrs | 1bn yrs |
| 16 | 5 hrs | 3k yrs | 173m yrs | 3bn yrs | 92bn yrs |
| 17 | 2 days | 69k yrs | 9bn yrs | 179bn yrs | 7tn yrs |
| 18 | 3 weeks | 2m yrs | 467bn yrs | 11m yrs | 438tn yrs |
How can you protect yourself?
If the Hive Systems table is anything to go by, a complex password is a good first step – a lengthy mix of characters, numbers, and symbols.
Some people now use ‘passphrases.’
Rather than AcDc!99, you might go with !tsaL0ngWay2TheT0p.
That’s a crack time difference of around 438 trillion years – pretty good (although we’ve obviously published it now, so don’t use that one).
There are other security protections that are possible, such as two or multi-factor authentication. When set up, this might involve a notification sent to your smartphone or email with an input code.
Password manager applications are also solutions for creating and storing long, complex passwords.
But every year there are new instances of privacy breaches, there’s even a website that matches your data to publicly released hacking events.
That, says Cornish, means individuals need to be vigilant about what information they’re sharing – or signing up to – in the first place.
“It comes back to not putting too much information out there, not providing all your details to random questionnaires that you receive on Facebook or elsewhere,” Cornish says.
“And being really vigilant when people are asking for information or are asking you to give away information.
“Making sure that you’re monitoring unusual interactions or messages that you might receive via email, via text message, via phone call… monitoring your bank accounts for any unusual activity.”