Passwords that protect nothing


Passwords serve as the frontline defence in protecting our data and digital identities. They act as virtual keys to online accounts and prevent unauthorised access. Creating strong, unique and complex passwords is crucial because it makes them far harder for cybercriminals to guess or to crack with software. For convenience, however, many people keep simple, easy-to-remember passwords that can be recalled at the drop of a hat without using too much brainpower. That means they're easy to guess and even easier to hack.

So, just what is the most common password globally? Well, according to data from NordPass, that would be the classic '123456'. Over 40 countries in the world use this as their main password. The people of Russia gravitate towards this one with a whopping 19,000,630 users. China and Germany take second and third place with 8,159,358 and 2,269,847 people using the number password respectively. The UK is no better though. We feature eighth on the list with a concerning 571,107 people using '123456' to protect their personal data. Unsurprisingly, this password would take 0 seconds for a hacker using software to crack, which is seriously concerning for people across the world.

Diving deep into the most used passwords in the UK, there are some interesting options out there. Joining '123456' among the commonplace, generic and easy-to-guess passwords is 'password' in second place, with a user count of 423,192. 'Qwerty' is an honourable mention in seventh place, with a user count of 145,626. While these may be easy to remember, the lack of creativity and sophistication provides very little protection against hackers who have malicious intentions for your personal data and funds.

When they say a password should be something that you can easily recall but important to you, it turns out football clubs spring to mind first. Three out of 10 of the most used passwords are football clubs, with 'Liverpool' taking third place, 'Liverpool1' taking eighth place and 'Arsenal' taking tenth. Again, these are easily guessable patterns and combinations, especially if you're vocal about your support in person and especially online, and they pose a significant risk to your digital security.

| Rank | Password | User Count |
|---|---|---|
| 1 | 123456 | 571,107 |
| 2 | password | 423,192 |
| 3 | liverpool | 224,160 |
| 4 | password1 | 162,086 |
| 5 | 123456789 | 152,801 |
| 6 | 12345 | 151,914 |
| 7 | qwerty | 145,626 |
| 8 | liverpool1 | 123,328 |
| 9 | charlie | 109,524 |
| 10 | arsenal | 107,899 |

Cracking the code to your data

Is there anything more frustrating than meticulously crafting a hard-to-crack password, ensuring it meets all the criteria - eight characters, including numbers and symbols - only to forget it a few weeks later and have to start the whole process again? Falling victim to a hacking incident where money and personal data are stolen for identity fraud is painful. Not only can it wreak havoc on your personal finances, but it can also deal a significant blow to your business's reputation, signalling a lack of trustworthiness with sensitive data which can lose you both new and existing customers. That's why it's imperative to prioritise good password hygiene habits.

Consider using unique passwords or, better yet, passphrases—longer and easier to remember. After all, "MyCatIsSoCool!33" is far more memorable than "X4crz1J8k." Additionally, make it a habit to update passwords regularly, aiming for every six months, to maintain the integrity of your digital security.

While it may not seem like it at the time, it's important to put some serious thought into your passwords. According to recent data from HiveSystems.io, the time it takes for cybercriminals to use generative AI hardware to brute force passwords based on their length and complexity is shockingly little. For instance, the table below shows that shorter passwords can be broken instantly. Only when you hit passwords at 10 characters long with a mix of upper- and lower-case letters does it start taking some time, and that's only 4 seconds. Longer and more complex passwords provide significantly stronger defences against brute force attacks. In fact, even a 16-character password (or more likely passphrase) that uses a mix of numbers, upper- and lower-case letters and symbols will take 16 million years for cybercriminals to hack. So, just a few small changes could provide ample protection for your business against those with malicious intent.

Using generative AI hardware to brute force your password in 2023

| Number of characters | Numbers only | Lowercase letters | Upper and lowercase letters | Numbers, upper and lowercase letters | Numbers, upper and lowercase letters, symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 7 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 8 | Instantly | Instantly | Instantly | Instantly | 1 sec |
| 9 | Instantly | Instantly | 4 secs | 21 secs | 1 min |
| 10 | Instantly | Instantly | 4 mins | 22 mins | 1 hour |
| 11 | Instantly | 6 secs | 3 hours | 22 hours | 4 days |
| 12 | Instantly | 2 mins | 7 days | 2 months | 8 months |
| 13 | Instantly | 1 hour | 1 year | 10 years | 47 years |
| 14 | Instantly | 1 day | 52 years | 608 years | 3000 years |
| 15 | 2 secs | 4 weeks | 2000 years | 37k years | 232k years |
| 16 | 15 secs | 2 years | 140k years | 2 million years | 16 million years |
| 17 | 3 mins | 65 years | 7 million years | 144 million | 1 billion years |
| 18 | 26 mins | 1000 | 378 million | 8 billion years | 79 billion years |
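The scaling behind the table, together with a check against the UK top 10 list above, can be sketched as follows. This is an added example, not code from Markel Direct, NordPass or Hive Systems; the guess rate is an assumption (the page does not state one) and the function names are illustrative.

```python
import math
import string

# Top 10 UK passwords, copied from the table earlier on this page.
COMMON = {"123456", "password", "liverpool", "password1", "123456789",
          "12345", "qwerty", "liverpool1", "charlie", "arsenal"}

# Character classes matching the columns of the brute-force table.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)

# Assumption for illustration only: the page does not state a guess rate.
ASSUMED_GUESSES_PER_SECOND = 1e11


def alphabet_size(password):
    """Symbols to try per position: 10, 26, 26 and 32 for each class used."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space_bits(password):
    """log2 of the exhaustive search space: length * log2(alphabet size)."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_common(password):
    """True if the password, ignoring case and trailing digits, is on the list."""
    lowered = password.lower()
    return lowered in COMMON or lowered.rstrip(string.digits) in COMMON


def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Upper bound on cracking time; listed passwords fall to a wordlist at once."""
    if is_common(password):
        return 0.0
    return 2 ** search_space_bits(password) / rate


def assess(password):
    """Summarise one candidate password for a sign-up or audit check."""
    return {"common": is_common(password),
            "alphabet": alphabet_size(password),
            "bits": round(search_space_bits(password), 1),
            "worst_case_seconds": worst_case_seconds(password)}


if __name__ == "__main__":
    for candidate in ("123456", "Liverpool1", "X4crz1J8k", "MyCatIsSoCool!33"):
        print(candidate, assess(candidate))
```

Each extra character multiplies the search space by the alphabet size, which is why the lowercase column goes from 1 hour at 13 characters to 1 day at 14 (a factor of 26). The figure is an upper bound for exhaustive search only: a passphrase built from dictionary words can fall sooner to a wordlist attack.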

As technology continues to advance and cyber threats evolve, individuals and businesses must remain vigilant and proactive in mitigating risks and protecting against potential vulnerabilities. By implementing robust cybersecurity measures and understanding the significance of good cybersecurity practices, like implementing strong password hygiene habits and enabling multi-factor authentication, you can strengthen your defences against cyber-attacks and minimise the devastating impact of potential breaches. That, in turn, can prevent untold issues when it comes to running your business. But even with good cybersecurity, hackers can still get through or employees can fall for scams, which is why it's recommended that businesses have professional indemnity insurance.

Markel Direct are leading providers of business insurance, specialising in insurance for the self-employed and for SMEs. Make sure your business is protected by getting a tailored business insurance quote today.
© Markel Direct 2024