All I’d need to know to guess one of your end users’ passwords is the name of every person important to them, how frequently they use profanity, their favorite pop culture franchises, any sports teams they like, and their favorite vehicle. Where did I get this information, you ask? It’s a trend I’ve noticed on the list of top 10,000 most easily guessed passwords. More specifically, the top 200 list of them. I just analyzed this list in a way that an IT professional would not—all to help you stay ahead of the curve and keep your end users safe.
When I first looked at the words on the Top 200 most easily guessed passwords list, I sorted them into five categories: Vehicles, People’s Names, Sports, Pop Culture, and Vulgarities. These are based on important people and things in the end user’s life, so they are easy to remember. Unfortunately, end users may also simply not care and set their passwords to vulgar phrases or to words relating to computers and passwords. There’s a certain magnetic draw these specific types of passwords have: “The password ‘access denied’ is the funniest one ever, I am so hilarious!” or “My password is so vulgar, you couldn’t possibly have the guts to try to guess it!” What these people don’t realize is how many other people with computers have had these same thoughts... and set their passwords accordingly.
As I kept reading this list, all the way to 1100 and beyond, another trend kept pinging my linguistic radar. I estimated that at least half of the passwords that were actual words were trochees. According to Randall Munroe’s webcomic, a trochee is a two-syllable word with the stress on the first syllable. A great example of a trochee is #1 on the Most Easily Guessed Passwords list: “password.” Number 53, “access,” is also a good one. I got even more curious about this trend and took a sample of the top 200 passwords, ruling out strings of keyboard letters, strings of numbers, and number/letter combinations to define “words.” That left me with a whopping total of 177 words!
More than 76% of the words on the top 200 list were trochees, and only 23% were non-trochees. That means trochees make up 68% of the top 200 most common passwords! Of every possible keyboard combination, a trochee is the one people are most likely to choose as their password. So what does this mean for IT Professionals? You likely already have security measures in place, but here are 3 password guidelines you could use to make sure your trochee-happy end users don’t get hacked:
- Create a passphrase instead, one that includes your trochee of choice. For college students, this is the password version of the “Use the vocabulary word in a sentence” problems from grade school. The reward for a good job is an easy-to-remember password.
- Use multi-factor authentication. A second layer of authentication protects end users where their trochee passwords don’t.
- Change passwords every year. Making people change their passwords is about as easy as herding cats: they all want to do their own thing. Encouraging them to change it more frequently than that, like every month, is just not going to fly. Once a year is the best you can aim for.
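As an added example (not code from the original post), here is a small Python script that applies the post’s own filter from the analysis above, bucketing entries into number strings, keyboard strings, number/letter combinations and candidate “words”, and then checks a candidate against guideline 1. The sample list is constructed, not the real top-200 list, and the “at least four words” passphrase rule and the trailing-digit normalization are assumptions of this example, not rules stated in the post.

```python
import re
from collections import Counter

# Constructed stand-in for the "top 200" list; not the real list from the post.
SAMPLE_TOP = ["password", "123456", "qwerty", "access", "letmein", "abc123",
              "dragon", "monkey", "asdfgh", "football", "master", "111111"]

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_keyboard_walk(s: str) -> bool:
    """A run of three or more adjacent keys along one keyboard row, either direction."""
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def classify(pw: str) -> str:
    """Bucket a password the way the post's filter does: number strings, keyboard
    strings, number/letter combinations, or a 'word' worth examining for meter."""
    s = pw.lower()
    if s.isdigit():
        return "numbers"
    if is_keyboard_walk(s):
        return "keyboard"
    if s.isalpha():
        return "word"
    return "mixed"


def word_share(passwords):
    """Return (number of 'word' entries, total), the ratio the post reports as 177 of 200."""
    counts = Counter(classify(p) for p in passwords)
    return counts["word"], len(passwords)


def normalize(pw: str) -> str:
    """Collapse trivial variants (PassWord2020!) onto the base word so a blocklist
    match is not defeated by a trailing number or symbol (assumed normalization)."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def policy_problems(candidate: str, blocklist) -> list:
    """Reasons a candidate fails guideline 1. Assumed rule: at least four
    space-separated words, and a lone word may not normalize onto the blocklist."""
    problems = []
    words = candidate.split()
    if len(words) < 4:
        problems.append("fewer than four words: not a passphrase")
    if len(words) == 1 and normalize(words[0]) in blocklist:
        problems.append("normalizes onto a common-password entry")
    return problems


if __name__ == "__main__":
    print(word_share(SAMPLE_TOP))
    print(policy_problems("PassWord2020!", set(SAMPLE_TOP)))
```

A single trochee with a year bolted on still fails, while a sentence that happens to contain the same trochee passes, which is the point of guideline 1.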
Thank you for reading about why you should create more complex passwords. If you liked this post, remember to subscribe to our blog on the bottom right for more in Authentication Security!