
Lax password security makes it too easy for cryptothieves to get your data and break into your accounts. Credit: Getty Images/iStockphoto/SHipskyy


Seven in 10 Americans feel like they have too many different passwords to remember, according to a survey commissioned last year by password manager FastPass.

That’s one of the core reasons they often use easy-to-remember ones like 123456, 111111, Password and Iloveyou, all of which appear on a list of the top 20 passwords circulating on the dark web that Lookout released recently.

But while easy to remember, they’re also easy to crack, experts say.

“By using easy passwords, you’re making life easier for the bad guys,” says Hank Schless, senior manager of security solutions at San Francisco-based Lookout, a provider of security solutions for mobile devices and the cloud.  

The top 20 passwords Lookout released are the most frequently used passwords that appear on the dark web as a result of successful data breaches, he says.

Lookout released the list for the first time to alert both businesses and consumers to “never ever” use these passwords, Schless says.

That’s prudent considering the overall number of data compromises on websites that collect information from users — 1,862 in 2021 — was up more than 68% compared with 2020 and 23% over the previous all-time high in 2017, according to San Diego-based Identity Theft Resource Center (ITRC). About 15% of the system compromises last year were the result of a stolen password or login, says ITRC Chief Operating Officer James E. Lee. The data of about 293 million people were exposed in the United States.

He said password and login information is a hot commodity.

Dark web marketplace

Consider that a Social Security number is worth $2 or less per adult on the dark web, while a hacked Gmail account is worth about $80 per adult, because cybercriminals know that if they get access to that account, there’s an 85% chance you’re using that same login or password on every account you have at home or work, he says.

“The problem is we have all the same passwords,” says Lee. “That’s because it’s impossible to remember them.”

But using the same passwords repeatedly gives hackers easy access to multiple accounts. If they get access to a user name/password, they can then run automated scripts scouring “tens of hundreds of thousands of websites” trying these passwords and seeing how many accounts they can get into, says Schless.

The more complex the password, the harder it is to crack, but also the harder it is to remember.

That’s why Schless recommends using a password manager. These not only safely store your passwords, but also generate strong passwords for you.


David Antar, President of A+ Technology & Security, with the Halo Smart Sensor inside their headquarters in Bay Shore. Credit: Newsday/Steve Pfost

David Antar, president of Bay Shore-based A+ Technology & Security Solutions Inc., which specializes in information technology, audio visual and security solutions, has over 700 passwords between business and personal accounts. He uses password manager SplashID, which stores his passwords in an encrypted cloud-based system.

The cybersecurity two-step

“No matter where I am, I have access to these passwords,” says Antar, who set up a corporate policy at his own firm mandating employees use more complex passwords.

This includes having to create a password with a minimum of eight to 10 characters and requiring a mix of numbers and symbols, he says. The firm also uses two-factor authentication for logging into company systems, so staff must enter a password plus a unique code that’s texted to them.

In addition, Antar uses Google Chrome’s password manager.

Danny Aponte, managing director of Intelligent CloudCare in Hauppauge, an IT and cybersecurity solutions provider, also recommends using a password manager, but for those reluctant to do so, he suggests a technique where you’d create a password from a phrase.

Take a phrase you’ll remember, take the first letter of each word of that phrase, and then add onto that perhaps your anniversary or some other memorable date, he suggests. Maybe it’s your favorite song lyric or favorite Bible verse, he says. His example: from Philippians 4:13 — "I can do all things through Christ who strengthens me" — he took the first letter of each word and added the verse numbers to derive IcdattCwsm413.


Danny Aponte, managing director of Intelligent CloudCare in Hauppauge, an IT and cybersecurity solutions provider. Credit: Emma Severino Photography

With over 500 passwords, Aponte himself uses a password manager, which generates 25-character passwords mixing lowercase and capital letters, numbers and symbols.

Go long

A manager also makes accessing passwords easy, because password managers generally plug into your web browser and can automatically fill in your user name and password on websites, he says.

Even if you’re not using a password manager, remember: the longer the password, the better, says Aponte. 
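The three practices described above (Antar’s length-plus-mix policy, Aponte’s phrase-initials technique and a manager-style random generator) can be put into a few lines of code. The script below is an added example written for this page, not code from Newsday or from any of the firms quoted; the function names, the symbol set, the 10-character minimum and the small vault of sample accounts are all assumptions chosen for illustration, and the deny-list contains only the four passwords the article names.

```python
import secrets
import string

# Constructed deny-list: the passwords the article says to "never ever" use.
NEVER_USE = {"123456", "111111", "password", "iloveyou"}

# Assumed symbol set; a real manager would let the user configure this.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def passphrase_password(phrase, suffix=""):
    """Aponte's technique: first letter of each word, original case kept,
    followed by a memorable number (the article's example adds the verse
    numbers '413' to Philippians 4:13)."""
    initials = ""
    for word in phrase.split():
        word = word.strip(string.punctuation)  # ignore quotes and commas
        if word:
            initials += word[0]
    return initials + suffix


def generate_password(length=25):
    """Manager-style random password using the secrets module (CSPRNG),
    re-drawn until it contains at least one lowercase letter, one capital,
    one digit and one symbol, like the 25-character mix Aponte describes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def check_policy(password, min_length=10):
    """Policy modelled on Antar's rules plus Lookout's list: returns the list
    of violations, so an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no digit")
    if not any(ch in SYMBOLS for ch in password):
        problems.append("no symbol")
    if password.lower() in NEVER_USE:
        problems.append("on the breached-password list")
    return problems


def reused_passwords(vault):
    """Lee's rule that every account gets its own password: given a mapping
    {account: password}, return {password: [accounts]} for every password
    that is shared by more than one account."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    derived = passphrase_password(
        "I can do all things through Christ who strengthens me", "413")
    print(derived, check_policy(derived))
    fresh = generate_password()
    print(fresh, check_policy(fresh))
    # Constructed sample vault: two accounts share one password.
    sample_vault = {"mail": "IcdattCwsm413", "bank": "IcdattCwsm413", "shop": fresh}
    print(reused_passwords(sample_vault))
```

Running the script reproduces the article’s IcdattCwsm413 from the verse and shows why the policy check matters: that derived password meets the length and digit rules but contains no symbol, so the checker reports one violation for it, while the generated 25-character password passes cleanly. The reuse check flags the sample vault’s shared password together with both accounts that use it.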

And remember every account should get its own unique password, says Lee of ITRC.

If you come up with strong ones, they have staying power.

“As long as it’s unique and you don’t receive notice it’s been compromised, it’s good forever,” Lee says.


The average respondent in a survey commissioned last year by FastPass and conducted by OnePoll said they used the same password for six different accounts, spanning both work and personal.
