Humans are terrible at passwords.
Software company Splashdata (which makes a password-manager tool) has been compiling a list of the worst passwords since 2011, and the two most frequent crypts are still "123456" and "password."
The problem is, users with dead-simple passwords on Facebook are likely to do the same thing at work. Security-software developer Ping released a survey in 2015 that found half of workers reuse the same passwords across multiple enterprise tools, and two-thirds use those same passwords on personal services, such as social networks. An executive that uses an awful password on a platform such as LinkedIn could give even an amateur hacker the keys to his company's network. And the wealth of personal data we post online also makes it easier to use social engineering techniques to bypass password-reset security questions.
One reason why we are so bad at cryptography may be security fatigue. Researchers at Trend Micro have said that data get stolen every three seconds, and Splashdata compiles its database from the leaked credentials that appear online after some of the truly epic hacks that seem happen on a monthly basis. This year's list was culled from two million leaked records, and the irony is that hackers don't need these weak passwords to get those records: Software itself is often leaky enough to break open and steal data.
All of which is why there is a growing movement to get rid of the things altogether. A survey of 308 digital-security experts, conducted by Wakefield Research late last year for SecureAuth (makers of two-factor authentication software), found 91 per cent of the respondents were sure the text password would be dead in 10 years.
"There's a lot of work being done to integrate biometric, but they are still a ways away from mainstream adoption," warns Mark Nunnikhoven, a vice-president at Trend Micro. Canada's Nymi has been flogging its heartbeat-reading biometric, while an increasing number of smartphones offer fingerprint access. "Companies should look to adopt multifactor authentication in the short term. It will help compensate for human nature when it comes to password hygiene." MFA or two-factor authentication is where a text or other message is sent to a secondary device in order to confirm an attempt to login.
In the meantime, please remember that "1qaz2wsx" may be a nonsense word, but anything that's a simple pattern (such as the first two rows of a keyboard) is not a good password.