Easy-to-guess passwords pose consumer risks

The list of 2018’s worst passwords was recently released and, believe it or not, “password” and “123456” are the top passwords for an astonishing fifth year in a row.

Why do people continue to use easy-to-guess passwords, leaving themselves vulnerable to cyberattack?

Because they think creating strong passwords is difficult. Fortunately, these days, it couldn’t be easier.

One of the most common remarks I hear about passwords is, “Oh, nobody’s going to care about my account.” What you may not realize is that hackers use automated software to scan sites in search of weak passwords. It’s easy to get caught up in these sweeps. In fact, one or more of your accounts probably has been swept up already.

There are readily accessible databases out there of known username/password combinations. Some of these are gathered from data breaches, when hackers infiltrate the sites themselves and steal the passwords. Phishing emails are another way passwords are harvested. In a phishing scam, hackers spam you with convincing-looking emails trying to get you to click on links that take you to malicious lookalikes of popular sites.

When you envision passwords being hacked, remember that this isn’t a single hacker typing in usernames and passwords manually, hoping for a match. It’s all done with automated software that can handle thousands of queries in a flash.

All hackers have to do is run easy-to-use software that tries known password combinations from one site on other popular sites, and in seconds, they’re in. You might hear this referred to as “credential stuffing,” and it’s one of the reasons using easily guessed passwords is such a bad idea.

It’s even worse if you’ve been re-using passwords on multiple sites.

The other question I often hear is, “Why would anyone want access to my account anyway?” The short answer is, money. Criminals can use stolen accounts to steal your funds, open bank accounts, take out loans in your name or add themselves as authorized users on your credit card. Your identity could be stolen and your health care information compromised.

Stolen accounts also can be sold to other criminals. You can see why strong passwords are so important.

Automated tools help you create and maintain strong, unique passwords. I’ve spoken before about password management tools such as 1Password, LastPass and KeePass. These tools will create long, random passwords and even enter them for you. You should also use two-factor authentication, which sends an additional one-time code to your phone or a special authentication app.

That way, even if a hacker does get your password, they’re less likely to get in because they don’t have the one-time code. You’ll find more information on creating strong passwords on my Tech Tips blog.
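
As an added illustration (not part of the original column), the Python sketch below audits a list of accounts for the two problems described above, passwords from the worst-passwords list and passwords reused across sites, and generates a long random replacement the way a password manager would. The account data is constructed, and the two-entry weak list and the function names are assumptions made for the example.

```python
import secrets
import string
from collections import defaultdict

# The two passwords the column names as the worst of 2018; a real audit
# would load a much larger list of known-breached passwords (assumption).
WORST_PASSWORDS = {"password", "123456"}

# Constructed sample data: (site, username, password).
ACCOUNTS = [
    ("bank.example", "pat", "123456"),
    ("mail.example", "pat", "Sunny-Day-1987"),
    ("shop.example", "pat", "Sunny-Day-1987"),
    ("forum.example", "pat", "t9#Lq2!vXw8@Zr4$Bn6&"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG via `secrets`."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(accounts, worst=WORST_PASSWORDS):
    """Map each site to its findings: 'worst-list' and/or 'reused'."""
    sites_by_password = defaultdict(set)
    for site, _user, pw in accounts:
        sites_by_password[pw].add(site)

    findings = {}
    for site, _user, pw in accounts:
        issues = []
        if pw.lower() in worst:
            issues.append("worst-list")
        # The same password on more than one site is what makes
        # credential stuffing work after a single breach.
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit(ACCOUNTS).items():
        print(f"{site}: {', '.join(issues)} -> replace with {generate_password()}")
```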

Be aware that even the strongest passwords can be hacked, and even two-factor authentication can be bypassed.

Even so, these are the best tools we currently have available, and I encourage you to take advantage of them. Protecting your passwords is one of your primary lines of defense in protecting your identity, as well as your financial resources.

• Triona Guidry is a computer specialist and freelance writer. Her Tech Tips blog at www.lightningtechsupport.com offers help and advice for Windows and Mac users.