Every time we write about passwords on Lifehacker, a few readers share their secret formula for creating passwords. According to Ryan Merchant, senior manager at the password manager Dashlane, those formulas are easy to hack.
Dashlane recently analyzed 61 million passwords from years of large data breaches: passwords that are available to many security researchers, hackers, and even the public. Dashlane's biggest takeaway is that people aren't very original. Not even the ones using formulas.
Among the obvious common passwords like iloveyou, ferrari, and starwars, Dashlane found common formulas like "password walking," which involves hitting adjacent keys to create something that might look random but is in fact incredibly guessable. "Walking" passwords include 1q2w3e4r, zaq12wsx, and !qaz@wsx. These are common enough that hackers might include them in the word lists used for "dictionary attacks" against random accounts.
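Here is what a checker for keyboard walks looks like. This is an added example, not code from the article or from Dashlane; it assumes a US QWERTY layout, a "touching keys" adjacency rule (including diagonals and repeated keys), and a 75 percent coverage threshold, all chosen for the illustration, and the sample list at the bottom is constructed from the passwords named above.

```python
# Added example (not from the article or Dashlane): flag "password walking"
# on a US QWERTY layout. The layout, the adjacency rule and the 75% threshold
# are assumptions chosen for this illustration.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
# Shifted symbols live on the same physical key as their unshifted character.
SHIFTED = str.maketrans("!@#$%^&*()_+{}:\"<>?", "1234567890-=[];',./")

# Map every main-block key to a (row, column) grid position.
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def key_pos(ch):
    """Grid position of a character, or None if it is not on the main keys."""
    return POS.get(ch.lower().translate(SHIFTED))


def adjacent(a, b):
    """Same key, or keys that touch horizontally, vertically or diagonally."""
    return abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1


def walk_runs(password, min_run=3):
    """Split a password into maximal runs of adjacent keystrokes and return the
    runs of at least min_run characters, e.g. "!qaz@wsx" -> ["!qaz", "@wsx"]."""
    runs, current, prev = [], "", None
    for ch in password:
        pos = key_pos(ch)
        if pos is not None and prev is not None and adjacent(prev, pos):
            current += ch
        else:
            runs.append(current)      # a non-adjacent key starts a new run
            current = ch
        prev = pos
    runs.append(current)
    return [r for r in runs if len(r) >= min_run]


def is_keyboard_walk(password, threshold=0.75):
    """True when at least `threshold` of the characters sit in walk runs."""
    if not password:
        return False
    covered = sum(len(r) for r in walk_runs(password))
    return covered / len(password) >= threshold


def flag_walks(passwords):
    """Return the passwords in a list that look like keyboard walks."""
    return [p for p in passwords if is_keyboard_walk(p)]


# Constructed sample input: the walks and the plain words named in the article.
SAMPLE = ["1q2w3e4r", "zaq12wsx", "!qaz@wsx", "iloveyou", "ferrari", "starwars"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:10} walk={is_keyboard_walk(p)!s:5} runs={walk_runs(p)}")
```

The run-based rule matters for a password like !qaz@wsx: it is two separate columns walked top to bottom, so a check that demands every keystroke be adjacent to the previous one would miss it, while "most characters belong to some run of three or more" catches it. Plain words such as iloveyou contain short accidental runs ("ilo") but fall well under the threshold.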
Maybe, like one Lifehacker reader, you "use a formula based on the name of the website." You're still in danger, says Merchant: "If [a hacker] knows somebody's 'base password,' it's not that difficult to predict what the variations of that are going to be." Especially since hackers know the password requirements for each site. So when one of your formula passwords is exposed, they can all be exposed. If you just slap "tidder" on the end of your Reddit password, a hacker knows to add "koobecaf" to your Facebook password. Hackers can also guess which characters you might swap for others: letters and numbers might turn into punctuation marks. Changing every i to !, rebus style, won't fool them.
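To make Merchant's point concrete, here is how small the search space is once one formula password leaks. This is an added example, not code from the article or from Dashlane. It assumes a handful of common ways to fold a site name into a password (as-is, reversed, abbreviated, capitalized, leetspeak), one common substitution table, a made-up dictionary format for a site's password policy, and a constructed leaked password, "Sunshine1tidder", from a constructed Reddit breach.

```python
import itertools

# Added example (not from the article or Dashlane): given one leaked "formula"
# password, enumerate the variants an attacker would try on another site.
# The token shapes, the leet table and the policy format are assumptions.
LEET = str.maketrans({"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"})


def site_tokens(site):
    """Ways a site name tends to be folded into a password: as-is, reversed
    ("reddit" -> "tidder"), abbreviated, capitalized, and leetspeak versions."""
    s = site.lower()
    forms = {s, s[::-1], s[:3]}
    forms |= {f.capitalize() for f in forms}
    return forms | {f.translate(LEET) for f in forms}


def recover_base(leaked_password, leaked_site):
    """Strip a site token from either end of a leaked password to recover the
    reusable "base". Heuristic: longest token first; None if nothing matches."""
    for tok in sorted(site_tokens(leaked_site), key=len, reverse=True):
        if leaked_password.endswith(tok):
            return leaked_password[: -len(tok)]
        if leaked_password.startswith(tok):
            return leaked_password[len(tok):]
    return None


def fits_policy(password, policy):
    """Keep only candidates the target site would accept (assumed dict format:
    min_len, digit, symbol). Attackers know these rules and prune with them."""
    if len(password) < policy.get("min_len", 0):
        return False
    if policy.get("digit") and not any(c.isdigit() for c in password):
        return False
    if policy.get("symbol") and all(c.isalnum() for c in password):
        return False
    return True


def guesses(base, target_site, policy):
    """Every base/site-token combination the target site's policy would allow."""
    bases = {base, base.capitalize(), base.translate(LEET)}
    out = set()
    for b, t, sep, extra in itertools.product(
        bases, site_tokens(target_site), ("", "_"), ("", "1", "!")
    ):
        out.add(f"{b}{sep}{t}{extra}")   # base then site: "Sunshine1koobecaf"
        out.add(f"{t}{sep}{b}{extra}")   # site then base: "koobecafSunshine1"
    return sorted(c for c in out if fits_policy(c, policy))


if __name__ == "__main__":
    # Constructed leak: one formula password exposed in a (made-up) Reddit breach.
    leaked = "Sunshine1tidder"
    base = recover_base(leaked, "reddit")
    policy = {"min_len": 8, "digit": True, "symbol": True}   # assumed Facebook rules
    candidates = guesses(base, "facebook", policy)
    print(f"base password: {base}")
    print(f"{len(candidates)} candidates for facebook, e.g. {candidates[:5]}")
```

Every candidate list this produces has a few hundred entries, which an online login form with rate limiting will still absorb over a few days and an offline hash cracker will clear in well under a second. A policy that demands a symbol does not help: the filter simply drops the all-alphanumeric guesses and keeps "Sunshine1koobecaf!". A random 20-character password from a manager has no base to recover and no site token to strip, so there is nothing to enumerate.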
So please, give up your formula and use a password manager, which will create genuinely random passwords for you and then remember them, so you never even have to learn them. You could use Dashlane; I personally like 1Password. We've listed our five favorite password managers here. I've even reviewed a newer, cuter option called RememBear.
You can't stop accounts from getting breached; that's up to the companies and organizations that store them. All you can do is contain the damage and make your passwords less guessable. The point of a password is to keep your data safe, not to make you feel clever.