Why we know your password and what you can do about it

Trying to make passwords more secure can often end up having the opposite effect, for two main reasons:

  1. When people are faced with complex rules — at least one uppercase letter, number, symbol etc. (we’ve all been there) they will do the simplest thing possible. Most users will capitalise the first letter in their password, or all of them, and add a “1” to the end. Sound familiar?
  2. Complex passwords made up of random generated characters are much easier for a computer to guess than for a human to remember.

The proof

For evidence of how people choose passwords, you need look no further than the 10,000 most common passwords discovered in security breaches, as published on Github or this page on Wikipedia. As I write, the second most common password is “password”,“Password” is number 176, “password1” is at 207, “PASSWORD” is at 710, and “Password1” checks in at 2968.

In Top of the Pops fashion (for those of you who are old enough), here’s the current top 20:

As for the relative ease with which a computer can guess a random string as opposed to a well-crafted passphrase (see more on using these below), XKCD tells that story better than we could.

We don’t do what we’re told, and that can cause big problems

No matter how many times people are told never to use the same password across many sites and services, most still do just that. It’s human nature to take the quickest and easiest option, and the one that means we won’t forget our passwords and get locked out.

When dxw cyber carries out attack simulations, we search published data breaches for details of known users to help us identify the passwords they use to log into other places. When we find their passwords, we try them out against their accounts in the system we’re targeting.

During a recent attack simulation, this simple password lookup — that requires no technical skills at all — gave us access to the entire system at the highest possible level.

So what’s the good news (or help, what should I do now)?

Once you understand how people interact with a system, and the reasons why the rules don’t result in the right kind of behaviour, you can take a different approach.

Some tips for individuals

As an individual you should:

  • swap passwords for passphrases: combinations of meaningful words in a string. They are easier to remember than complex character strings and, if they are long enough, harder to crack. You can generate these with online tools like this one, inspired by XKCD. We definitely recommend this approach to ensure the phrases are truly random
  • use a password manager: these are applications that act like a secure vault, where you can store all your logins and passwords. Most will also generate passphrases for you when creating a new login or updating an old one. Speaking of which, you should also…
  • update all your logins with randomly generated passphrases: this might take you a bit of time, but it’s worth it. Start with the most sensitive things like email, financial and medical accounts, and update the others when you use them

Some tips for businesses

As a business, you should:

  • update your password policy and systems so people can use passphrases. Many policies require symbols and numbers, which do little to guarantee security (as we explained above)
  • select a suitable password manager for your staff, and train them in how to use it
  • once the policies and tools are in place, make sure all users update their passwords. If you have lots of users, we recommend you do this gradually
  • read the National Cyber Security Centre’s guidance on updating your approach to your password policy


Finally, as an individual or a business, you should always enable two-factor authentication (2FA) when it’s available.

2FA means you need to provide two ways of proving your identity. It’s used all the time by organisations like banks, for example, to take money from a cash machine, you need the card and your PIN. To log into your online banking application, you need your account details and a one-use time-limited code, generated by a custom gadget or sent by text.

Once you’ve done all that, we probably won’t know your password (but you still need to watch out for phishing).

A passwordless future

Humans are not good at passwords, but computers are. So maybe the long-term solution is to get rid of passwords and replace them with stronger ways of proving your identity, such as passwordless “magic” links or QR codes. We also expect to see an increasing use of standards like WebAuthn, which can be used to help prove your identity at the touch of a button, while also protecting you from phishing attacks.

We’ll blog more about this soon.

P.S. If you want to hear directly from Glyn Wintle, our CTO, about all things password related, here’s his talk at Ignite London 7.

Share this


techUK has taken a look at the recently published Centre for Data Ethics and Innovation @CDEIUK interim report on o… https://t.co/ZhhkfRV1VN
We are pleased to welcome all our new Board members. Tara McGeehan @CGI_UKNEWS comments on her appointment. You can… https://t.co/EJqRJVj3Hr
In this @Forbes⁩ article, @ctowersclark speaks to our President @JdR_Tech about how an automated future can include… https://t.co/BSbOjPq1EU
techUK has explored the recently published Centre for Data Ethics and Innovation @CDEIUK interim report on algorith… https://t.co/sFWejzNwZE
Julian David (@techUKCEO), techUK's CEO, comments on the appointment of Boris Johnson as the new Prime Minister. Re… https://t.co/GRjAEgx90e
techUK has published the response to its letter to the Conservative Leadership candidates outlining its priorities… https://t.co/eBo95r33lP
📩Keen to hear from @techUK on all things Skills & Diversity? Then subscribe to our newsletter Thrive! Thrive explo… https://t.co/43evcROapL
Become a Member

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...