As Christmas edges closer, decorations are out in full force and the holiday spirit is growing. But, how caught up do people really get? Specopssoft.com analyzed 800 million passwords from Specops Software’s Breached Password Protection database in order to reveal the most leaked Christmas-related passwords that are currently being unsafely used by millions of people.
Most commonly leaked Christmas-related passwords
After looking at millions of passwords that have been leaked, Specopssoft.com discovered that star is the least secure Christmas-related password. Although the number of times this password has been compromised cannot be released, star was found to be leaked 52 times more than jolly – the 15th most used Christmas-themed password.
The second most leaked Christmas-related password is angel, as lots of people use it to protect their accounts and data. Interestingly, angel was found to occur in 47 times more passwords than jolly. God is the third most used password, according to Specopssoft.com’s leaked password database. This word has been used 46 times more than the fifteenth-most used password, jolly.
In fourth, fifth, and sixth place are elf, Jesus and snow. Elf appears almost two times more than Jesus and Jesus is used seven times more than bell, which ranks in 12th. The word carol has been used very often by those looking to protect their data, placing it in seventh overall. In the leaked password database, Carol has been leaked eight times more than xmas – which places in 14th position.
Darren James, Product Specialist with Specops Software, commented on the findings: “With the winter holidays right around the corner, we asked our research team to dig into which holidays are most popular, we analysed over 800 million breached passwords to find out.”
Specops Software’s top tips for creating a strong password
The compromised password problem can be an expensive one. IBM recently reported the global average cost of a data breach in 2020 to be $3.86 million.
Three random words, also known as #thinkrandom, is an initiative from the NCSC to educate the general public on how to choose secure passwords that are still easy to remember. The initiative was introduced to undo years of security advice that told people to combine different character types when creating passwords. Research has since found that character complexity requirements failed to achieve what it set out to do – make passwords harder to crack. Its failure can be blamed on people following the same character composition patterns (i.e. capital letter to start, number at the end, replacing the letter s with $, etc).
2. Easy to guess passwords
The three random words initiative is designed to address billions of weak passwords that are easy to guess. This means that even without sophisticated password cracking techniques, hackers can come up with likely passwords to try on different accounts, either in a credential stuffing attack or in a targeted attack against an individual. Easy-to-guess passwords with multiple character types include: Liverpool#1, Pa$$word7, Spring2020!. Examples of three random words passwords provided by the NCSC include: coffeetrainfish, walltinshirt.
3. Falls short to brute force
Critics of the #thinkrandom advice often bring up the time needed to break a password hash in a brute-force attack. When comparing two 14-character long passwords, one with three random words and one randomly generated using multiple character types, the multiple-character type password will take longer to crack in a brute force attack. This article explains the math to back up the criticism and recommends a Password Manager as a solution to needing to remember so many randomly-generated passwords.
Proponents of the advice believe in providing tips that the general public can follow, in order to improve the security of passwords. While critics of the advice can point out the most sophisticated randomly-generated passwords and show how these are more secure, both are right, but they represent extremes of the password security spectrum. Is there a middle ground that uses easy-to-follow advice and combines this with another layer of protection?
4. Make three random words more secure
One way to improve the security of the three random words advice is to combine it with a password deny list of known compromised passwords. A compromised password deny list is designed to prevent a password dictionary attack, where a hacker uses a password list from a previous data breach to gain access to an account. The breached password deny list improves the security of the three random words passwords by blocking passwords that have appeared on previous data breaches. This way people can choose passwords that they can remember, and are also not published online for hackers to use.
Will this make it harder for people to choose three random words passwords? No, if people follow the advice and choose words at random, it will not be difficult to find passwords that do not appear on the compromised passwords list.
5. Make your password long enough
When it comes to making strong passwords, the single most important factor is the length of the password. As long as a password isn’t easily guessable by other means (e.g. use of common words, username, repeating characters) length is your best friend for mitigating brute force attacks.