Password Formulas Don’t Fool Hackers


Every time we write about passwords on Lifehacker, a few readers share their secret formula for creating passwords. According to Ryan Merchant, senior manager at the password manager Dashlane, those formulas are easy to hack.

Dashlane recently analyzed 61 million passwords from years of large data breaches—passwords that are available to many security researchers, hackers, and even the public. Dashlane’s biggest takeaway is that people aren’t very original. Not even the ones using formulas.

Among the obvious common passwords like iloveyou, ferrari, and starwars, Dashlane found common formulas like “password walking,” which involves hitting adjacent keys to create what might look random, but is in fact incredibly guessable. “Walking” passwords include 1q2w3e4r, zaq12wsx, and !qaz@wsx. These are common enough that hackers might include them in “dictionary attacks” against random accounts.

Maybe, like one Lifehacker reader, you “use a formula based on the name of the website.” You’re still in danger, says Merchant: “If [a hacker] knows somebody’s ‘base password,’ it’s not that difficult to predict what the variations of that are going to be.” That is especially true because hackers know the password requirements for each site. So when one of your formula passwords is exposed, they can all be exposed. If you just slap “tidder” at the end of your Reddit password, a hacker knows to add “koobecaf” to your Facebook password. Hackers can also guess which symbols you might replace with other symbols: letters and numbers might turn into punctuation marks. Changing every i to !, rebus style, won’t fool them.
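The two formula patterns described above, “password walking” and site-name variations on a base password, are easy to catch with a policy check before a password is ever accepted. The following Python is an added example written for this article, not code from Dashlane or Lifehacker; it assumes a simplified US QWERTY grid (row stagger ignored) and picks its own thresholds, and it only undoes a handful of common rebus-style substitutions before looking for the site name.

```python
"""Flag two password formulas: keyboard walks and site-name-derived
variations of a base password.  Added example, not Dashlane's or
Lifehacker's code.  The keyboard model and thresholds are assumptions."""

from typing import Dict, List, Optional, Tuple

# Approximate US QWERTY layout as (row, column) coordinates.  Assumption:
# the stagger between rows is ignored, so two keys are "adjacent" when
# they are within one row and one column of each other in this grid.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS: Dict[str, Tuple[int, int]] = {
    ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)
}
# Shifted number-row symbols map back to the key that produces them, so
# "!qaz@wsx" is treated as the walk "1qaz2wsx".
_SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))
# Rebus/leet substitutions undone before the site-name check (e.g. i -> !).
_LEET = str.maketrans({"!": "i", "@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def _key(ch: str) -> Optional[Tuple[int, int]]:
    """Grid position of the key that types `ch`, or None if off the grid."""
    ch = ch.lower()
    return _POS.get(_SHIFTED.get(ch, ch))


def keyboard_walk_stats(password: str) -> Tuple[int, float]:
    """Return (longest run of neighbouring keys, fraction of keystroke
    transitions that land on a neighbouring key)."""
    best = run = 0
    adjacent = transitions = 0
    prev = None
    for ch in password:
        pos = _key(ch)
        if pos is None:            # space, hyphen, etc.: breaks any walk
            run, prev = 0, None
            continue
        if prev is None:
            run = 1
        else:
            transitions += 1
            dr, dc = abs(pos[0] - prev[0]), abs(pos[1] - prev[1])
            if (dr, dc) != (0, 0) and dr <= 1 and dc <= 1:
                adjacent += 1
                run += 1
            else:
                run = 1
        best = max(best, run)
        prev = pos
    frac = adjacent / transitions if transitions else 0.0
    return best, frac


def site_tokens(site: str) -> List[str]:
    """Site name, its reversal ("tidder"), and its consonant skeleton."""
    site = site.lower()
    toks = {site, site[::-1], "".join(c for c in site if c not in "aeiou")}
    return sorted(t for t in toks if len(t) >= 4)


def site_derived_token(password: str, site: str) -> Optional[str]:
    """First site-derived token found in the password after undoing leet."""
    norm = password.lower().translate(_LEET)
    for tok in site_tokens(site):
        if tok in norm:
            return tok
    return None


def check_password(password: str, site: str) -> List[str]:
    """Human-readable findings; an empty list means neither formula matched."""
    findings = []
    longest, frac = keyboard_walk_stats(password)
    # Thresholds are assumptions: a run of 5+ keys, or a password of 6+
    # characters where 75%+ of keystrokes move to a neighbouring key.
    if longest >= 5 or (len(password) >= 6 and frac >= 0.75):
        findings.append(f"keyboard walk (longest run {longest}, "
                        f"{frac:.0%} adjacent keystrokes)")
    tok = site_derived_token(password, site)
    if tok:
        findings.append(f"contains site-derived token '{tok}'")
    return findings


if __name__ == "__main__":
    # Sample inputs constructed for this example.
    for pw, site in [("1q2w3e4r", "reddit"), ("!qaz@wsx", "reddit"),
                     ("MyBase!koobecaf", "facebook"),
                     ("correct horse battery staple", "reddit")]:
        print(f"{pw!r:32} -> {check_password(pw, site) or 'ok'}")
```

The adjacency fraction matters because a walk like `!qaz@wsx` is really two short vertical runs joined by a jump back to the number row, so a longest-run rule alone would miss it. The check only covers the two formulas the article describes: a plain dictionary word such as `iloveyou` passes it, which is why a check against a breached-password list and a generated random password from a manager are still the real answer.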

So please, give up your formula and use a password manager, which will create genuinely random passwords for you and then remember them so you never have to learn them. You could use Dashlane; I personally like 1Password. We’ve listed our five favorite password managers here. I’ve even reviewed a newer, cuter option called RememBear.

You can’t stop accounts from getting breached; that’s up to the companies and organizations that store them. All you can do is contain the damage and make your passwords less guessable. The point of a password is to keep your data safe, not to make you feel clever.