Recently, password files from several social media systems, including LinkedIn, Twitter, and MySpace, have reportedly been hacked and made available. And despite all the warnings about good password hygiene, bad passwords still abound.

When it comes to senseless passwords, it appears that no one is immune. Even tech CEOs like Facebook’s Mark Zuckerberg and Oculus’ Brendan Iribe have been outed for bad password practices—Zuckerberg for using “dadada” and Iribe for using a four-year-old MySpace password, reports the BBC. (To add insult to injury, not only is “dadada” bad, but it is apparently an old password that Zuckerberg was still using.)

Looking at the most used passwords from some highly trafficked social media sites seems to indicate that a lack of creative thinking helps people generate weak passwords that even a novice hacker could figure out. So, what exactly is the type of password that can be easily hacked?

A 2012 LinkedIn password file, with 167 million accounts, listed its most popular passwords:

123456 (753,305 instances among the breach)

Linkedin (172,523)

Password (144,458)

123456789 (94,314)

12345678 (63,769)

111111 (57,210)

1234567 (49,652)

Sunshine (39,118)

Qwerty (37,538)

654321 (33,854)

A 32 million entry password file from Twitter was also released, with similar results:

123456 (120,417 instances)

123456789 (32,775)

Qwerty (22,770)

Password (17,471)

1234567 (14,401)

1234567890 (13,799)

12345678 (13,380)

123321 (13,161)

111111 (12,138)

12345 (11,239)

(Even MySpace also lost a password file in 2013, reportedly with 360 million entries. No word on what their most popular passwords were.)

In some cases, the issue is related to a hacking group called OurMine, which allegedly obtained stolen password files for social media services, looked for celebrities, then tried those same passwords on other social media services. But in reality, all of us—famous or not—are vulnerable to security breaches of our online accounts and it’s up to us to be diligent about protecting our online data.

Yet even when we try harder to come up with better passwords, we aren’t very good at it, writes Nikhil Sonnad in Quartz. “To make a ‘strong’ password that they won’t forget, people fall back on common behaviors,” he writes. “Take a normal and uncommon word, like ‘lighthouse.’ Capitalize the first letter. Replace letters with similar-looking numbers. Put a symbol at the end. That might give you Lighth0us3!. This will pass all of those ‘password strength’ tests that you see when signing up for a new service. Problem is, a short word with such predictable alterations is trivial to crack. “

Microsoft is taking it a step further and is starting to ban stupid passwords. The company has created a dynamically updated banned list of the passwords it sees people using to try to break in. If you’re changing your password, and you try to use one of these words, Microsoft software will instruct you to pick a password that’s harder to guess.

While we’d all like to think that somehow, someday, everyone would have impregnable security that would prevent passwords from getting stolen, ever, that’s probably unrealistic. Instead, the best you can do is protect yourself from such a situation when—not if—it arises.

How can you do that? Aside from not using simple passwords, here are some other standard tips for good password hygiene:

Some researchers are going so far as to suggest that people use poems to help remember passwords. They’ve even developed a poem-password generator to help. While it might seem that actual words are easier to crack (and even the poems won’t help for sites that require special characters in the passwords), apparently it’s the combination of the words that makes the passwords more secure, the researchers write.

Beyond that, though, vendors and organizations are beginning to look at security systems beyond passwords, such as biometric systems like fingerprints and retinal scans, and perhaps even selfies. A recent study by Lawless Research, Beyond the Password: The Future of Account Security, found that 36 percent of companies foresee that they will do away with passwords in 1 to 4 years, and another 36 percent predict they will no longer use them in 5 to 9 years. In addition, 76 percent of companies said they had implemented or plan to implement behavioral biometrics, such as recognizing you by how you type: 22 percent are already using the technology and 54 percent plan to implement behavioral biometrics in 2016 or later

“In possibly just a few years, passwords will be just one part of a larger continuum of security measures that include chip-and-PIN tools on your credit card, iris scans, facial recognition, and much more,” writes Dan Seitz in Uproxx.

But until that era arrives, it’s up to us to keep dreaming up indestructible passwords.



