
Lazy passwords increase your risk of fraud

Sienna Kossman

Those eight-to-10 character passwords you’ve created to protect your accounts aren’t as secure as you think, and fraudsters are cracking our log-in credentials now more than ever.

Weak passwords contributed to 31 percent of the security breaches investigated last year by cyber security vendor Trustwave, according to the 2014 Trustwave Global Security Report. Additionally, nearly half of all data thefts in 2013 involved non-payment-card data — such as personally identifiable information. That’s a 33 percent increase from the previous year.


Why? Because fraudsters know that when it comes to passwords, we’re actually pretty lazy.

Before you get defensive, think about all the online accounts you have — social media, banking, shopping, email — and compare the passwords. If you’re like the average consumer (myself included), you probably have more than a few accounts and devising a unique, complex password for each one seems like a huge hassle.

So you find something that you don’t need to scribble on your hand to remember and before you know it, you have a handful of accounts that share very similar, if not identical, passwords.

Trustwave found that 25 percent of usernames used the same password for multiple sites, and that the most common password is “123456.”

Social networking sites in particular are weak points of entry for hackers because they are used so heavily and people don’t want to struggle with logging in on a regular basis, according to Trustwave director Chris Pogue.

It might not seem like a big deal that your email and Facebook passwords are the same, but those types of accounts carry many pieces of personal information that help fraudsters breach even more of your accounts.

“There is a pretty good possibility that the password you use on social media will be very similar, if not the same, as the username and password you use in the business world, and on banking and financial sites,” Pogue said.

Even if the passwords aren’t exactly the same, it’s not hard for criminals to fill in the blanks. Passwords typically contain words and phrases drawn from easy-to-remember details of everyday life, such as a nickname, spouse’s name, favorite sports team or favorite food, all of which can likely be identified through social media networks or a simple Google search.

“If someone takes enough time to do a little online research, they can find out a lot about you and probably gather enough information to piece together your account passwords and secondary security question answers,” said Jeff Tjiputra, academic director for cyber security at University of Maryland University College. “And once you figure out one password, you visit other sites and try it out to see if it works there too. Access to a password can really lead to something much bigger.”

To combat repetitive and overly simplistic passwords, many companies have implemented two-factor authentication on their sites as an extra layer of fraud defense.

Two-factor authentication is a log-in process during which the user has to provide two pieces of identification in order to gain access, according to SearchSecurity. The first piece is usually a username and password combination and the second is a PIN or answer to a previously selected security question.

You may recall a few security questions when you established your online banking or credit card account. The questions are usually broad, inquiring about extended family members, childhood memories or historical events.

However, as bland and hard-to-guess as the questions may seem (after all, it’s not like the name of the hospital in which you were born comes up regularly in conversation), your account’s security is weakened if you pick the easiest questions with the easiest-to-remember answers.

And once hackers figure out one part, they can use it to get the others.

“A lot of people put their pet’s name on their Facebook, which is a common question answer,” Tjiputra said. “Security codes could be answered by looking around someone’s profile and then going to their bank and saying, ‘I forgot my password’ and reset the password using the new-found security code answer.”

To combat this, be careful about the question you select as your secondary layer of account security. Even though it may feel like a chore to remember, the more unusual and private you make your answer, the more secure your account will be.

If you want to break other weak password habits, security experts also recommend doing the following:

  • Add characters to your password. The longer it is, the longer it will take a hacker to break it. This could also discourage fraudsters from trying entirely, according to Guardian technology reporter Samuel Gibbs.
  • Use a mixture of numbers, lowercase and uppercase letters and punctuation characters to increase your password’s complexity.
  • Don’t use real words in your passwords because hackers tend to cycle through dictionary words first when attempting a breach. The Long Island University information technology department suggests using symbol substitutes for letters in a word, such as @ for the letter a and the number three for the letter e.
  • Use more numbers. The best passwords are randomly generated strings of 16 or more digits, according to Gibbs.
  • Last but not least, never use a password twice. A password manager, which stores all your passwords in one secure place, can help. You will only need to remember one password — for the password manager — which should, of course, follow all of the above recommendations.
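The five recommendations above, turned into a password checker and a generator, as an added example written for this page (it is not code from the article or from any of the sources it quotes). The policy values are assumptions: the 16-character minimum is taken from the “16 or more” figure attributed to Gibbs, and the common-password list, word list and substitution table are small constructed stand-ins for the far larger lists that password-cracking tools work from. The dictionary check undoes common symbol substitutions (@ for a, 3 for e and so on) before looking for a word, so a substituted word is still reported as a dictionary word; previously used passwords are compared by SHA-256 fingerprint so the checker never keeps them in clear, the way a password manager's reuse warning would.

```python
import hashlib
import math
import secrets
import string

# Policy minimum, taken from the "16 or more" figure quoted in the article (assumption).
MIN_LENGTH = 16

# Constructed stand-ins for the lists cracking tools try first; real lists are far larger.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "111111"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football", "letmein", "sunshine"}

# Symbol-for-letter substitutions of the kind the article mentions. The checker undoes
# them before the dictionary check, so "p@ssw0rd" is still treated as "password".
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "3": "e", "0": "o", "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"}
)

# The four character classes from the "use a mixture" recommendation.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "punctuation": string.punctuation,
}


def missing_classes(password):
    """Names of the character classes that do not appear in the password."""
    return [name for name, chars in CLASSES.items() if not any(c in chars for c in password)]


def search_space_bits(password):
    """log2 of the brute-force search space implied by length and classes used.
    This makes the "longer takes longer to break" point quantitative: every extra
    character multiplies the space by the size of the alphabet in use."""
    absent = missing_classes(password)
    alphabet = sum(len(chars) for name, chars in CLASSES.items() if name not in absent)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def contains_dictionary_word(password):
    """True if a word list entry appears once common substitutions are undone."""
    normalized = password.lower().translate(SUBSTITUTIONS)
    return any(word in normalized for word in DICTIONARY_WORDS)


def fingerprint(password):
    """Digest used only to detect reuse without storing earlier passwords in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, used_fingerprints=frozenset()):
    """Return the recommendations the candidate fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name in missing_classes(password):
        problems.append(f"no {name} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    elif contains_dictionary_word(password):
        problems.append("contains a dictionary word (even with symbol substitutions)")
    if fingerprint(password) in used_fingerprints:
        problems.append("already used for another account")
    return problems


def generate_password(length=MIN_LENGTH):
    """Random password with at least one character from every class, drawn from the
    secrets module (a CSPRNG) the way a password manager generates one."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cls) for cls in CLASSES.values()]  # one of each class
    alphabet = "".join(CLASSES.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # so the guaranteed characters are not always at the front
    return "".join(chars)


if __name__ == "__main__":
    # Constructed vault: one password already in use on another account.
    vault = {fingerprint("Correct-Horse-9Battery")}
    candidates = ["123456", "p@ssw0rd", "Fluffy031290", "Correct-Horse-9Battery", generate_password()]
    for candidate in candidates:
        problems = check_password(candidate, vault)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {search_space_bits(candidate):.0f}-bit search space; {verdict}")
```

Running the script prints one line per candidate: the dog-name-plus-birth-date password from the article's closing paragraph passes the length and class checks only if it is long enough, while “p@ssw0rd” is still reported as a dictionary word, and the generated 16-character string passes every check.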

So the next time you are prompted to create or change an account password, keep these things in mind.

The name of your dog plus your six-digit birth date might meet all the requirements for a new bank account password, but that doesn’t mean you should use it. Press delete and try again.
