The psychology of secure passwords


Passwords, in recent months, have been the source of much contention in cyber security, with the viability of conventional authentication methods under fire. Although a string of companies are bidding to remove passwords from the information security scene altogether, the reality is they’re still widely prevalent and likely to remain so. Most people lean on passwords to log into anything from personal email accounts to business-critical apps and services, so keeping them secure remains a paramount concern.

The threat of hackers cracking weak passwords, meanwhile, has only escalated in recent years. Not only has the spotlight been shone onto poor cyber security hygiene practices like password reuse, but a string of historic data breaches means many credentials are in circulation around the web. Although it’s difficult to avoid a cyber security horror story in today’s age, the unfortunate truth is the majority of people are prone to reverting to easy solutions when devising passwords. Astoundingly, for example, the most common password of 2021 was ‘123456’, which was used by more than 100 million individuals.

Insecure passwords have long been an issue, with cyber security expert Troy Hunt expressing alarm in 2011 that passwords generally tend to follow a similar trend. They’re relatively short (between six and ten characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). In the 11 years since, how much has actually changed? Not an awful lot, it seems, and businesses can’t risk their employees using short, simple and common passwords to access critical business systems. That’s where a password management tool, like Synology C2 Password, comes in to help us safeguard data with stronger access protections and password generation.

Guess my password

The state of password hygiene across society is poor – thanks, in large part, to the way our brains work and the limitations of our memory. Beyond ‘123456’, the most common passwords in the top five are ‘password’, ‘1234578’, ‘qwerty’ and ‘123456789’, according to WPengine. Examining the top 50 most-used passwords suggests number sequences are incredibly common. Whole words such as ‘dragon’, ‘football’, ‘monkey’ and ‘master’ are also leant on heavily.

It confirms what many of us may have assumed: that people often instinctively choose passwords that are easier to recall off the top of their head, rather than methodically choosing strong and complex passwords. There’s also the issue of password reuse. With so many passwords to remember, many people tend to just use the same one, or handful, across several user accounts. As a result, hackers wouldn’t need to employ the sophisticated brute-force cracking tools that are often warned about to break into user accounts; they can simply reach for a handful of short and simple go-to words or number sequences.

Another trick many people lean on to complexify a weak password is to tack a number onto the end of it. Of the ten million passwords WPengine analysed, 8.4% ended with a number between 0 and 99, with people perhaps thinking it was easier to remember than using a more complicated letter and number combination. Of those, more than 20% of people used ‘1’, suggesting convenience is the key priority.

When choosing whole words as passwords, many people rather predictably tend to pick words from categories such as colours, animals, or fruits, in addition to first names, superheroes or even days of the week. This, of course, makes the job that much simpler for cyber criminals hoping to break into user accounts that aren’t protected with a password management tool. Poor password hygiene, indeed, does most of the heavy lifting.
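The habits described in this section can be checked mechanically against a set of stored credentials. The following is an added example, not part of the original article or of any Synology product: a small Python audit that flags common passwords, keyboard and number sequences, a word with a number tacked on the end, short alphanumeric-only passwords, and reuse across accounts. The `COMMON` list holds only a few of the passwords quoted above, and the sample vault, account names and flag labels are constructed for illustration.

```python
import re
from collections import defaultdict

# A few of the passwords quoted in the article; a real audit would load a full list.
COMMON = {"123456", "password", "qwerty", "123456789",
          "dragon", "football", "monkey", "master"}
# Runs that number and keyboard sequences are cut from (assumed set, not exhaustive).
RUNS = ("0123456789", "9876543210", "qwertyuiop", "abcdefghijklmnopqrstuvwxyz")

def habits(pw):
    """Return the weak-password habits from the article that this password shows."""
    low = pw.lower()
    found = set()
    if low in COMMON:
        found.add("common-password")
    if len(low) >= 4 and any(low in run for run in RUNS):
        found.add("sequence")
    # A whole word with a number between 0 and 99 tacked onto the end.
    m = re.fullmatch(r"([A-Za-z]+)(\d{1,2})", pw)
    if m:
        found.add("word-plus-number")
        if m.group(1).lower() in COMMON:
            found.add("common-password")
    # Short and simple: ten characters or fewer, no non-alphanumeric character.
    if len(pw) <= 10 and pw.isalnum():
        found.add("short-alphanumeric")
    return sorted(found)

def audit(vault):
    """vault maps account name -> password; returns account -> list of findings."""
    accounts_by_password = defaultdict(list)
    for account, pw in vault.items():
        accounts_by_password[pw].append(account)
    report = {}
    for account, pw in vault.items():
        flags = habits(pw)
        if len(accounts_by_password[pw]) > 1:
            flags.append("reused")
        report[account] = flags
    return report

# Constructed sample vault (not real credentials).
SAMPLE = {"mail": "monkey1", "bank": "monkey1", "wiki": "123456",
          "vpn": "qwerty", "crm": "t7#Vq!zR2m^Lx9@dK4wP"}

if __name__ == "__main__":
    for account, flags in audit(SAMPLE).items():
        print(f"{account:5} {', '.join(flags) or 'no findings'}")
```
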

A modern remedy to age-old problems

How do we, collectively, move past the limits of our password-creating psychology? There are various methods to overcome poor password hygiene, including the National Cyber Security Centre (NCSC) recommendation to use three random words. Although the ‘three random word’ strategy is suited for use at both home and work, it might not be so simple for users to remember a few dozen different three-word combinations for the various apps, services and user accounts they’ll log in and out of on a daily basis.

Password reuse is, by far, the greatest risk with this strategy. While sensible on paper, most people will likely default to a handful of combinations and rotate as they see fit. Meanwhile, although two-factor authentication (2FA) might provide another barrier for cyber criminals, this isn’t entirely infallible and not all organisations offer such protective measures on every internal system.

Password managers are, by far, the most effective and simplest protective measure anyone can take when safeguarding their account credentials. The Synology C2 Password platform, in particular, is a shining example of a robust and free password management tool fitted with a litany of capabilities that collectively serve as a modern remedy to age-old problems associated with passwords.

Synology C2 Password allows users to store their passwords in a bank alongside other sensitive material like banking information, addresses and passport details, while keeping everything organised using categories, favourites and tags. The platform is also accessible across a multitude of devices, so you can add an item on your primary work machine and access it from your tablet, for example. Saved credentials, too, are also automatically filled in at login screens.

The most important feature, however, is the password generation tool. Synology C2 Password automatically generates and securely stores passwords for your essential apps and services, so you don’t have to generate and remember a complex and uncrackable password for each one you access. The use of AES-256 encryption to safeguard all data also ensures the password data cannot be remotely accessed or intercepted; items are encrypted before they leave your device to be stored on C2 servers. The decryption key, moreover, is stored on your devices and never shared with Synology C2 servers.

Poor password hygiene is a growing spectre in the security world, with the most common habits people lean on when devising passwords a huge factor. However, using a free password management tool like Synology C2 Password could be the most effective way to counter the shortcomings of human psychology, and completely wipe out the prevalence of bad habits like using number sequences or common words when setting passwords, or reusing passwords across multiple accounts.
