How to create and remember a strong password

Most attackers don't bother with sophisticated methods of stealing passwords. They take combinations that are easy to guess. About 1% of all currently existing passwords can be guessed in four attempts.

The Lifehacker Telegram channel contains only the best texts about technology, relationships, sports, cinema and much more. Subscribe!

Our Pinterest contains only the best texts about relationships, sports, cinema, health and much more. Subscribe!

How is this possible? Very simple. You try the four most common combinations in the world: password, 123456, 12345678, qwerty. After such a passage, on average, 1% of all “caskets” are opened.

Let's say you are one of those 99% of users whose password is not so simple. Even then, the performance of modern hacking software must be taken into account.

John the Ripper is a free and publicly available program that can check millions of passwords per second. Some samples of specialized commercial software claim a capacity of 2.8 billion passwords per second.

Initially, hacking programs run through a list of the statistically most common combinations, and then turn to the full dictionary. User password trends may change slightly over time, and these changes are taken into account when updating these lists.

Over time, all sorts of web services and applications decided to forcefully complicate passwords created by users. Requirements have been added, according to which the password must have a certain minimum length, contain numbers, uppercase and special characters. Some services take this so seriously that coming up with a password that the system would accept takes a really long and tedious time.

The key problem is that almost any user does not generate a password that is truly resistant to guessing, but only tries to meet the minimum requirements of the system for the composition of the password.

The result is passwords in the style password1, password123, Password, PaSsWoRd, password! and incredibly unpredictable [email protected]

Imagine you need to change spiderman's password. Most likely he will look like $pider_Man1. Original? Thousands of people will change it using the same or very similar algorithm.

If the attacker knows these minimum requirements, then the situation only gets worse. It is for this reason that the imposed requirement to make passwords more complex does not always provide better security, and often creates a false sense of increased security.

The easier the password is to remember, the more likely it is to end up in the dictionaries of cracking programs. As a result, it turns out that a truly secure password is simply impossible to remember, which means it needs to be recorded somewhere.

According to experts, even in this digital age, people can still rely on a piece of paper with passwords written on it. It is convenient to keep such a sheet in a place hidden from prying eyes, for example in a purse or wallet.

However, a sheet of passwords does not solve the problem. Long passwords are not only difficult to remember, but also difficult to enter. The situation is aggravated by virtual keyboards on mobile devices.

Interacting with dozens of services and sites, many users leave behind a string of identical passwords. They try to use the same password for every site, completely ignoring the risks.

In this case, some sites act as a nanny, forcing you to complicate the combination. As a result, the user simply cannot remember how he had to modify his standard single password for this site.

The scale of the problem became fully realized in 2009. Then, due to a security hole, a hacker managed to steal the database of logins and passwords for RockYou.com, a company that publishes games on Facebook. The attacker placed the database in the public domain. In total, it contained 32.5 million records with usernames and passwords for accounts. Leaks have happened before, but the scale of this particular event showed the whole picture.

The most popular password on RockYou.com was 123456, used by almost 291,000 people. Men under 30 more often preferred sexual themes and vulgarity. Older people of both sexes often turned to one or another cultural area when choosing a password. For example, Epsilon793 doesn't seem like such a bad option, except this combination was in Star Trek. The seven-digit 8675309 has been seen many times because it was featured in one of Tommy Tutone's songs.

In fact, creating a strong password is a simple task; all you need to do is create a combination of random characters.

You won't be able to create a perfectly random mathematical combination in your head, but you don't have to. There are special services that generate truly random combinations. For example, random.org can create passwords like this:

mvAWzbvf;
83cpzBgA;
tn6kDB4T;
2T9UPPd4;
BLJbsf6r.

This is a simple and elegant solution, especially for those who use a password manager.

Unfortunately, most users continue to use simple, weak passwords, even ignoring the “different passwords for each site” rule. For them, convenience is more important than safety.

Situations in which the security of a password may be at risk can be divided into 3 broad categories:

Random , in which a person you know tries to find out the password, based on information about you known to him. Often, such a burglar just wants to play a joke, find out something about you, or play dirty tricks on you.
Mass attacks , when absolutely any user of certain services can become a victim. In this case, specialized software is used. The least secure sites are selected for the attack, allowing multiple password variations to be entered in a short period of time.
Targeted , combining the receipt of guiding hints (as in the first case) and the use of specialized software (as in a mass attack). Here we are talking about trying to get truly valuable information. The only way to protect yourself is with a long enough random password, which will take time comparable to the length of your life to select.

As you can see, absolutely anyone can become a victim. Statements like “they won’t steal my password because no one needs me” are not relevant, because you can get into a similar situation completely by accident, by coincidence, without any apparent reason.

Those who have valuable information, are involved in business, or are in conflict with someone on financial grounds (for example, division of property during a divorce, competition in business) should take password protection even more seriously.

In 2009, Twitter (in the understanding of the entire service) was hacked only because the administrator used the word happiness as a password. A hacker picked it up and posted it on the Digital Gangster website, which led to the hijacking of Obama, Britney Spears, Facebook and Fox News accounts.

Acronyms

As in any other aspect of life, we always have to make a compromise between maximum security and maximum convenience. How to find the golden mean? What password generation strategy will allow you to create strong combinations that you can easily remember?

At the moment, the best combination of reliability and convenience is to convert a phrase or phrase into a password.

A set of words is selected that you always remember, and the password is a combination of the first letters of each word. For example, May the force be with you turns into Mtfbwy.

However, since the most famous ones will be used as initial phrases, programs will eventually add these acronyms to their lists. In fact, an acronym contains only letters, and therefore is objectively less reliable than a random combination of symbols.

The correct choice of phrase will help you get rid of the first problem. Why turn a world-famous expression into an acronym password? You probably remember some jokes and sayings that are relevant only among your close circle. Let's say you heard a very memorable phrase from a bartender at a local establishment. Use it.

And it’s still unlikely that the acronym password you generate will be unique. The problem with acronyms is that different phrases can consist of words that start with the same letters and are arranged in the same sequence. Statistically, in various languages, there is an increased frequency of certain letters appearing as word starters. Programs will take these factors into account, and the effectiveness of acronyms in the original version will decrease.

Selecting passwords of 12 characters or more

Author: NETMUX

What do I mean when I talk about cracking a password that is 12 or more characters long? I argue that with modern hardware, such as this "budget" setup, we can almost certainly decrypt a fast hash such as MD5, NTLM, SHA1, etc. in a reasonable amount of time. In practice, random selection of sequences of 8 or more characters in length is futile in the case of common hashing algorithms. When we touch on the peculiarities of the national language and human psychology (for example, the average English word is 4.79 characters long, and people prefer to use several words when creating passwords of 10 or more characters), then more interesting opportunities open up in terms of selecting such passwords. More details about various selection tools are described in the book Hash Crack.

Why are passwords 12 or more characters long vulnerable?

People who create passwords of 10 or more characters manually tend to use standard words and phrases. Why? Because remembering the password “horsebattery123” is much easier than “GFj27ef8%k$39”. Here we encounter an instinct to follow the path of least resistance, which, in the case of password creation, will persist until password managers become more widely used. I agree that a series of drawings dedicated to password strength has a right to life, but only in the case of slow hashing algorithms like bcrypt. This article will show examples of Combo attacks (when dictionary elements are combined) and Hybrid attacks (when brute force is added to a Combo attack) using the Hashcat utility, which will hopefully expand your arsenal. The examples below will demonstrate how an attacker can effectively brute force the keyspace and crack passwords that at first glance appear to be strong.

Combo and Hybrid attacks

Combination attack ( Combo) : all elements from two dictionaries are combined.

Example Input data: dictionary1.txt dictionary2.txt Password combinations: pass => password, passpass, passlion word => wordpass, wordword, wordlion lion => lionpass, lionword, lionlion

Hybrid attack ( Hybrid) : is a dictionary attack mixed with combinations generated according to a specific pattern.

Example Input data: dictionary.txt ?u?l?l Password combinations: pass => passAbc, passBcd, passCde word => wordAbc, wordBcd, wordCde lion => lionAbc, lionBcd, lionCde

Note 1: The password generation sequence is not entirely accurate and is given to describe the general idea.

Note 2: More detailed explanations are provided on the Hashcat website.

Combination attack

Let's consider a combination attack using a dictionary consisting of 10 thousand most common words in descending order of popularity. The analysis was carried out using N-grams and frequency analysis based on the trillionth collection collected by the Google search engine.

Consider an example of two randomly selected words combined into a 16-character password, for example shippingnovember, and perform a combination attack on this password if the MD5 algorithm were used:

Example hashcat -a 1 -m 0 hash.txt google-10000.txt google-10000.txt

When trying all the combinations of words connected to each other using modern hardware, the password is cracked in less than one second. When working with other, slower algorithms, the password is also selected in a reasonable time.

Figure 1: Time to guess the shippingnovember password using a combination attack

Critics may argue that if you capitalize each word at the beginning or add a number or special character, then the new password (for example, ShippingNovember) will be more stable. Let's test this theory in practice and combine the google-10000 dictionary into a single large array of passwords using the combinator.bin utility, which will allow us to combine the resulting words in combination with the rules.

Example combinator.bin google-10000.txt google-10000.txt > google-10000-combined.txt

Now that we have a dictionary of combinations, we add rules to guess the modified password (ShippingNovember).

Example hashcat -a 0 -m 0 hash.txt google-10000-combined.txt -r best64.rule

Figure 2: ShippingNovember password guessing time using a dictionary of combinations and rules

The new password was decrypted in 28 seconds. In a similar way, rules are added to take into account special characters, different locations of combinations, and so on. I think you get the point.

3 word passwords

Using the created dictionary of combinations, we will try to find a password of three words, for example “securityobjectivesbulletin”, using a combination attack.

Example

hashcat -a 1 -m 0 hash.txt google-10000-combined.txt google-10000.txt

Figure 3: Password guessing time securityobjectivesbulletin

A similar password with the addition of other characters will be cracked a little slower. Are you catching a trend?

4 word passwords

Now let's look at cracking four-word passwords (example: "sourceinterfacesgatheredartists"). In this case, the key space increases to 10,000,000,000,000,000 candidates, but in the end the selection takes a reasonable time. Mainly because the MD5 algorithm is used. We create a new dictionary of combinations and carry out a combination attack using Hashcat.

Example hashcat -a 1 -m 0 hash.txt google-10000-combined.txt google-10000-combined.txt

Figure 4: Password guessing time sourceinterfacesgatheredartists

The search process using modern hardware could take 4 days, but the correct candidate was found within 5 hours 35 minutes. Adding numbers or special characters would make the password beyond our reach, but using only four random words makes the password vulnerable.

Hybrid attack

Hybrid attacks require more resourcefulness, but when the right pattern is found, the find becomes akin to a gold bar. A particularly unforgettable experience comes from scrolling through decrypted passwords in the terminal.

Google dictionary attack-10000 + mask

In the first example, we will use the same dictionary of the 10 thousand most common words as the basis for generating candidates for the search. Then we will use the PACK (Password Analysis and Cracking Kit) and the hashesorg251015.txt dictionary from weakpass.com. I chose this particular dictionary because of its high success rate and relatively small size. We will study the hashesorg dictionary and, based on the results of the analysis, we will create masks based on the most popular passwords, limited to a certain set of characters. These masks will be used at the beginning and end of base words from the google-10000.txt dictionary.

Example

First, we will generate statistics on masks based on passwords 5-6 characters long and write the results to a separate file (note that the generation process may take some time).

python statsgen.py hashesorg251015.txt —minlength=5 —maxlength=6 —hiderare -o hashesorg_5or6.masks

Then we convert the masks into Hashcat format (.hcmasks file) for subsequent use in hybrid attacks.

python maskgen.py hashesorg_5or6.masks --optindex -o hashesorg_5or6.hcmask

Further, in mode 6, a dictionary and a set of masks are specified as parameters. The search algorithm will look like this: take the first mask and combine it with each word from the dictionary, then the second mask, the third, and so on until the entire list of masks ends. Some attacks can end very quickly, others take a little longer. During testing we will select the password “environmentsqaz472”

Example hashcat -a 6 -m 0 hash.txt google-1000.txt hashesorg_5or6.hcmask

Figure 5: Password brute-force time environmentsqaz472

The selection took about 20 minutes. First we got to the mask ?l?l?l?d?d?d, and then within 14 we cracked the password.

Dictionary-based attack Rockyou + Rockyou -1-60. hcmask

Now let's use the set of masks that comes with the Hashcat utility and is generated based on passwords from the Rockyou set. This set of masks is divided into separate portions, which increase in size as the range of numbers increases. The size, as I assume, increases due to the percentage of passwords on the basis of which a specific portion of masks is generated. We will use a file named rockyou-1-60.hcmask, since it contains the most popular masks that have proven themselves in hybrid attacks. We will combine this set of masks with passwords from the Rockyou dictionary. For other dictionaries, be careful not to use files that are too large. Otherwise the attack will take TOO long. I usually use dictionaries that are less than 500 MB in size (or even smaller) and add masks at the beginning and end of words. Take a random password “sophia**!” from the Rockyou dictionary and add a random date “1996” to the beginning. As a result, we get the password 1996sophia**!. During tests, each mask will be combined with an element of the Rockyou dictionary.

Example hashcat -a 7 -m 0 hash.txt rockyou-1-60.hcmask rockyou.txt

Figure 5: Password guessing time 1996sophia**!

During the search, after a few minutes it came to the mask ?d?d?d?d. This example is shown to demonstrate the process and effectiveness of hybrid attacks. The rockyou-1-60.hcmask file contains 836 masks generated based on the most common passwords from the rockyou.txt dictionary. If this set is not enough for you, Hashcat comes with all the masks generated based on the remaining passwords.

First 5 characters + mask

Now let's create a new dictionary and a set of masks. We already know that the average English word takes 4.79 characters, so we will create a dictionary containing elements of no more than 5 characters. This dictionary will be generated based on the rockyou.txt file, where the first 5 characters will be cut off for each element. Next, duplicates are removed, and the resulting list is sorted and placed in the file first5_dict.txt. The resulting dictionary takes up 18 MB, which is too small to attack the fast MD5 algorithm, but quite acceptable for a slower hash.

Example cut -c 1-5 rockyou.txt | sort -u > first5_dict.txt

We will then combine elements from the first5_dict.txt dictionary and the masks from the rockyou-1-60 file that comes with Hashcat. Some candidates will be less than 12 characters, but you can exclude masks that are less than 7 characters long and create a new file with a .hcmask extension. Again, take the random Alty5 password from the first5_dict.txt file and add a random sequence of numbers 9402847. As a result, we get the password Alty59402847.

Example hashcat -a 6 -m 0 hash.txt first5_dict.txt rockyou-1-60.hcmask

Figure 6: Password guessing time Alty59402847

This attack is especially effective against users who like passwords where a common word is combined with numbers for randomization purposes. A similar password is selected within 30 minutes.

Direct mask attack on a password of 12 or more characters

I understand that this type of attack is not a hybrid one, but, nevertheless, using 12 character masks or more still gives results, especially if you use the PACK utility. An attack on a password encoded with a specific hashing algorithm can be planned to last 1 day (86400 seconds), taking into account the speed of the hardware. First, you need to measure the search speed, based on the capabilities of your hardware, using the hashcat -b -m #type command directly in the terminal. Let's quickly look at creating masks to attack passwords 12-15 characters long using the PACK utility. To generate masks, we will again use the rockyou.txt dictionary, but first we will evaluate the speed of searching through md5 hashes.

Example (md5) hashcat - b - m 0 Figure 7: Estimated speed of searching md5 hashes

Based on the testing results, it turned out that the search speed is 76,000,000,000 keys per second. Next, we create a set of masks based on the rockyou.txt dictionary using the PACK utility.

Example python statsgen.py rockyou.txt -o rockyou.masks

Now we create a hcmask file, with the help of which some passwords 12-15 characters long will be searched within 1 day (86400 seconds).

Example

Figure 8: Procedure for selecting passwords using a mask

We can then launch a series of mask attacks using the rockyou_12-15.hcmask file to brute force the md5 hashes. Intermediate searches will be completed after 1 day.

Example hashcat -a 3 -m 0 hash.txt rockyou_12-15.hcmask

Conclusion

As you can see, passwords that are 12 characters long are not that invulnerable. It just takes a little cunning and creativity to come up with the right brute force strategy. Also, don't assume that if the password is more than 11 characters that your favorite online service will hash everything correctly. Thanks to Yahoo. I hope the examples above have convinced you that passwords need to be a little more complex than just a combination of random lowercase words. For more evidence, see my friend Troy Hunt's article. If you're smart enough, you'll start using a password manager app like 1Password or Keepass to generate and store passwords. In addition, I would like to mention the Dumpmon microblog, where you can search for hashes for research purposes.

Finally, I would like to quote the following quote: “A successful cyber general performs a lot of calculations in the terminal before starting to penetrate the system” ( Cyber Sun Tzu ).

Reverse method

The solution may be the reverse generation method. You create a completely random password in random.org, and then turn its characters into a meaningful, memorable phrase.

Often services and sites give users temporary passwords, which are those perfectly random combinations. You'll want to change them because you won't be able to remember them, but if you look a little closer, it becomes obvious that you don't need to remember the password. For example, let's take another option from random.org - RPM8t4ka.

Although it seems meaningless, our brain is capable of finding certain patterns and correspondences even in such chaos. To begin with, you can notice that the first three letters in it are uppercase, and the next three are lowercase. 8 is twice (in English twice - t) 4. Look a little at this password, and you will definitely find your own associations with the proposed set of letters and numbers.

If you can memorize meaningless strings of words, then use it. Let the password turn into revolutions per minute 8 track 4 katty. Any conversion that your brain is better suited for will do.

A random password is the gold standard in information security. It is by definition better than any human-created password.

The disadvantage of acronyms is that over time, the spread of such a technique will reduce its effectiveness, and the reverse method will remain just as reliable, even if all people on earth use it for a thousand years.

A random password will not be included in the list of popular combinations, and an attacker using a mass attack method will only find such a password using brute force.

Let's take a simple random password that takes into account upper case and numbers - that's 62 possible characters for each position. If we make the password just 8 digits, we get 62^8 = 218 trillion options.

Even if the number of attempts within a certain time period is unlimited, the most commercial specialized software with a capacity of 2.8 billion passwords per second will spend an average of 22 hours trying to find the right combination. To be sure, we add only 1 additional character to such a password - and it will take many years to crack it.

A random password is not invulnerable, as it can be stolen. There are many options, ranging from reading input from a keyboard to a camera over your shoulder.

A hacker can attack the service itself and obtain data directly from its servers. In this situation, nothing depends on the user.

General traditional advice

Before moving on to the original methods of creating and remembering a password, we’ll talk about well-known tips:

The password must be at least 12 characters long. It's no secret that the larger the password, the more difficult it is to crack. A password of at least 12 characters will reliably protect your accounts from any attacks by hackers.
Use numbers, symbols, capital letters. Brute force utilities will find a password like “catsanddogs” relatively quickly, but they won’t be able to cope with a password like “ [email protected] $123.”
Don't use words. Try to avoid using common dictionary words in your password. An incoherent set of letters is much more powerful than any specific word, even a long one.

We're done with the platitudes, let's move on to simple, effective and little-known methods.

Single reliable basis

So, we got to the main point. What random password tactics should you use in real life? From the point of view of balancing security and convenience, the “one strong password philosophy” will work well.

The principle is that you use the same basis - a super-secure password (its variations) on the services and sites that are most important to you.

Anyone can remember one long and complex combination.

Nick Berry, an information security consultant, allows this principle to be used, provided that the password is very well protected.

The presence of malware on the computer from which you enter the password is not allowed. It is not allowed to use the same password for less important and entertaining sites - simpler passwords will suffice for them, since hacking an account here will not entail any fatal consequences.

It is clear that a reliable foundation needs to be modified somehow for each site. As a simple option, you can add one letter at the beginning to end the name of the site or service. If we go back to that random password RPM8t4ka, then for Facebook login it will turn into kRPM8t4ka.

An attacker who sees such a password will not be able to understand how the password to your bank account is generated. Problems will start if someone gets access to two or more of your passwords generated this way.

Where to store passwords

An important question: how to store passwords. Passwords should not be easy targets, so you should be concerned about their safety.

If the user creates passwords themselves, then it is better to store them at home, and not on devices in the form of an unencrypted text file. In the event of a leak, all existing passwords will become compromised.

Write down the password on a separate piece of paper or in a notepad; store it not near the computer, but a little further away, for example, in a nightstand or in some folder. The chances that a thief will break into the house are low, because now the main danger lies in wait for the user on the Internet.

If a user uses a password manager, he should pay attention to the safety of the “Password Database” - one of the program elements. The password database is encrypted; an attacker will not be able to access it without entering the master password.

Some programs store password databases locally on the PC, for example, KeePass; other applications, for example, LastPass, save this data on a server on the Internet. Based on this, you need to take care of the safety of your password database.

More details:

KeePass - secure password storage
A secure password manager: what it looks like and what features it should have

Online solutions are more user-friendly in terms of comfort, and offline programs are more reliable in terms of security. Online password managers are synchronized between devices, and in offline applications, passwords are relevant after authorization on a specific device. Local safes are well suited for important passwords, such as those for online banking or payment services.

Serious problems may unexpectedly arise on your computer, causing you to urgently reinstall the operating system. In this case, you can lose all user data, including the password manager database.

In this case, it is necessary to create copies of the password database in advance, stored in different places: on a computer, in the cloud, on a USB flash drive, etc., or additionally use the function of backing up important data on a computer disk.

In this case, the password database will not be lost due to force majeure. Do not forget to copy the original database after making changes to it: adding new passwords.

Secret Question

Some hijackers ignore passwords altogether. They act on behalf of the account owner and simulate a situation where you forgot your password and want to recover it using a security question. In this scenario, he can change the password at his own request, and the true owner will lose access to his account.

In 2008, someone gained access to the email of Sarah Palin, the governor of Alaska, and at that time also a candidate for US president. The burglar answered the secret question, which sounded like this: “Where did you meet your husband?”

After 4 years, Mitt Romney, who was also a candidate for US President at that time, lost several of his accounts on various services. Someone answered the security question about the name of Mitt Romney's pet.

You've already guessed the point.

You cannot use public and easily guessable data as a secret question and answer.

The question is not even that this information can be carefully extracted from the Internet or from close associates. Answers to questions in the style of “animal name”, “favorite hockey team” and so on are perfectly selected from the corresponding dictionaries of popular options.

As a temporary option, you can use the tactic of an absurd response. Simply put, the answer should have nothing to do with the security question. Mother's Maiden Name? Diphenhydramine. Pet name? 1991.

However, such a technique, if it becomes widespread, will be taken into account in the relevant programs. Absurd answers are often stereotypical, that is, some phrases will appear much more often than others.

In fact, there is nothing wrong with using real answers, you just need to choose the question wisely. If the question is non-standard, and the answer to it is known only to you and cannot be guessed after three attempts, then everything is in order. The benefit of a truthful answer is that you won't forget it over time.

How to set a password on a PC

Is it possible to set a password for VK on a computer? To do this, you will have to password-protect the entire system. Thus, no one will have access not only to VK correspondence, but also to other data on the PC. To restrict access to Windows, follow the instructions:

Go to Control Panel by clicking on the "Start" button in the bottom left panel.
Click on the "Accounts" section.

From the list that appears, select Sign-in Options.
Click on the create password button.
To put a password on VK on your computer, create one and confirm the action.

Now, every time you start, the operating system will require you to enter a key to log in. Accordingly, your correspondence in VK will be reliably protected.

System settings are the easiest way to set a password for VK on a PC. But there are also special programs that do not allow you to enter the site if the key is not entered. Such software includes the effective Kinder Gate utility. You can download and install it for free, after which you can enter the social network address through its settings and create a password.

Add-ons for browsers, such as: EXE Password, LockPW Free or Set password for your browser, also allow you to set a password for VK in the browser. Through the plugin settings, you should specify the path to the .exe file of the browser you are using. After this, when you start the program, a window will be displayed where you need to enter the necessary data.

If you are not the only one using the computer, then it is better to check the box next to the “Someone else’s computer” option when logging into a social network. You should also not store data in the browser cache. If it asks whether to save credentials in a pop-up window, always refuse.

Browser extensions

How to set a password only for a dialogue in VK? For this, there are special plugins for the browser that expand its capabilities. Using the most popular VK-Helper extension as an example, let’s look at how to use it:

Download and install the plugin. You can find it in the Google extension store.
After installation, the extension icon will be displayed in the top bar of the browser. Click on it.
Select "Settings" from the drop-down menu.
Find the “Set password” function among the options. Come up with it and confirm the action.

After the manipulations have been completed, when you try to open any correspondence in VK, a special window will appear that will require you to enter a password. Otherwise, you won’t be able to get into the dialogue.

Personal Identification Number (PIN) is a cheap lock to which our money is entrusted. No one bothers to create a more reliable combination of at least these four digits.

Now stop. Right now. Right now, without reading the next paragraph, try to guess the most popular PIN code. Ready?

Nick Berry estimates that 11% of the US population uses the combination 1234 as a PIN code (where it is possible to change it yourself).

Hackers do not pay attention to PIN codes because without the physical presence of the card the code is useless (this can partly justify the short length of the code).

Berry took lists of passwords that appeared after leaks on the network, which were combinations of four numbers. Most likely, the person using the password 1967 chose it for a reason. The second most popular PIN is 1111, with 6% of people preferring this code. In third place is 0000 (2%).

Let's assume that a person who knows this information has someone's bank card in his hands. Three attempts before the card is blocked. Simple math allows you to calculate that this person has a 19% chance of guessing the PIN if he enters 1234, 1111 and 0000 in sequence.

This is probably why the vast majority of banks set PIN codes for issued plastic cards themselves.

However, many protect smartphones with a PIN code, and here the following popularity rating applies: 1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010.

Often the PIN represents a year (year of birth or historical date).

Many people like to make PINs in the form of repeating pairs of numbers (and pairs where the first and second digits differ by one are especially popular).

Numeric keyboards of mobile devices display combinations like 2580 at the top - to type it, just make a straight pass from top to bottom in the center.

In Korea, the number 1004 is consonant with the word "angel", which makes this combination quite popular there.

How to come up with a login

No registration on the site takes place without using a login. Login is a set of characters (letters or numbers) indicating your name on the network. The login is entered along with the password for further authorization. You need to approach the selection of a login thoroughly.

If the login will be used for work, it is advisable to indicate your real first and last name (Petr-Ivanov, Petr_Ivanov, Petr.Ivanov). Is this login already taken? Add a middle name. And this option is not available? Attach the name of the profession to the name, possibly in abbreviated form. For example: Alexei-Pirogov-PR, Vasiliy-Toropov-photo.

If you need a login for personal purposes, you can:

Come up with a login using your favorite word or phrase, the name of a famous person, character, or the name of a musical group.
Think about your hobbies and come up with a login based on your preferences in the world of art and technology.
Create a login from words of any foreign language.
Use the mirror method and print the name backwards.
Use the login generator.