Passwords, passwords, passwords.
They’re worth mentioning a few times on account of the fact that they are still so darn important.
Despite the advances in biometrics (fingerprints, vein scanning, smell detection, iris scanning, et al.), passwords are still as common as muck, a phrase that goes a long way toward explaining why they are so closely linked to the murkier personalities on the web.
The problem, as often discussed, is that we all need passwords. And probably a great many of them too. We live in an age of social media, i-this, i-that and having to sign up for accounts and unwanted newsletters in return for access. And that's just in our own time. When at work we need to remember a whole load more passwords too in order to access various systems and accounts.
So how do we cope with so many passwords?
Not too well would appear to be the answer.
Whilst a few people I know have discovered the benefits of a password manager (create complex passwords for all accounts, just remember one for the password management software itself), many others try to store all their login credentials in their head.
But they can’t.
So they forget all their tricky passwords and end up having to rely on a ridiculous number of password reset emails. Eventually, however, that all gets a bit tedious and boring, so what do they do? Well, they start using the same password for everything, merely adding different numbers on the end (sometimes). And, to make it even easier, the password they use has to be something incredibly easy to remember.
You know when there is a huge data breach and, a while after, someone puts out a dump of all the commonly used passwords? All of us who have anything to do with security have a chuckle right? I mean, who in their right mind uses “password” or “123456”?
You’d be surprised!
I won’t name names for obvious reasons but I know a senior retail manager, a doctor and a barrister who each use the same password for everything. One of them uses something that continually comes up on those “top 10 passwords you should never use or you’re an idiot” type lists, one uses his first name and the other employs the name of his favourite football club for everything.
Madness I say.
And that's despite the fact that each is well educated, aggravated by my nagging, and individually aware of the risks anyway.
So I guess the average man in the street is either lazy, stupid, unaware or underestimates the risks of password reuse.
We have work to do!
Unfortunately, however, the same cannot be said when talking about the bad guys. Hackers, being single-minded, extremely computer literate, highly gifted and acutely aware of how to hack, crack and otherwise bypass password systems, would never employ lame passwords themselves.
Or so we would think.
According to Avast, the bad guys aren’t quite as savvy as you may have thought.
In a blog posting on Monday, the company’s Antonin Hyza said:
“I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters.”
Further analysis of the leaked hacker passwords allowed Hyza to hypothesise that:
“the average hackers’ password will be at a maximum six characters long, contain lower case letters and numbers and it’s derived from the English language. That was not as hard as I expected, and most of hackers’ passwords are even weaker than those that normal people use.”
Hyza discovered that the average password employed by a hacker is just six characters long which, as any security pro will tell you, is too short by a minimum of 2-3 characters, if not more.
Another password tip often given out is to mix upper and lower case letters but Avast found that the analysed passwords often failed to employ this technique too.
The hacker passwords did, however, employ numbers in many cases which is generally encouraged, in a ‘leet’ kind of way:
“Some of the passwords are created as English words but using leet speak. This is a way of writing where you use numbers that look like letters. For example, A looks like 4, I looks like 1. Using leet speak a character with letters ‘o, i, e, a, s, t’ are replaced with their equivalent 0, 1, 3, 4, 5, 7.”
Hyza also discovered that many of the analysed passwords constituted another security no-no, insofar as they used dictionary words and common phrases such as pass, root and hax.
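The weaknesses listed above (six characters or fewer, a single character class, and dictionary words dressed up in leet speak) are exactly what a password-policy check should catch before a credential is accepted. The following is an added example, not Avast's tooling or anything from Hyza's analysis: it reverses the six leet substitutions quoted above, strips trailing digits, looks the result up in a small constructed wordlist (the page's "pass", "root" and "hax" plus a few obvious extras), and reports length, character-class and brute-force-effort problems. The nine-character minimum and the 33-symbol punctuation count are assumptions chosen for illustration.

```python
"""Password-policy check for the weaknesses Avast's analysis describes.

Added example, not Avast's code.  Assumptions: a 9-character minimum,
33 printable punctuation symbols, and a tiny constructed wordlist in
place of a real breach/dictionary list.
"""
import math

# Leet substitutions as quoted in the article: o i e a s t -> 0 1 3 4 5 7
LEET_TO_LETTER = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}

# Constructed mini-dictionary; a real check would load a full wordlist.
WEAK_WORDS = {"password", "pass", "root", "hax", "admin", "letmein"}

MIN_LENGTH = 9  # assumption: six is "2-3 short", so anything under nine fails


def deleet(password):
    """Lower-case and map leet digits back to letters: 'P455w0rd' -> 'password'."""
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in password.lower())


def charset_size(password):
    """Size of the smallest character set that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # assumption: printable ASCII punctuation
    return size


def brute_force_bits(password):
    """Upper bound on exhaustive-search work, log2(charset ** length)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password):
    """Return a list of policy violations; an empty list means the password passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (%d < %d)" % (len(password), MIN_LENGTH))
    if charset_size(password) <= 36:
        problems.append("only lower-case letters and/or digits")
    # Check both the de-leeted password and the de-leeted password with its
    # trailing digits removed, so 'password1' and 'p455w0rd' both normalise
    # to 'password' rather than 'passwordi'.
    candidates = [deleet(password), deleet(password.rstrip("0123456789"))]
    hit = next((c for c in candidates if c in WEAK_WORDS), None)
    if hit is not None:
        problems.append("dictionary word (normalises to %r)" % hit)
    return problems


if __name__ == "__main__":
    for pw in ["h4x", "password1", "r007", "abc123", "Tr0ub4dor&3xample!"]:
        print("%-20s %5.1f bits  %s" % (pw, brute_force_bits(pw), check_password(pw) or "ok"))
```

Run as a script it prints one line per sample password with the brute-force bound and the violations; "abc123" shows why a six-character lower-case-plus-digit password sits at roughly 31 bits of search work, which is within reach of an offline attack against an unsalted fast hash such as MD5, while the mixed, longer final sample passes every check.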
Worse still, a noticeable number of passwords were stored in plain text.
So, are hackers struggling to come up with strong passwords just like everyone else? Are they having a hard time remembering them all?
But it's far more likely that they simply don’t care, and The Verge has some thoughts on why that might be:
“Hackers could be using simple passwords because they don’t fear being attacked by fellow hackers, or simply to avoid using their real passwords for malware activities.”
Either way, Avast’s analysis should serve as a reminder that we all need to employ strong passwords for each and every account that we have, whatever the colour of our hats or, indeed, whether we wear one or not.