Have you ever tried to create or type a password for a streaming service directly on your TV screen? If so, you know how clumsy it is. Using a remote control to hunt and peck each character is such a maddening process that you may be tempted to use a short and simple password. But that's not a good idea.
Cybercriminals look for weak and insecure passwords not just across PCs, mobile devices, and websites but on streaming services. That includes the passwords you create on your TV or streaming box and those you may share with family, friends, and other people who use the same service.
To illustrate the temptation toward creating short, simple, and weak passwords, password manager NordPass looked at the 200 most common passwords used by people around the world. For the fifth edition of this annual report, NordPass found that individuals still turn to the weakest possible passwords despite the risks of malware, theft, and account compromise.
The top 10 passwords overall were:
The password '123456' has held the top spot four times out of the past five years, a sign that people continue to rely on this simple stream of characters. Most of the other passwords are variations on the same theme. Regardless of which password people use, all of these top 10 could be cracked by a hacker in less than a second.
The results were actually worse for passwords used for streaming services. The 10 most common passwords for streaming platforms were:
"We've noticed that streaming passwords are, on average, weaker," NordPass chief technology officer Tomas Smalakys told ZDNET. "I could only assume that it's because people tend to share them, therefore create easier ones to remember, as well as the reason that they have to type it on a TV."
Using weak passwords for streaming services is problematic as they're easy prey for malware capable of stealing personal information, Smalakys said. Malware can capture a lot of data saved in a person's browser, such as usernames, passwords, and email addresses. But other details are just as vulnerable, including saved browser credentials, browser cookies, browser autofill data, and credit cards saved in the browser.
To compile the list of passwords, NordPass worked with independent cybersecurity researchers. Together, they analyzed a 4.3TB database taken from public sources, including those on the dark web. They also evaluated a 6.6TB database comprised of passwords stolen by different malware strains, such as Redline, Vidar, Taurus, Raccoon, Azorult, and Cryptbot. The malware logs contained not just passwords but the source websites so that hackers knew which users and which sites to target.
So how can people create more secure passwords and protect their streaming accounts and other services from compromise? Smalakys offers a few pieces of advice.
"I'd recommend setting up 2FA (two-factor authentication), if your streaming service allows this option," Smalakys said. "Also, try out alternative authentication methods. The majority of streaming services allow logging in by users scanning a QR code with their phone. If not, I'd still recommend setting up long and random passwords -- a couple of minutes of a person's time is definitely worth spending to stay secure."
Passkeys are slowly catching on as a more secure and simpler alternative to passwords. Companies such as Amazon, Apple, Google, Microsoft, and Yahoo now support passkeys. However, until more websites allow for this passwordless type of authentication, your best bet is to use a password manager. But the method you use to manage your passwords makes a big difference.
Smalakys advises against saving passwords in a browser and instead recommends that people use a dedicated password manager. Both types can store passwords and encrypt them end to end, he said. But the difference lies in how the password vault is protected. To safeguard your credentials, browser password managers and dedicated password managers both create private keys stored on the client side and public keys stored on a server. But password managers go a step further.
"What's really important is that password managers also encrypt a private key upon creation of a master password (most browser password managers do not have a master password)," Smalakys explained. "Therefore, if a hacker installs malware on your device, they can acquire the private key and access vault contents stored in the browser password manager. With password managers, even if a hacker acquires a private key to the user's vault, it will be encrypted and thus not usable."