"The puppy's name can be whatever you want", the father in the Bizarro comic tells his son, "but make sure it is something memorable. You'll be using it as a security question answer for the rest of your life."
Unfortunately the name given to the dog - say, Poppy - may or may not have been encrypted when it was leaked among details of 500m Yahoo accounts, which included the answers to security questions about first pets. The dog's name was probably also used as a password at some point as people often use pets' names - maybe with a couple of numbers at the end.
"Poppy95" is not a secure password but it is fairly typical and it illustrates an uncomfortable fact: our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.
People often pick animals ("monkey"), keyboard patterns ("zxcvbn"), dad jokes ("letmein"), sports teams ("liverpool") and angst ("whatever"). All proved popular with users of the adultery site, Ashley Madison, hacked last year. In case you are thinking only adulterers use weak passwords, many of these also showed up in a leak from the Last.fm music service which surfaced more recently.
Both breaches - estimated at about 30m-40m each - are dwarfed by the 164m LinkedIn and 360m MySpace accounts that appeared in May.
Passwords are valuable to hackers in a couple of indirect ways. First, most people - about 60 per cent by some estimates - reuse passwords. This means the login details from one site can be tried out on more valuable sites - financial accounts, for example, or people's work. And, combined with details such as previous addresses obtained from a retailer and a date of birth from the Yahoo hack or Facebook, they may be used to obtain credit fraudulently.
Second, the data sets can be added to "dictionaries" comprising actual dictionaries, tens of thousands of books and all of Wikipedia, which can be used to crack passwords.
If you are thinking: "I may use the same base password but I change it a bit for different websites", well, I have a research paper for you. A group from the University of Illinois at Urbana-Champaign and elsewhere looked at the often simplistic changes people make. Using passwords for the same users from different leaks, they were able to guess almost a third of the transformed passwords within 100 or fewer attempts. Popular changes involved two to three appended characters. Keyboard sequence changes, capitalisation changes and "leet speak" - changing s to $, say - were also common.
Unfortunately, password strength meters aren't much help as they underestimate hackers' understanding of users' habits.
In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords - or reuse strong ones on other, less secure sites - there's only so much they can do.
There is some encouragement to be had, though. University researchers from Pennsylvania tested whether people could correctly identify the more secure password among pairs, where "security" is "guessability" using cracking tools. Participants did reasonably well - identifying the benefits of capitals, digits and symbols in the middle of a password, and avoiding names.
However, they also overestimated the usefulness of appending digits, incorrectly selecting "astley123" as more secure than "astleyabc". The former is easier to crack because of the pervasiveness of the pattern of appending digits - hence the problem with the variant of Poppy's name.
Participants also "underestimated the poor security properties of building a password around common keyboard patterns and common phrases". They wrongly believed that "iloveyou88" is stronger than "ieatkale88" (which frankly seems like an excellent name for a dog).
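The two findings above, that people's tweaks to a base password (appended digits, capitalisation, "leet speak") are guessable within a handful of attempts, and that "astley123" or "iloveyou88" are weaker than they look, both come down to the same defensive check: normalise a candidate password back to the base a guesser would start from, then look that base up against known-leaked passwords and against the user's previous password. The following is an added illustration of that check and is not code from the column or from the Illinois or Pennsylvania papers; the leaked-password set is a constructed stand-in for a real breach corpus, and the leet substitution table and the choice to strip every trailing digit or symbol (not just two or three) are this example's own assumptions.

```python
import re

# Constructed stand-in for a breach corpus: a handful of the weak bases the
# column mentions. A real deployment would consult a breached-password list
# (for instance via an offline hash lookup) instead of a hand-written set.
LEAKED_BASES = {
    "poppy", "monkey", "zxcvbn", "letmein", "liverpool",
    "whatever", "astley", "iloveyou", "password", "123456",
}

# Assumed "leet speak" substitutions, undone so that p@$$w0rd becomes password.
LEET = str.maketrans("@$013457!", "asoieasti")


def normalise(password: str) -> str:
    """Reduce a password to the base a guesser would try first:
    lower-case it, drop appended digits/symbols, undo leet substitutions."""
    lowered = password.lower()
    # Strip trailing digits and symbols ("Poppy95" -> "poppy"). Stripping all of
    # them rather than the two or three the research found most common is a
    # deliberate over-approximation: it errs on the side of rejecting.
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    if not stripped:
        # Entirely digits/symbols ("123456"): nothing to normalise, keep as-is.
        return lowered
    return stripped.translate(LEET)


def is_known_base(password: str) -> bool:
    """True if the password is a trivial variant of a leaked base."""
    return normalise(password) in LEAKED_BASES


def is_trivial_variant(old: str, new: str) -> bool:
    """True if the new password is just a tweak of the old one
    (capitalisation, appended characters or leet substitutions)."""
    return normalise(old) == normalise(new)


def check_new_password(old: str, new: str) -> list:
    """Return the reasons a proposed password would be rejected; an empty
    list means the password passes both checks."""
    reasons = []
    if is_known_base(new):
        reasons.append("base of new password appears in the leaked corpus")
    if old and is_trivial_variant(old, new):
        reasons.append("new password is a trivial variant of the old one")
    return reasons


if __name__ == "__main__":
    # Constructed examples drawn from the column's own pairs.
    for old, new in [("Poppy95", "P0ppy!"), ("astley123", "astleyabc"),
                     ("iloveyou88", "ieatkale88")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

The point of normalising before the lookup is that a plain membership test against a breach list would pass "Poppy95" and "P0ppy!" even though the corpus contains "poppy"; collapsing the variants first makes the check see what a guessing tool sees. "astleyabc" and "ieatkale88" pass because their bases are not in the corpus, which matches the column's ranking of those pairs.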
The researchers concluded that such misunderstandings, and poor password choices generally, stem from an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are. Which is not surprising, they note, as we don't often see one another's passwords. Unfortunately, hackers do.