SplashData’s annual list of the worst (worst meaning most commonly used, therefore the least secure) passwords has been released and it reveals that computer users are STILL using weak, easy-to-guess combinations to protect their accounts.
For the 2nd year in a row, “123456” is in the top spot of worst passwords, followed (again) by “password”.
This list is created by SplashData through an analysis of more than 5 million leaked passwords from 2017. They were primarily held by users in North America and Western Europe. SplashData estimates that almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password, 123456.
While many of the weak passwords on the list remained the same, the most notable addition is “starwars”, debuting at #16. Clearly based on the popularity of the release of the movie, it’s a poor choice as a password because hackers also follow pop culture and can easily guess this one.
This list also reveals that making minor tweaks to common passwords – like changing a zero to an “o” or adding a couple of digits – isn’t enough. These changes are equally easy to guess.
Keyboard adjacencies like “qwerty” are also weak, as are sports-related passwords or really, any word that can be found in the dictionary and therefore be plugged into a password cracking tool.
Here are the top 25 worst passwords:
1 - 123456 (rank unchanged since 2016 list)
2 - password (unchanged)
3 - 12345678 (up 1)
4 - qwerty (Up 2)
5 - 12345 (Down 2)
6 - 123456789 (New)
7 - letmein (New)
8 - 1234567 (Unchanged)
9 - football (Down 4)
10 - iloveyou (New)
11 - admin (Up 4)
12 - welcome (Unchanged)
13 - monkey (New)
14 - login (Down 3)
15 - abc123 (Down 1)
16 - starwars (New)
17 - 123123 (New)
18 - dragon (Up 1)
19 - passw0rd (Down 1)
20 - master (Up 1)
21 - hello (New)
22 - freedom (New)
23 - whatever (New)
24 - qazwsx (New)
25 - trustno1 (New)
You can see (and download) the full list of 100 here.
How Not to Have a Terrible Password
We get it. When a login is required for everything from your bank account to your kids’ progress reports to your fitness tracker, it quickly becomes overwhelming.
It’s been estimated that the average person is managing 27 different online accounts and here we are strongly recommending that you have a unique login for every single one of them. (Source: Intel)
And if you’ve never been hacked (or you have, but you don’t realize it) or have that “it will never happen to me” mindset, then it’s easy to understand why it’s easiest to just use “password” as the password for all of your accounts and call it a day. After all, then you avoid becoming a part of the 37% of computer users who forget a password at least once a week.
The problem is that in this digital age, sticking your head in the sand isn’t good enough. It’s going to catch up with you one day.
So what can you do?
For starters, if your password appears on this "worst" list, then run – don’t walk – to your computer and update it to something that doesn’t.
Beyond that, here are a few articles that provide more tips and information on how to have a strong password:
- Password Best Practices for Business
- Realistic Password Security Solutions
- The Trouble with Passwords...
If you don’t have time to read through those though, it can be summed up as:
- Use a long (at least 12 characters) alpha-numeric password or passphrase that includes upper and lower case letters
- Don’t take an easy to guess word and just substitute a zero for the “o”, or an ! for the l, or an @ for the a – hackers (and password cracking tools) can guess these tricks too
- Don’t use personal data like your birthdate, pet’s name or SSN as your password
- Use a unique password for each account…or at minimum, apply a tiered system that ensures that your bank account password is as secure as possible and not the same as your Target account
- Change your password on a regular basis
- Whenever possible, enable multi-factor authentication as an additional layer of security
- Don’t share your login credentials with anyone, and if you have to write them down, store them in a private location
Create a Culture of Cyber-Awareness
One last tip: get cyber-aware.
Knowing WHY strong passwords matter can make a big difference. And as a business leader, you need to make sure that all of your end-users understand the risks they are facing every time they log on. That extends beyond better passwords to understanding phishing, keeping your software and systems up-to-date and having good data backups management.
Having strong passwords is just one part of a good network security strategy, but it is one that end-users continue to fall short on. Let's make 2018 the year that the use of "password" as a password (and all of the worst passwords of 2017) comes to an end!