28.12.17

The worst passwords of the year revealed

Need a New Year’s resolution? How about this one?
Start taking password security more seriously.
New research released by SplashData reveals that many people are still making woefully poor decisions when it comes to the passwords they use to secure their online accounts.
As we all know, passwords often leak out onto the internet – which is clearly bad news for the people who own the accounts, and good news for malicious hackers who want to break into them.
But another group who find leaked password databases fascinating are the security researchers interested in shining a light on the sometimes (poor) choices made by regular internet users when choosing a password.
SplashData’s chart of most commonly-chosen passwords (which thus makes them some of the very *worst* passwords you can choose) is based upon its examination of over five million passwords leaked by hackers.
Truth be told, a lot lot more than five million passwords were grabbed by hackers in the course of 2017, but it’s still a helpful indicator of just how reckless computer users can be online.
Here’s a list of the top (ie worst) 30 passwords:
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master
21. hello
22. freedom
23. whatever
24. qazwsx
25. trustno1
26. 654321
27. jordan23
28. harley
29. password1
30. 1234
Passwords like these are not only easily guessable, they’re already in the password-cracking databases of any hacker worth his or her salt, alongside millions of other popular choices and dictionary words.
If you, or someone you know, is using any of the passwords above online then you need to take a long hard look at yourself in the mirror. The good news is that better password security is not a hard resolution to keep, and with the right tips you have a much higher likelihood of achieving your goal than you will making the most of your gym membership.
I believe that the vast majority of computer users would benefit from running a good password manager – a program that not only securely stores your passwords, but can also generate hard-to-guess, complex passwords when you create an account on a website.
But maybe websites need to buck their ideas up as well. Not only do more websites need to do a better job of securing sensitive information (such as password databases) but they could also be more diligent in rejecting easy-to-crack passwords like those listed above or regular dictionary words.
For instance, wouldn’t it be great if more sites blocked passwords that are frequently used, have been exposed in past data breaches, or if they at the very least *warned* users that they might be choosing a potentially unsafe password? Troy Hunt’s HaveIBeenPwned service makes hundreds of millions of passwords available for download for precisely this purpose. For advice on how the data might be best used to defend your website’s users – be sure to check out his blog post.
Additionally, I’d love to see more website administrators make a New Year’s Resolution to look into implementing two-factor authentication (2FA) – so even if login credentials do fall into the wrong hands, they won’t be enough by themselves to allow a hacker to break into an account.
Chances are that if you’re a regular reader of We Live Security you have heard a lot of this advice before, and may even have (hopefully!) put it into practice. If that’s the case, give yourself a pat on the back – but realise that you have your own special New Year’s Resolution…
… and that’s to spread the word. Tell your friends, colleagues, and loved ones how they can better defend themselves online by choosing complex, hard-to-guess, hard-to-crack passwords, and explain to them the benefits of two-factor authentication.
Wishing you a happy, and safe, new year.