The 25 Worst Passwords of 2015 Will Convince You of the Reality of Security Through Obscurity …
… because people sure as heck aren’t securing their accounts any better than they were last year.
Password management firm SplashData released its annual "Worst Passwords List" this week, once again confirming that people are bad at choosing passwords.
For its fifth annual report, SplashData combed through the more than two million passwords leaked in the past year and complied a list of the most commonly used terms.
"Password" and "123456" continued to top the list, with other numeric series, sports, and obvious patterns taking most of the rest of the places. In fact, this year’s list looks very similar to the last one, although there are a few additions.
"1qaz2wsx" and "qwertyuiop" are debuting on the worst of list for the first time, and the list also shows the impact of all the Star Wars advertising ("solo", "princess", and "starwars"). Several others that weren’t on the 2014 list include “welcome,” “login” and “passw0rd" (with a zero in place of the letter "o"). Changing that "o" in password to a zero might seem clever, but a lot of people had the same idea. And the same is probably true for "pa55word" which did not make this year’s list.
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” said Morgan Slain, CEO of SplashData. “As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”
If you see one of your passwords on the list, you might want to consider changing it or, better yet, getting a password manager. And if you need suggestions, xkcd has a few tips on how to choose a password which is both easy to remember and long enough that it is secure. There are better options than this, I think:
On the other hand, if you have a weak password attached to a throwaway or otherwise low-risk account, is it really worth the bother to change?
1 – 123456 (unchanged from 2014)
2 – password (unchanged)
3 – 12345678 (Up 1)
4 – qwerty (Up 1)
5 – 12345 (Down 2)
6 – 123456789 (Unchanged)
7 – football (Up 3)
8 – 1234 (Down 1)
9 – 1234567 (Up 2)
10 – baseball (Down 2)
11 – welcome (New)
12 – 1234567890 (New)
13 – abc123 (Up 1)
14 – 111111 (Up 1)
15 – 1qaz2wsx (New)
16 – dragon (Down 7)
17 – master (Up 2)
18 – monkey (Down 6)
19 – letmein (Down 6)
20 – login (New)
21 – princess (New)
22 – qwertyuiop (New)
23 – solo (New)
24 – passw0rd (New)
25 – starwars (New)
SAD January 20, 2016 um 3:04 am
It’s worth pointing out that strong passwords will never make it to a top 25 (or even top 1000000) list. By virtue of their uniqueness they can never become popular enough for that. As such, the list tells you NOTHING about the overall password building habits and will ALWAYS give you roughly the same impression.
Richard Adin January 20, 2016 um 4:37 am
One of the problems with strong passwords is that not every site will accept it. I have a password that is rated as being strong and I tried to make it a universal password so I could remember it. A third to half of the sites where I wanted it wouldn’t accept it and various reasons were given. The same is true as regards a username.
Gary January 20, 2016 um 10:45 am
I make acronyms of song lyrics, poems, or other quotations and use them for passwords. For example, "I set fire to the rain, Watched it pour as I touched your face" becomes Isf2tr,WipaItyf
Note that I have never used this particular song lyric as the basis for a password. It is only an example of how my 'system' works. The quotes I actually use are more obscure than recent, world-wide, hit songs.
Although I can’t actually remember the letters in one of my passwords, I can remember the quote that I used, and I can recreate the password from memory when I need to type it in.
SAD January 21, 2016 um 3:28 am
Gary, your passwords would be stronger if you just used entire quotes instead of shortening them to acronyms (and thus making them easier to brute-force). Of course they would take longer to type then.
Nate Hoffelder January 21, 2016 um 7:23 am
"they would take longer to type"
Not necessarily. Typing a memorized phrase like a text-based password can probably be handled by muscle memory, while short gibberish string would require finding each character one by one.
Gary January 21, 2016 um 1:59 pm
Please correct me if I am wrong, but my theory is that a fifteen letter acronym is exactly as hard to brute force as any other fifteen letter string. So, Isf2tr,WipaItyf is no different than Isetfiretothera.(Except that in the acronymn I changed 'to' to '2' and included the comma, which I think makes it harder to brute force than fifteen letters.)
Of course, using the entire quote, which is 49 characters long without counting spaces, is much better, but most sites won’t let you use such a long password.