Take a look at the list of the worst passwords of 2016 and you would be forgiven for thinking you are looking at the worst password list for 2015. Or 2014 for that matter. Little appears to have changed year on year, even though the risk to network and data security from the use of weak passwords is considerable.
Every year, SplashData compiles a list of the worst 25 passwords of the year. 2017 is the sixth consecutive year when the company has produced its list. Given the number of largescale data breaches that occurred in 2016, it would be reasonable to assume that organizations would take a proactive step and introduce restrictions on the passwords that can be used to secure corporate networks, computers, and email accounts. Many still don’t. It is still possible for end users to use passwords with no capital letters (or no letters at all), no symbols, and consecutive number strings are still permitted.
Should a hacker attempt a brute force attack – attempting to gain access using an automated system that guesses potential password combinations – a weak password would allow access to be gained incredibly quickly.
If any of the passwords from the list of the worst passwords of 2016 were used, it would be like there was no password required at all. How quickly can a hacker crack one of these passwords? According to Random ize, most of the passcodes on the list of the worst passwords of 2016 could be guessed in under a second. BetterBuys is more pessimistic, claiming most could be guessed in about 0.25 milliseconds.
To compile its list, SplashData scraped data dumps that included passwords. 2016 saw a great deal of data published on darknet sites by cybercriminals that had succeeded in breaching company defenses. For its list, SplashData analyzed more than 5 million credentials, most of which came from data breaches in North America and Europe.
The most commonly used password in 2016 was 123456, as it was in 2015. Password was the second most common password in 2016. There was no change in the top two worst passwords even though cybersecurity awareness has increased. As we saw last year, even John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, allegedly used a variation of the word password to “secure” his accounts. That poor choice clearly demonstrated that the use of poor passwords offers very little protection against hackers.
The worst password of 2016 was used on an incredible 4% of user accounts, and almost as many individuals used password. SplashData says around 10% of individuals use a password that was on the list of the 25 worst passwords of 2016.
Some individuals have got clever, or so they think. They use a variation of ‘password’. However, password1 and passw0rd are barely any better. The small change would not delay a hacker by any noticeable degree. Hackers are well aware of the use of numbers to replace letters and other techniques to make passwords more secure, such as adding a digit to the end of a word. – Password1 for example.
SplashData’s List of the Worst Passwords of 2016
- 123456
- password
- 12345
- 12345678
- football
- qwerty
- 1234567890
- 1234567
- princess
- 1234
- login
- welcome
- solo
- abc123
- admin
- 121212
- flower
- passw0rd
- dragon
- sunshine
- master
- hottie
- loveme
- zaq1zaq1
- password1
If you were wondering how the list has changed year on year, take a look at last year’s list and you will see a number of similarities.
List of the Worst Passwords of 2015
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball
- welcome
- 1234567890
- abc123
- 111111
- 1qaz2wsx
- dragon
- master
- monkey
- letmein
- login
- princess
- qwertyuiop
- solo
- passw0rd
- starwars
In order to make it harder for hackers, complex passwords should be chosen. Passwords should be at least 9 characters, contain numbers, letters (lower and upper case), and symbols. They should not be words, although pass phrases of 15 or more characters would be acceptable. Passwords should also be changed frequently. The use of a password manager is recommended to ensure that these complex passwords can be remembered.