With all the data breaches in 2014, you would think folks would be a little more careful. But SplashData’s Annual "Worst Passwords" list reveals that people are just as lax about password security as ever. SplashData compiled over 3.3 million passwords leaked in 2014 to offer insights on password security dos and don’ts.
In SplashData’s annual list of the 25 most common passwords found on the Internet -- which qualifies them as the "worst passwords" because they expose those who choose them to hackers and identity thieves -- 123456 and "password" maintain the top spots. Other passwords in the top 10 include qwerty, dragon, and football.
"Passwords based on simple patterns on your keyboard remain popular despite how weak they are," said Morgan Slain, CEO of SplashData. "Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure."
Swear Words and Hobbies
According to SplashData, simple numerical passwords remained common in 2014. Nine of the 25 passwords on the 2014 list contain only numbers. But there are some firsts on this year’s list, including 696969 and batman. By contrast, iloveyou is one of the nine passwords from 2013 to fall off the 2014 list.
SplashData's list of frequently used passwords reveals too many people are putting themselves at risk by using weak, easily guessable passwords, like keyboard, monkey, and baseball. The top 100 worst passwords also include swear words and phrases, hobbies, famous athletes, brands, and film names.
"The bad news from my research is that this year's most commonly used passwords are pretty consistent with prior years," Burnett said. "The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2 percent of passwords exposed. While still frightening, that's the lowest percentage of people using the most common passwords I have seen in recent studies."
We turned to Graham Cluley, an independent security analyst, to get his take on this year's survey. He told us the findings are pretty depressing.
"People are still using dumb, easy-to-remember passwords when they should be using unique, complicated, hard-to-remember passwords," Cluley said. "The trick is not to even try to remember your passwords yourself, but instead to use a password manager that does all the remembering for you. I don't know my e-mail, Twitter, website passwords... and I'm proud of the fact!"
In terms of practical advice, SplashData suggests users should avoid a sequence such as "qwertyuiop," which is the top row of letters on a standard keyboard, or "1qaz2wsx," which is the first two columns of numbers and letters on a keyboard. The company warns against using your favorite sport or team as a password, as well as your birthday -- especially your birth year.
While baby name books are popular for naming children, SplashData said they should not be used as sources for picking passwords. Common names such as Michael, Jennifer, Thomas, Jordan, Hunter, Michelle, Charlie, Andrew, and Daniel are all on the list of the top 50 worst passwords.
What should you do? SplashData says to use passwords of eight characters or more with mixed types of characters, avoid using the same username/password combination for multiple websites, and use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.
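The advice above can be turned into a screen that a signup or password-change form runs on a candidate password. This is an added example, not SplashData's code or part of the original article: the blocklist holds only the passwords the article quotes, a US QWERTY layout is assumed, and the function names and thresholds are this example's own.

```python
import re

# Constructed blocklist: only passwords the article quotes, not SplashData's full list.
NAMED = {"123456", "password", "qwerty", "dragon", "football", "696969",
         "batman", "iloveyou", "keyboard", "monkey", "baseball", "michael",
         "jennifer", "thomas", "jordan", "hunter", "michelle", "charlie",
         "andrew", "daniel"}

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]  # US QWERTY assumed
# Columns read top to bottom, chained left to right: "1qaz2wsx3edc..."
COLUMNS = "".join("".join(r[i] for r in ROWS if i < len(r)) for i in range(10))
WALKS = [w for s in ROWS + [COLUMNS] for w in (s, s[::-1])]


def longest_walk(pw):
    """Length of the longest run of pw that follows a keyboard row or column."""
    pw, best = pw.lower(), 0
    for start in range(len(pw)):
        for end in range(start + best + 1, len(pw) + 1):
            if not any(pw[start:end] in w for w in WALKS):
                break
            best = end - start
    return best


def weak_reasons(pw):
    """Return the reasons a candidate password fails the article's advice."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.isdigit():
        reasons.append("digits only")
    if pw.lower() in NAMED:
        reasons.append("on the common-password list")
    walk = longest_walk(pw)
    # Threshold is this example's choice: a walk of 4+ covering half the password.
    if walk >= 4 and walk * 2 >= len(pw):
        reasons.append(f"keyboard walk of {walk} characters")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    return reasons


if __name__ == "__main__":
    for sample in ["123456", "qwertyuiop", "1qaz2wsx", "Jennifer", "Hunter1987"]:
        print(sample, "->", weak_reasons(sample))
```

An empty list means the candidate passed these checks only; it says nothing about whether the password has appeared in a breach or is reused on another site.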
Posted: 2015-01-22 @ 4:59am PT
Long and complex passwords are as easy to brute-force as short and simple ones. They only make users' lives miserable. Password-dependent authentication mechanisms should be reversed and replaced.
Reversed: use two-factor auth mechanisms and other methods based on the server knowing the users rather than based on the user knowing something stored on the server.
Replaced: require cryptographically signed signatures instead of a password. A crypto signature is like a 1024- to 4096-character-long password and can be stored on the devices in a much safer way than users store passwords anyway.