Want to hack into someone’s account but don’t know that person's password? Try "123456." If that doesn’t work, just try "password." Sounds too easy, right? Well, those are the top two entries on SplashData’s fifth annual “Worst Passwords List.” The two easy-to-guess credentials have remained the two most common passwords since at least 2011.
It appears that users continue to create passwords with simple combinations of numbers. In fact, six of the 10 most common passwords this year consisted only of numbers, according to SplashData. And if you think you’re being clever by using “leetspeak" or combinations based on keyboard patterns, guess again: both "passw0rd" and "qwerty" appeared on this year’s top 10 list.
A New Hope
“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” said Morgan Slain, CEO of SplashData, in a statement.
That means passwords based on keyboard arrangements, such as "1qaz2wsx" or "qwertyuiop" (the first two columns and top row of the standard keyboard, respectively) put users at just as much risk as simpler passwords.
Using your favorite sport or pastime as the basis for your password is also a bad idea. Both "football" and "baseball" were among the top 10 most common passwords last year. Other simple passwords debuting on the list this year were "welcome" and "login."
Even fans of science fiction are likely to fall victim to weak passwords. This year, "starwars," "solo," and "princess" were all among the 25 most commonly used passwords, likely thanks to the anticipation for the recently released Star Wars movie.
“As we see on the list, using common sports and pop culture terms is also a bad idea,” Slain added. “We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different Web sites.”
Making a Better Password
SplashData, which provides password management applications to businesses and consumers, compiled its list from the more than 2 million passwords that were leaked online last year. Although some passwords were longer in 2015 than in previous years, as long as they remain easy for hackers to guess, users will continue to put themselves at risk, according to SplashData.
The company offered three tips to help users ensure that their passwords remained secure. First, users and enterprises should always use passwords that are at least 12 characters long and consist of a mixed set of characters, such as letters, numbers, and punctuation marks. Second, users should avoid reusing the same passwords for multiple sites.
SplashData also recommended that people use a password manager to generate new, random passwords for every site. But this too can be a problem: recently it was revealed that popular password manager LastPass was vulnerable to hackers, potentially putting even the most conscientious users at risk.
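A site can enforce the first tip and catch the patterns described above at the moment a password is set. The sketch below is an added example, not part of the original article or SplashData's tooling; the blocklist holds only the passwords quoted in the article, and the US QWERTY layout, the leetspeak table, the 50% keyboard-pattern threshold and the reading of "mixed set" as letters, digits and punctuation all present are assumptions.

```python
import re

# Constructed sample blocklist: only passwords quoted in the article.
# A real deployment would load a full leaked-password list instead.
COMMON = {"123456", "password", "qwerty", "football", "baseball",
          "welcome", "login", "starwars", "solo", "princess"}

# Keyboard rows and columns (US QWERTY assumed) used to spot "walks".
KEY_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
            "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]

# Common leetspeak substitutions mapped back to letters (assumed table).
LEET = str.maketrans("013457@$!", "oieastasi")


def keyboard_coverage(pw):
    """Fraction of characters inside runs of 4+ adjacent keys (either direction)."""
    low = pw.lower()
    covered = [False] * len(low)
    for run in KEY_RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - 3):
                chunk = seq[i:i + 4]
                start = low.find(chunk)
                while start != -1:
                    covered[start:start + 4] = [True] * 4
                    start = low.find(chunk, start + 1)
    return sum(covered) / len(low) if low else 0.0


def check_password(pw):
    """Return a list of reasons to reject pw; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    # Letters, digits, punctuation (anything else): all three required here.
    classes = [r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing letters, digits or punctuation")
    low = pw.lower()
    if low in COMMON or low.translate(LEET) in COMMON:
        problems.append("common password or leetspeak variant")
    if keyboard_coverage(pw) >= 0.5:
        problems.append("mostly keyboard pattern")
    return problems
```

Note that "1qaz2wsx1qaz2wsx" clears the 12-character minimum yet is still rejected as a keyboard pattern, which is the point Slain makes about longer passwords built on simple patterns.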