It’s that time again, where, with the new year ahead, we make resolutions to better ourselves, and look back on the past year and face just how bad we really were… at coming up with strong passwords.
On December 19th password management provider SplashData released the 2017 edition of its “Worst Passwords of the Year” list.
The results? Just as awful as we’ve come to expect.
The list was put together through an analysis of more than five million passwords leaked in 2016’s biggest breaches. We should note that usernames and passwords from Yahoo’s massive 3 billion user breach were not included in the research, as the breach took place in 2013, though full disclosure didn’t come until recently.
The winner of Worst Password of the year is, for the seventh year in a row…. Drumroll please… “123456”!
"That's the kinda thing an idiot would have on his luggage!"
As in years past, simple, numerical passwords remain the most common, with variations on the count-to-ten theme taking 5 of the top ten spots.
Another classic hit, “password” came in hot in second place.
Sports were also a popular theme, with "football" coming in at number nine, and His Airness showing up twice, with "jordan23" in 27th place and "jordan" in 33rd.
Here are the 25 worst passwords on SplashData’s 2017 list:
How can we improve password security?
So there you have it... pretty bad. But we can do better. We have to, if we ever want to stop the deluge of hacks and attacks in the headlines. So how do we fix this?
Here are a few tips:
- Use longer pass-phrases, where possible. The longer the better. In the past, it was considered a best practice to require special characters, upper-case letters, and numbers, but that advice has been retired: NIST's 2017 Digital Identity Guidelines (SP 800-63B) dropped such composition rules in favor of length and screening against known-breached passwords. The reason is that short, "complicated" passwords are hard for a human to remember and easy for a computer to guess, because people satisfy the rules in predictable ways ("Password1!"). A long pass-phrase such as "whyareallofourpasswordssodangawful" is far harder for a computer to guess and easier for a human to remember. One caveat: cracking tools also try famous quotes, song lyrics and book titles, so make the phrase your own, or string together randomly chosen words.
- Enable multi-factor authentication (MFA). This pairs your password with a second factor, usually something you physically have, such as a phone running an authenticator app or a hardware security key. If your password is compromised, an attacker logging in from an unknown device still has to pass that second check, and the prompt you receive is your warning that something is wrong. Where you have the choice, prefer an authenticator app or hardware key over SMS codes, which can be intercepted through SIM-swap fraud.
- Use a password manager. It's common to have dozens of username and password combinations, and that's just for personal accounts. Add work accounts to the mix, and it becomes impossible to remember everything, which is why passwords are so often reused. Luckily, there are a variety of free password managers available that remember your passwords for you and generate a long, random, unique password for every account, so the only thing you have to memorize is one strong master pass-phrase (and protect that with MFA).
- Don’t use the same password over and over again on different websites. This one's important. Data breaches are so commonplace that entire databases of leaked login credentials are for sale on the dark web, and attackers replay them against other sites in automated "credential stuffing" attacks. For example, any password you used for LinkedIn prior to 2012, or Yahoo! prior to 2014, is likely compromised, and is likely to be tried against your email, bank and social media accounts. It's imperative to use a unique password for any account that you don't want hacked.
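To make the tips above concrete, here is an added example (not SplashData's code, nor the article's own) that does three things a password manager or sign-up form would do: generate a random pass-phrase and a random password with Python's `secrets` module, estimate how many bits of guessing work each represents, and screen a candidate password against a deny-list. The deny-list holds only the passwords this article names, and the 32-word list is a constructed stand-in for a real one such as the EFF long word list (7,776 words); both are assumptions for the example, as is the 12-character minimum.

```python
"""Added example (not SplashData's or the article's own code): generate
pass-phrases and random passwords the way a password manager would, and
screen a candidate password against the tips above."""
import math
import secrets
import string

# Constructed deny-list: just the passwords this article names. A real
# deployment would check against a full breached-password corpus instead.
WORST_PASSWORDS = {"123456", "password", "football", "jordan23", "jordan", "whatever"}

# Constructed miniature word list (32 words = exactly 5 bits per word).
# A real generator uses thousands of words, e.g. the EFF long list (7776).
WORDS = (
    "apple banana cactus dolphin eagle falcon garden harbor island jungle "
    "kettle lantern meadow nectar orbit pepper quartz river saddle timber "
    "umbrella velvet walnut yellow zebra anchor bridge candle desert engine "
    "forest glacier"
).split()


def entropy_bits(choices_per_symbol, symbols):
    """Guessing work for a uniformly random secret: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(n_words=5, wordlist=WORDS, sep="-"):
    """Pick words uniformly at random with the secrets module (a CSPRNG),
    never random.choice, whose output is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length=16):
    """Random password drawn from the 94 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_password(pw, min_length=12):
    """Return the list of problems found; an empty list means it passes."""
    problems = []
    if pw.lower() in WORST_PASSWORDS:          # case-insensitive deny-list hit
        problems.append("on the worst-passwords list")
    if len(pw) < min_length:                   # length matters more than symbols
        problems.append(f"shorter than {min_length} characters")
    if pw.isdigit():                           # the "count-to-ten" theme
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    print(generate_passphrase(), generate_password())
    for pw in ("123456", "jordan23", "whyareallofourpasswordssodangawful"):
        print(pw, check_password(pw) or "ok")
    # Compare: 5 words from a 7776-word list vs. 8 random printable characters.
    print(round(entropy_bits(7776, 5), 1), round(entropy_bits(94, 8), 1))
```

The entropy comparison is the point of the first tip: five random words from a 7,776-word list give about 64.6 bits, while eight characters drawn from all 94 printable symbols give about 52.4 bits, so the longer all-lowercase phrase is both easier to remember and harder to guess. For the fourth tip, replace the constructed deny-list with a real breach corpus; the Have I Been Pwned "Pwned Passwords" service exposes one for exactly this purpose.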
We’d like to think that users will follow these tips, but in all likelihood they’ll probably respond with the 23rd worst password, “whatever,” or maybe even password #52 (we’ll let you look that one up on your own).