It would appear that people still suck at creating passwords. If you look at this annual list of the top 25 most commonly used passwords from SplashData, you’ll see what I mean.
Photo by Sergay Nivens
Every year, security application and services company SplashData compiles a list of the millions of stolen passwords that were made public over a 12-month period. According to the data collected, “123456” and “password” were the most popular passwords used last year. This remains unchanged from 2014.
Going down the list will make you lose faith in humanity. You’d think that after years of being told not to use common words or sequential characters as passwords, most people would have got the message that these types of passcodes make them more vulnerable to hacking and identity theft.
Here’s the full list:
1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)
SplashData has some advice for creating safer passwords, with the most obvious tip being to avoid all of the passwords on the list:
- Use passwords or passphrases of 12 characters or more with mixed types of characters
- Avoid using the same password over and over again on different websites
- Use a password manager to organise and protect passwords, generate random passwords and automatically log into websites. (See Lifehacker Faceoff: The Best Password Managers, Compared).
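A sign-up-time check that turns the list and the tips above into code, added here as an example (not the article’s or SplashData’s own code): it rejects the 25 listed passwords and their leet variants, flags keyboard walks such as 1qaz2wsx, and enforces the 12-character minimum. The leet substitution table and the US keyboard layout are assumptions.

```python
# Added example, not SplashData's code; the leet table and US layout are assumptions.

# The 25 passwords from the 2015 list, used as the blocklist seed.
SPLASHDATA_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}
MIN_LENGTH = 12  # SplashData's "12 characters or more" tip

# Substitutions that turn "password" into "passw0rd" or "P@$$w0rd"; undone
# before the lookup so leet variants of listed passwords are caught too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Rows of a US keyboard, plus the columns derived from them ("1qaz", "2wsx",
# ...), forwards and backwards, so "qwerty", "1qaz2wsx" and "zaq12wsx" all
# read as walks across the keyboard rather than as random characters.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
WALKS = ROWS + COLUMNS + [w[::-1] for w in ROWS + COLUMNS]


def is_keyboard_walk(pw: str, min_run: int = 3) -> bool:
    """True if pw splits entirely into runs of >= min_run adjacent keys."""
    s = pw.lower()
    reachable = [True] + [False] * len(s)  # reachable[j]: s[:j] is all walks
    for i in range(len(s)):
        if not reachable[i]:
            continue
        for j in range(i + min_run, len(s) + 1):
            if any(s[i:j] in walk for walk in WALKS):
                reachable[j] = True
    return len(s) >= min_run and reachable[len(s)]


def check_password(candidate: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    lowered = candidate.lower()
    reasons = []
    if lowered in SPLASHDATA_2015 or lowered.translate(LEET) in SPLASHDATA_2015:
        reasons.append("on the SplashData most-common list (or a leet variant)")
    if is_keyboard_walk(candidate):
        reasons.append("keyboard walk")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons
```

check_password("P@$$w0rd") returns both the blocklist and the length reasons, while a 28-character passphrase such as "correct horse battery staple" returns an empty list.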
Comments
17 responses to “The 25 Most Commonly Used Passwords Of 2015 Will Depress You”
hunter2 is clearly the best password ever and has never been in any of these lists.
Nah, must be t0psecret – see what I did with the zero there? That’ll confuse ’em!
For banks and other high-security sites you can use t0p5ecret. Locks it down HARD!
it’s T0p$e(re7
Why are you just typing asterisks?
Are you hunter2ing my hunter2?
Just use Password. The capital letter clearly makes it that much more secure…
So the top ten for 2015 is basically the same top ten for the last thirty or forty years, eh?
1qaz2wsx seems random to me unless I’m missing something?? To me it is just random numbers and letters…
Look at where each key is on your keyboard. Notice a pattern?
Ahhhhh, well I guess my hacking career is over before it started…
I’m not concerned by long passwords, unless your password is AAAAA or AAAAC, or your password is a glass window:
http://i1.theportalwiki.net/img/c/c8/Wheatley_sp_a1_wakeup_hacking08.wav
Security experts could probably be a bit more reasonable before eyerolling at passwords, though.
Seriously, I did a tally of all the miscellaneous websites, utilities, government agencies, service providers, entertainment media and basically every company that requires me to have a unique password for their specific systems and I reached OVER SEVENTY before deciding that this was fucking madness and a waste of time. And that’s just personal, not work.
All the security guidelines we have at work say that passwords should be unintuitive and difficult to remember, but also not written down anywhere, unique across systems, changed every 30-90 days, and not mere iterations of numbers in a series of otherwise identical passwords. For literally hundreds of systems.
Some security-conscious types recommend using key-collection systems which combine all-in-one, because putting all your eggs in one digital basket is sooooo much safer than writing them down somewhere… and not at all a catastrophic loss of identity if misadventure or technical failure causes you to lose access. Especially if you’re able to whine loudly enough to get your access back, the way a social engineer totally wouldn’t think to.
Security people need to get reasonable. We can only be expected to do so much.
Like, say: a combination of letters and numbers that isn’t someone’s friggin’ birthday. Maybe a handful of unique passwords, separated into tiers by use.
(Eg: Tier 1: Financial shit you control tightly and take fucking seriously, Tier 2: Personal shit you care about, Tier 3: Work, and Tier 4: personal shit you don’t care about and pretty much sacrifice to the gods of marketing, spam, and social media.)
Passwords can be hard to crack but easy to remember; just use a phrase instead with a few rules, such as substitute s for 5, o for 0, i for 1, and use at least one proper noun. It’s much easier to remember a 40 or 50 character phrase with a consistent rule applied over
I like random lines from classic literature like Shakespeare or Chaucer (including the act or stanza number and line number); they’re a great source for passphrases because medieval English and Old English are not commonly used and words are often misspelled compared to modern English, but they can be easy to remember for a book nerd like me!
Comeback 2016, trust no one.
There should be laws passed that prevent sites from making up their own complexity requirements.
The password “skldfj#*$jwje90895mlioveS{RLF_nvuweir mnujnsupr9023fmncv-HJGH&Y^” should be acceptable to any site. If you operate an application or website that would not accept that password SHAME ON YOU.
It’s surprising the number of sites (like banks) with requirements like: “Your password must be between 8 and 10 characters, include a capital letter and a number, symbols are disallowed”
Also, the need to change passwords is bunk; it only forces users to append some variation of the year, month or numeric increment onto their standard password, write it down, or reset it every time they log in. Passwords need to be changed when the password database is compromised.
Given that an 8 character complex password like P@ssw0rd takes about 30 seconds to crack, changing your password every 90 days offers no additional security whatsoever.
The problem though is: 1) the database administrators may not necessarily know that the passwords have been compromised
2) there has been such a great track record of people being told in a timely manner.
P@$$w0rd… no one is ever going to guess that one
My favourite password is *********
My second is *********
But my most secure? oh, well it’s ***********
Feel free to try it out guys 😉