Password management company SplashData has released its fifth annual list of the top 25 worst passwords. The annual roundup of terrible password ideas is dominated by old favorites like “123456” and “password,” but plucky upstarts like “solo” and “princess” also managed to make the list. It should go without saying that nobody should actually use any of these passwords, but for some reason it doesn’t.
Each year, SplashData combs through reams of leaked password data in an effort to show us the strange ideas that so many people have about what makes for a good password. This time around, the California-based password management company had access to 2 million passwords, which were obtained from various hacks and leaks that occurred throughout the year. Topping the list was heavy favorite “123456,” which has held the top position every year since SplashData started releasing these lists in 2011.
The number two worst password in the list of the top 25 worst passwords of 2015, also unchanged since 2011, was “password.” It isn’t exactly clear who, in the year 2015, would still think that “password” is a good password, but apparently there are enough of them out there to make the list, again, for the fifth year in a row.
Although “123456” and “password” may be easy to remember, they’re also terribly insecure.
Experts recommend longer passwords, which are inherently more difficult to guess or break through brute force, and new additions to the 2015 list indicate that people have gotten the memo. Unfortunately, they’re still being tremendously lazy about it. Although “1234567890” made the list for the first time, and it is a respectable 10 characters in length, it isn’t really any more secure than old favorites like “123456” and “qwerty.”
“We have seen an effort by many people to be more secure by adding characters to passwords,” SplashData CEO Morgan Slain said via press release. “But if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.”
Another newcomer to the list is “1qaz2wsx,” which might look good at first glance, but a second glance should reveal the problem. Although some may feel they are being clever by using columns instead of rows, “1qaz2wsx” is no more secure than “qwertyuiop.” According to SplashData, both approaches qualify as “simple patterns” that are easily guessed by hackers.
Although the appearance of longer passwords on the list is one new trend that is at least a good thing in theory, another pattern emerged that has no redeeming value at all. Here is the 2015 list of the top 25 worst passwords, in all its glory. See if you can spot the new trend.
- 123456 (No change)
- password (No change)
- 12345678 (↑ 1)
- qwerty (↑ 1)
- 12345 (↓ 2)
- 123456789 (No change)
- football (↑ 3)
- 1234 (↓ 1)
- 1234567 (↑ 2)
- baseball (↓ 2)
- welcome (New)
- 1234567890 (New)
- abc123 (↑ 1)
- 111111 (↑ 1)
- 1qaz2wsx (New)
- dragon (↓ 7)
- master (↑ 2)
- monkey (↓ 6)
- letmein (↓ 6)
- login (New)
- princess (New)
- qwertyuiop (New)
- solo (New)
- passw0rd (New)
- starwars (New)
The Star Wars hype game was strong in 2015, and apparently it bled over into terrible password choices. Rounding out the bottom of the list, “princess” at number 21, “solo” at number 23, and “starwars” at 25 should remind us why plumbing our favorite works of fiction for important passwords isn’t a very good idea, unless enough entropy is introduced to the equation.
Speaking of entropy, which is a measure of password strength, replacing the “o” with a “0” in “passw0rd” isn’t going to cut it, but at least that’s trending in the right direction.
One of the ways that companies attempt to protect us from ourselves is to force the use of numbers in passwords, or to force the selection of a password that passes muster in terms of entropy, but that often leads to the creation of stinkers like “1qaz2wsx” that look random but aren’t. One way to actually select a strong password, and one that gets tossed around a lot, is XKCD’s “correct horse battery staple” method, and there are even services out there that will generate such a password for your use.
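As an added illustration (not part of the original article), here is a Python checker that flags the kinds of passwords the list warns about: list membership, leet-speak substitutions like “passw0rd”, repeated characters, and keyboard row or column walks like “qwertyuiop” and “1qaz2wsx”, next to the naive entropy a length-and-character-class rule would credit them. The 2015 list is the one reproduced above; the QWERTY layout, the substitution table and the scoring rules are my own assumptions, and the walk check also catches variants the article does not mention, such as reversed walks.

```python
import math

# SplashData's 2015 top-25 list, exactly as reproduced in the article.
WORST_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}
# Assumed US QWERTY rows; columns are derived from them so that "1qaz2wsx"
# (columns) is caught just like "qwertyuiop" (a row). Alphabet covers "abc123".
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_COLS = ["".join(r[i] for r in KEY_ROWS if i < len(r)) for i in range(10)]
SEGMENTS = KEY_ROWS + KEY_COLS + ["abcdefghijklmnopqrstuvwxyz"]
LEET = str.maketrans("0134$@", "oleasa")  # assumed table: "passw0rd" -> "password"

def is_pattern_walk(pw, min_run=3):
    """True if pw is tiled entirely by runs of at least min_run characters that
    are adjacent in some segment, read forwards or backwards."""
    s, i = pw.lower(), 0
    while i < len(s):
        best = 0
        for seg in SEGMENTS:
            for direction in (seg, seg[::-1]):
                k = min_run
                while k <= len(s) - i and s[i:i + k] in direction:
                    k += 1
                if k - 1 >= min_run:
                    best = max(best, k - 1)
        if best == 0:
            return False
        i += best
    return True

def naive_bits(pw):
    """Entropy a length/character-class rule would credit, ignoring patterns."""
    classes = [(str.isdigit, 10), (str.islower, 26), (str.isupper, 26),
               (lambda c: not c.isalnum(), 33)]
    size = sum(n for f, n in classes if any(f(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0

def assess(pw):
    """Reasons a password is weak regardless of what naive_bits() credits it."""
    low = pw.lower()
    checks = [("on the 2015 worst-25 list", low in WORST_2015),
              ("leet-speak variant of a listed password",
               low.translate(LEET) in WORST_2015),
              ("single repeated character", len(set(low)) == 1),
              ("keyboard or sequence walk", is_pattern_walk(low))]
    return [why for why, hit in checks if hit]
```

Running `naive_bits("1234567890")` credits it about 33 bits for its ten digits, while `assess` still flags it as a walk, which is exactly the gap the article describes.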
Another way to approach password security is to use truly random strings of letters, numbers, and special characters that no average person could hope to actually memorize, let alone guess. This type of password is best paired with a password manager, which is the business that SplashData is in, bringing things full circle. Password managers essentially allow you to go crazy creating strong passwords without worrying about remembering them, since you only have to remember the password for the manager itself.
Have you ever used anything from the list of the top 25 worst passwords of 2015, or do you know someone who has?