New year, new you: Time to change those passwords

According to the fifth annual report by SplashData, the average person hasn’t changed their tune when creating passwords, and most of us certainly haven’t learned since last year. The report listed the Top 25 Worst Passwords of 2015, compiled from a list of over 2 million leaked passwords from 2015.

The top two worst passwords of 2015–“123456” and “password”–remain unchanged from 2014. They are followed by simple combinations from the standard keyboard and common words or phrases, especially words relevant to 2015 (think Star Wars).

Here is the full list of SplashData’s 25 Worst Passwords of 2015.

   1. 123456
   2. password
   3. 12345678
   4. qwerty
   5. 12345
   6. 123456789
   7. football
   8. 1234
   9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars

Why don’t we learn?

As our lives continue moving rapidly to digital and mobile, we are constantly being asked to create accounts and strong passwords. It’s more than the average person can handle, with many people managing over 50 different accounts across the Internet.

Since it is nearly impossible to remember 50 unique, secure passwords, many people resort to having one or two strong passwords, and one or two go-to passwords which they use for accounts that they somehow deem less vulnerable or less important (e.g. online newspaper subscriptions, online work platform logins). Those who don’t have go-to passwords evidently all have similar ideas when creating passwords, as simple passcodes created from different keyboard variations dominate the list of worst passwords. In this case, great minds should not think alike.

Another issue is that password strength indicators may be leading users astray. If you are anything like me, you slightly adjust a go-to password until the strength indicator registers “strong!” However, strength indicators are based mainly on password length and character variety (upper and lower case letters, numbers and special characters). The indicators do not account for using “0” instead of “o,” or “$” in place of “s,” but any hacker would try those variations. Additionally, the standards for these indicators are inconsistent; a password could be recognized as “strong” on one website and “weak” on another. Adding a few extra numbers or symbols to a weak password doesn’t make it much stronger, either (e.g. “qwertyuiop” is not much better than “qwerty”).
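To make the gap concrete, here is an added example (not from SplashData or any real strength meter) that puts a composition-only indicator next to a check that undoes common substitutions and compares the result against the list above. The scoring thresholds, the substitution table beyond “0” and “$”, and the function names are assumptions made for illustration.

```python
import string

# SplashData's 25 worst passwords of 2015, as listed in this article.
WORST_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

# "0" for "o" and "$" for "s" come from the article; "@" and "3" are
# assumed additions. The table is illustrative, not exhaustive.
SUBSTITUTIONS = str.maketrans({"0": "o", "$": "s", "@": "a", "3": "e"})


def naive_meter(pw):
    """Score on length and character classes only (assumed thresholds)."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if len(pw) >= 8 and classes >= 3:
        return "strong"
    if len(pw) >= 8 and classes >= 2:
        return "medium"
    return "weak"


def blocklist_hit(pw):
    """Return the listed password that pw is a variation of, or None."""
    low = pw.lower()
    forms = {low, low.translate(SUBSTITUTIONS)}  # raw and de-substituted
    # Exact match, or a listed word of 6+ characters padded with extras.
    hits = [w for w in WORST_2015 for f in forms
            if f == w or (len(w) >= 6 and w in f)]
    # Longest match first so the result is deterministic.
    return max(hits, key=lambda w: (len(w), w), default=None)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["P@$$w0rd2016!", "Dr@g0n2016!", "qwertyuiop", "vT9#kq2LmZ"]:
        print(f"{pw!r:18} meter={naive_meter(pw):7} listed={blocklist_hit(pw)}")
```

The first two samples score “strong” on composition alone yet reduce to “password” and “dragon” once the substitutions are reversed.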

It is particularly concerning that many of the passwords on this list haven’t changed since SplashData’s first report in 2011. SplashData releases the list annually in hopes of encouraging Internet users to strengthen their passwords, and to remind them that they are at risk of compromising their private information if they continue to use weak or common passwords.

Among your resolutions for this year, add the ongoing resolution to create more secure passwords. You can easily craft strong passwords and safely store them using a password manager like Blur. This helps you to protect your privacy online, whether you’re reviewing bank information or reading a news article.

Make 2016 the year that you proactively protect your identity.



