According to the fifth annual report by SplashData, the average person hasn’t changed their tune when creating passwords, and most of us certainly haven’t learned since last year. The report listed the Top 25 Worst Passwords of 2015, compiled from a list of over 2 million leaked passwords from 2015.
The top two worst passwords of 2015, “123456” and “password,” remain unchanged from 2014. They are followed by simple combinations from the standard keyboard and common words or phrases, especially words relevant to 2015 (think Star Wars).
Here is the full list of SplashData’s 25 Worst Passwords of 2015.
1. 123456 2. password 3. 12345678 4. qwerty
5. 12345 6. 123456789 7. football 8. 1234
9. 1234567 10. baseball 11. welcome 12. 1234567890
13. abc123 14. 111111 15. 1qaz2wsx 16. dragon
17. master 18. monkey 19. letmein 20. login
21. princess 22. qwertyuiop 23. solo 24. passw0rd
Why don’t we learn?
As our lives continue moving rapidly to digital and mobile, we are constantly being asked to create accounts and strong passwords. It’s more than the average person can handle, with many people managing over 50 different accounts across the Internet.
Since it is nearly impossible to remember 50 unique, secure passwords, many people resort to having one or two strong passwords, and one or two go-to passwords which they use for accounts that they somehow deem less vulnerable or less important (e.g. online newspaper subscriptions, online work platform logins). Those who don’t have go-to passwords evidently all have similar ideas when creating passwords, as simple passcodes created from different keyboard variations dominate the list of worst passwords. In this case, great minds should not think alike.
Another issue is that password strength indicators may be leading users astray. If you are anything like me, you slightly adjust a go-to password until the strength indicator registers “strong!” However, strength indicators are based mainly on password length and character variety (upper and lower case letters, numbers and special characters). The indicators do not account for using “0” instead of “o,” or “$” in place of “s,” but any hacker would try those variations. Additionally, the standards for these indicators are inconsistent; a password could be recognized as “strong” on one website and “weak” on another. Adding a few extra numbers or symbols to a weak password doesn’t make it much stronger, either (e.g. “qwertyuiop” is not much better than “qwerty”).
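As an added illustration (not code from SplashData's report or from this article), the Python sketch below puts a constructed length-and-character-class meter of the kind described above next to a check that strips trailing digits and symbols, undoes look-alike substitutions, and compares the result to the list above. The function names, the 8-character threshold, the sample passwords and the "@" and "3" substitutions are assumptions made for the example.

```python
import re

# The 24 entries shown in the list above.
COMMON = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
}

# "0" -> "o" and "$" -> "s" come from the article; "@" and "3" are assumed extras.
LOOKALIKES = str.maketrans({"0": "o", "$": "s", "@": "a", "3": "e"})


def naive_meter(pw):
    """Constructed typical indicator: rates only length and character variety."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return "strong" if len(pw) >= 8 and classes >= 3 else "weak"


def common_base(pw):
    """Return the listed password that pw is a light variation of, or None."""
    raw = pw.lower()
    # Drop digits/symbols appended to the end; keep raw if nothing is left.
    stripped = re.sub(r"[^a-z]+$", "", raw) or raw
    for candidate in (raw, stripped):
        for variant in (candidate, candidate.translate(LOOKALIKES)):
            if variant in COMMON:
                return variant
    return None


def hardened_meter(pw):
    """Reject disguised common passwords before rating length and variety."""
    return "weak" if common_base(pw) else naive_meter(pw)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for pw in ("P@$$w0rd!2015", "Qwerty123!", "Dr@g0n2016", "correct-Horse-7-battery"):
        print(f"{pw!r}: naive={naive_meter(pw)}, hardened={hardened_meter(pw)}, "
              f"base={common_base(pw)}")
```

The first three samples rate "strong" on the naive meter even though each reduces to an entry on the list; only the last one is rated "strong" by both checks.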
It is particularly concerning that many of the passwords on this list haven’t changed since SplashData’s first report in 2011. SplashData releases the list annually in hopes of encouraging Internet users to strengthen their passwords, and to remind them that they are at risk of compromising their private information if they continue to use weak or common passwords.
Among your resolutions for this year, add the ongoing resolution to create more secure passwords. You can easily craft strong passwords and safely store them using a password manager like Blur. This helps you to protect your privacy online, whether you’re reviewing bank information or reading a news article.
Make 2016 the year that you proactively protect your identity.