For the second year in a row, "123456" remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers.
While having "123456" as your password is quite bad, the other terms found on a list of Top 100 Worst Passwords of 2017 are just as distressing and regretful.
Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah).
But, by far, the list was dominated by names, with the likes of Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35), Andrew (#36), Andrea (#38), Joshua (#40), George (#48), Nicole (#53), Hunter (#54), Chelsea (#62), Phoenix (#66), Amanda (#67), Ashley (#69), Jessica (#74), Jennifer (#76), Michelle (#81), William (#86), Maggie (#92), Charlie (#95), and Martin (#96), showing up on the list.
List compiled from five million leaked credentials
The list was put together by SplashData, a company that provides various password management utilities such as TeamsID and Gpass. The company said it compiled the list by analyzing over five million user records leaked online in 2017 and that also contained password information.
"Use of any of the passwords on this list would put users at grave risk for identity theft," said a SplashData spokesperson in a press release that accompanied a two-page PDF document containing a list of the most encountered passwords.
This is because attackers use these same leaked records to build similar lists of leaked passwords, which they then assemble as "dictionaries" for carrying out account brute-force attacks.
Attackers will use the leaked terms, but they'll also create common variations on these words using simple algorithms. This means that by adding "1" or any other character combinations at the start or end of basic terms, users aren't improving the security of their password.
Advising users on best password policies is a doctoral paper in its own right, but for the time being, users should look into using unique passwords per account, possibly employing a password manager, using more complex passwords, and above all, staying away from the terms below.
1 - 123456 (rank unchanged since 2016 list)
2 - password (unchanged)
3 - 12345678 (up 1)
4 - qwerty (Up 2)
5 - 12345 (Down 2)
6 - 123456789 (New)
7 - letmein (New)
8 - 1234567 (Unchanged)
9 - football (Down 4)
10 - iloveyou (New)
11 - admin (Up 4)
12 - welcome (Unchanged)
13 - monkey (New)
14 - login (Down 3)
15 - abc123 (Down 1)
16 - starwars (New)
17 - 123123 (New)
18 - dragon (Up 1)
19 - passw0rd (Down 1)
20 - master (Up 1)
21 - hello (New)
22 - freedom (New)
23 - whatever (New)
24 - qazwsx (New)
25 - trustno1 (New)
Comments
NickAu - 6 years ago
My password to everything 'incorrect.' That way when I forget it, it always reminds me, 'Your password is incorrect.
Angoid - 6 years ago
The other one is "top secret." That way, when someone asks you for your password, you can tell them that it's top secret.
I think this problem partly arises because people just can't be bothered to come up with good passwords or they just don't care about their online security.
JohnC_21 - 6 years ago
I think a very large number of these "123456" passwords are for junk accounts used along with junk email accounts or other accounts like forums a person only wants to login to a few times. Same reason practically everybody on the planet using a Web Forum has 1/1/XXXX for a birthday.
Occasional - 6 years ago
Good point John. Websites that would accept such weak PWs, probably would be better off not requiring one. They can use other means to control access/enrollment, limit robo-entries....
As CC points out: a best practices for PWs would be a long read - and it's a continuously evolving concern. Just too many passwords are required, to create and document ones that are of high quality and unique to each account.
So, use a PW manager? Only if you protect the master PW as you do the family jewels (it's the 'all your eggs in one basket', conundrum).
PW length being a well regarded advantage, I prefer pass-phrases, to passwords. Use unique and long ones for the important stuff, and throw away ones for accounts for which you wouldn't provide sensitive data, anyway.