Mobile // Mobile Devices
News
1/21/2014
04:06 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

'Password' No Longer Worst Password

The security firm SplashData publishes its list of the 25 worst passwords of 2013.

10 Top Password Managers
10 Top Password Managers
(Click image for slideshow.)

Thanks to the Adobe security breach last year, which exposed the IDs and encrypted passwords for 38 million Adobe.com users, we now know that the most commonly used password on the Internet is "123456."

As such, SplashData, a computer security firm that makes password management apps, recognized "123456" as the "Worst Password of 2013." The company says its list of the 25 worst passwords is based on the frequency of passwords found online as a result of disclosures -- largely but not exclusively from the Adobe incident. The ease with which these passwords could be cracked using brute-force methods is not taken into account.

A two-time runner-up, "123456" has dethroned "password," a local favorite due to its jaw-dropping obviousness and its always amusing self-referential nature. It slipped only to No. 2 on the list and could regain the top spot if consumer disinterest in security continues this year, as it has for decades. Computer buyers have neglected security more or less since personal computers became popular in the 1980s.

[Want more password tips? Read Sweet Password Security Strategy: Honeywords.]

Coming in at No. 3 (unchanged from last year), we have "12345678." What's unclear is why more people give up after typing eight digits than bother persevering to "123456789" and "1234567890," which occupy the No. 6 and No. 13 spots, respectively. Inexplicably, "1234567" shows up at No. 8.

At No. 4, we find "qwerty," which, like "123456," consists of six characters of comparable obviousness -- someone figured having a password spelled out on the keyboard would make a convenient mnemonic. Why six characters? Perhaps in the vain hope of keeping out hackers who give up after exhausting their default configuration of five fingers. Another dismal password, "111111" (No. 7 on the list), also sports six characters.

The No. 5 password, "abc123," shows computer users mixing up letters and numbers. It's the start of a workable computer security strategy, though that's not enough to keep the password from being awful and obvious.

At No. 9, there's the unexpected but still insecure "iloveyou." Adorable though it might be, it suggests two people sharing a user account, which isn't really an advisable security practice. Alternately, it hints at someone with a misplaced affinity for technology who really should get out more.

At No. 10 is "adobe123," ahead of "photoshop," at No. 15. Neither entry comes close to being secure -- doubly so as passwords on Adobe.com.

This year will mark the 10th anniversary of the Bill Gates prediction "Over time, people are going to rely less and less on passwords." Finally, after a decade, the needle is starting to move. We're beginning to see ways to enhance the weak security offered by passwords. Google and Twitter are using two-factor authentication. Facebook offers something similar with its Login Approvals. And Apple has introduced the Touch ID biometric authentication system with its iPhone 5S.

Even so, expect another such list at the end of 2014. Bad passwords will remain an issue for years to come.

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. He's the author of a science fiction novel, Reflecting Fires, and his mobile game Blocfall Free is available for iOS, Android, and Kindle Fire.

InformationWeek Conference is an exclusive two-day event taking place at Interop where you will join fellow technology leaders and CIOs for a packed schedule with learning, information sharing, professional networking, and celebration. Come learn from each other and honor the nation's leading digital businesses at our InformationWeek Elite 100 Awards Ceremony and Gala. You can find out more information and register here. In Las Vegas, March 31 to April 1, 2014.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
gasdetectors
50%
50%
gasdetectors,
User Rank: Apprentice
1/27/2014 | 10:21:15 AM
Re: How many passwords?
Quickly changes password from 123456 to something more apt (joking)
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Author
1/23/2014 | 8:53:52 PM
Re: How many passwords?
Twenty-six passwords? Yikes. Don't lose that piece of paper!
WKash
50%
50%
WKash,
User Rank: Author
1/22/2014 | 6:31:01 PM
Re: How many passwords?
We use so many cloud and network based systems now, the number of passwords just for work has grown to nearly two dozen.  Add the accounts I use for managing my families personal affairs and devices ("What password did I settle on for the XBox?"), plus media sites for research, social sites, etc, and the number is literally close to 100 sites that have passwords.  I need a spreadsheet (encrypted, but probably not unhackable) to keep track of it all. Can't wait till Bill Gates prediction comes true.
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/22/2014 | 2:02:57 PM
Re: Is it time for IT to mandate password managers?
Sounds like I just need a better class of user if you know some that can remember 12. My users just can't even keep up with this one AD password, which automatically syncs with their Lotus Notes account. :-) So the current system is most of them have it written down on their desk somewhere, which is at least effective to keep remote hackers out. And keeping me and my admin resetting passwords frequently.

To make things worse, Corp has recently started a new policy of locking the AD account if you guess wrong 5 times. That's just inspired real joy in the user community. They screwed something up on that policy last week and managed to lock out everyone across globe who even tried to sign on with correct password. The next IT satisfaction survey won't be pretty.  :-)
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
1/22/2014 | 1:52:51 PM
Re: Is it time for IT to mandate password managers?
These systems aren't perfect and won't cover every eventuality, but there are a number of them to choose from. Think about it: If you take a user from having to remember 12 complex passwords to having to remember three or four (the pw manager and noncompatible systems) that's a huge improvement. Plus, some offer niceties like two-factor authentication.

 
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/22/2014 | 1:47:47 PM
Re: Is it time for IT to mandate password managers?
Ah, I got you.

I obviously know nothing about this kind of software but seems like it would have to integrate with a lot of stuff to work without an admin, which I was jokingly hinting at. For example, our Active Directory password has to change every 90 days. It would have to capture that to be effective. And remember what previous password(s) were because sometimes users have an old password cached locally on PC because they haven't signed on to domain in awhile. This is particular problem with outside sales guys and people who borrow loaner laptop/tablet for travel when they have desktops.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
1/22/2014 | 1:40:04 PM
Re: Is it time for IT to mandate password managers?
No, I mean password manager systems like LastPass. We rounded up 10 systems here.

It's a technology problem. Why not use technology to solve it?
TerryB
50%
50%
TerryB,
User Rank: Ninja
1/22/2014 | 1:24:44 PM
Re: Is it time for IT to mandate password managers?
Paying them? :-)  Or is that minimum wage job?

I joke but can you imagine the integrity you better have in this person?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
1/22/2014 | 9:54:28 AM
Another way
Check out an idea from cartoonist John Klossner. It might not totally solve your problem, but I guarantee it will put a smile on your face. Cartoon: Forgot Password? Click here.  (Paste url into your browser) 
http://www.informationweek.com/security/identity-and-access-management/cartoon-forgot-password-click-here/d/d-id/1113421?

 :-)
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
1/22/2014 | 9:39:08 AM
Is it time for IT to mandate password managers?
An officially sanctioned password manager, with training, may be the answer here. Given BYOD and that SSO seems to be a pipe dream, IT has to try something. What's the downside of rolling out a password manager?
Page 1 / 2   >   >>
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.