'Password' No Longer Worst Password - InformationWeek
Mobile // Mobile Devices
04:06 PM
Connect Directly

'Password' No Longer Worst Password

The security firm SplashData publishes its list of the 25 worst passwords of 2013.

10 Top Password Managers
10 Top Password Managers
(Click image for slideshow.)

Thanks to the Adobe security breach last year, which exposed the IDs and encrypted passwords for 38 million Adobe.com users, we now know that the most commonly used password on the Internet is "123456."

As such, SplashData, a computer security firm that makes password management apps, recognized "123456" as the "Worst Password of 2013." The company says its list of the 25 worst passwords is based on the frequency of passwords found online as a result of disclosures -- largely but not exclusively from the Adobe incident. The ease with which these passwords could be cracked using brute-force methods is not taken into account.

A two-time runner-up, "123456" has dethroned "password," a local favorite due to its jaw-dropping obviousness and its always amusing self-referential nature. It slipped only to No. 2 on the list and could regain the top spot if consumer disinterest in security continues this year, as it has for decades. Computer buyers have neglected security more or less since personal computers became popular in the 1980s.

[Want more password tips? Read Sweet Password Security Strategy: Honeywords.]

Coming in at No. 3 (unchanged from last year), we have "12345678." What's unclear is why more people give up after typing eight digits than bother persevering to "123456789" and "1234567890," which occupy the No. 6 and No. 13 spots, respectively. Inexplicably, "1234567" shows up at No. 8.

At No. 4, we find "qwerty," which, like "123456," consists of six characters of comparable obviousness -- someone figured having a password spelled out on the keyboard would make a convenient mnemonic. Why six characters? Perhaps in the vain hope of keeping out hackers who give up after exhausting their default configuration of five fingers. Another dismal password, "111111" (No. 7 on the list), also sports six characters.

The No. 5 password, "abc123," shows computer users mixing up letters and numbers. It's the start of a workable computer security strategy, though that's not enough to keep the password from being awful and obvious.

At No. 9, there's the unexpected but still insecure "iloveyou." Adorable though it might be, it suggests two people sharing a user account, which isn't really an advisable security practice. Alternately, it hints at someone with a misplaced affinity for technology who really should get out more.

At No. 10 is "adobe123," ahead of "photoshop," at No. 15. Neither entry comes close to being secure -- doubly so as passwords on Adobe.com.

This year will mark the 10th anniversary of the Bill Gates prediction "Over time, people are going to rely less and less on passwords." Finally, after a decade, the needle is starting to move. We're beginning to see ways to enhance the weak security offered by passwords. Google and Twitter are using two-factor authentication. Facebook offers something similar with its Login Approvals. And Apple has introduced the Touch ID biometric authentication system with its iPhone 5S.

Even so, expect another such list at the end of 2014. Bad passwords will remain an issue for years to come.

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. He's the author of a science fiction novel, Reflecting Fires, and his mobile game Blocfall Free is available for iOS, Android, and Kindle Fire.

InformationWeek Conference is an exclusive two-day event taking place at Interop where you will join fellow technology leaders and CIOs for a packed schedule with learning, information sharing, professional networking, and celebration. Come learn from each other and honor the nation's leading digital businesses at our InformationWeek Elite 100 Awards Ceremony and Gala. You can find out more information and register here. In Las Vegas, March 31 to April 1, 2014.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Author
1/22/2014 | 9:15:39 AM
How many passwords?
I have 26 work-related passwords -- some used daily, some used quarterly or less often -- written down on a sheet of paper I keep in my desk. How many passwords do you have to remember to do your job? 
User Rank: Author
1/22/2014 | 8:53:58 AM
Re: Password
The problem for users, of course, is remembering their myriad complex passwords. Enter password managers. We offered a nice roundup here: http://www.informationweek.com/security/risk-management/10-top-password-managers/d/d-id/1109759?
IW Pick
User Rank: Ninja
1/22/2014 | 8:45:02 AM
Re: So many password requirements
What we'll see next year is that the most popular password will be 123456A!

When you make password rules too complex people get frustrated and go with the path of least resistance.  There are a few sites that I use who have crazy password requirements and I use them very infrequently.  It seems like I have to send a password reset request every 3-6 months when I need to use the site for something because I can't remember where I put the capital letter, which symbol I used and where the number goes.
Kristin Burnham
Kristin Burnham,
User Rank: Author
1/21/2014 | 8:16:53 PM
So many password requirements
Most of the websites I visit require a capital letter, a number and a symbol in the password. It's annoying and tedious, but that's also probably why I have yet to be hacked.
User Rank: Apprentice
1/21/2014 | 6:08:48 PM
Why bother?
When the NSA already has everything it needs. Let's not forget that what the NSA doesn't have, some Russian teenage hacker will get the rest (i.e. Target). Privacy and security is an illusion in the digital age.

Lorna Garey
Lorna Garey,
User Rank: Author
1/21/2014 | 6:06:41 PM
Honestly, at some point, if you're that dumb and/or lazy, you deserve to be hacked. That goes for enterprises that don't set standards to keep people from using "password" or "12345678."
User Rank: Ninja
1/21/2014 | 5:57:22 PM
Password should be banned on all systems to use as a password. I tell people to get a little creative. Use numbers or symbols as letters. ex pa$$w0rd. Atleast its different.
User Rank: Apprentice
1/21/2014 | 4:39:28 PM
Re: Why people stop at "8"
Lock people out after three failed tries.
User Rank: Apprentice
1/21/2014 | 4:38:52 PM
That's the same combination I have on my luggage....
User Rank: Apprentice
1/21/2014 | 4:36:21 PM
Why people stop at "8"
In your article, you are baffled by why people stop at "12345678" and do not add the 9.  This is because a lot of sites declare that you must have 8 characters in your password.  Therefore, 12345678 meets this requirement, and 123456789 would cause you to waste time typing 9.  
<<   <   Page 2 / 2
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll