News, 1/20/2016 05:06 PM

Worst Passwords Of 2015 Reveal Our Stupidity

This year's list is an indication that the sooner we get rid of password-based authentication, the better.


Proving that computer security can't compete with user indifference, the worst password of 2015 is "123456," as it has been since at least 2011. "Childrens do learn," as George W. Bush once said, but Internet users make the same mistakes over and over and over.

On Wednesday, SplashData, a maker of password management software, released its list of the worst passwords last year in part to underscore the utility of its wares, which include password managers. Use of such software is something recommended not just by vendors but also by security professionals without such an obvious vested interest in moving merchandise.

However, password management software may bring another set of risks, as the compromise of LastPass last year revealed. But given the disastrously obvious passwords chosen by the Internet users who are represented in this data sample, it's doubtful that employing a password manager and accepting its recommendations for strong passwords could be any worse.

(Image: SplashData)

According to SplashData CEO Morgan Slain, the 2015 report is based on more than two million passwords revealed through searches of public plain text data dumps. "The goal of the annual report is to encourage people to make stronger passwords," he explains in an online post, noting that people should also avoid reusing passwords.

Left to handle the task of password construction unaided, too many Internet users revisit bad passwords from the past, like "password." Or they try to innovate and fall short. This year, thanks to the popularity of Star Wars: The Force Awakens, new entries in the top 25 include "princess," "solo," and "starwars," none of which are nearly complicated enough to defend against a dictionary attack or an average nine-year-old.

Slain observes that people last year made an effort to create more secure passwords by adding more characters to their passwords. The problem is that many of these passwords are just extensions of obvious patterns. For example, the password "1234567890" appears at number 12 on the list for the first time, but it's not really any better than painfully obvious variants like "123456" or "12345."

There is some good news, however. According to SplashData spokesman Kevin Doel, only about 3% of the individuals represented in the data sample were using these top 25 worst passwords. That's down from 4% in recent surveys, and down from even higher figures cited by other researchers, Doel told InformationWeek in an email.

The top 25 worst passwords of 2015, according to SplashData, are as follows:

Rank  Password     Change from 2014
  1   123456       Unchanged
  2   password     Unchanged
  3   12345678     Up 1
  4   qwerty       Up 1
  5   12345        Down 2
  6   123456789    Unchanged
  7   football     Up 3
  8   1234         Down 1
  9   1234567      Up 2
 10   baseball     Down 2
 11   welcome      New
 12   1234567890   New
 13   abc123       Up 1
 14   111111       Up 1
 15   1qaz2wsx     New
 16   dragon       Down 7
 17   master       Up 2
 18   monkey       Down 6
 19   letmein      Down 6
 20   login        New
 21   princess     New
 22   qwertyuiop   New
 23   solo         New
 24   passw0rd     New
 25   starwars     New
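A defender-side check built around the list above and the "longer but still obvious" problem the article describes: it rejects list entries, entries with digits appended, leet-spelled variants, repeated characters and cut-outs of keyboard walks. This is an added example, not SplashData's or InformationWeek's code; the keyboard-walk strings, the leet substitution table and the sample passwords are my own assumptions.

```python
import re

# The 25 entries as printed in the article (SplashData's 2015 list).
WORST_2015 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
    "1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
    "1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
    "qwertyuiop", "solo", "passw0rd", "starwars",
}

# Keyboard rows, one column walk and plain sequences. Assumption: these are the
# patterns that entries like "1234567890", "qwertyuiop" and "1qaz2wsx" are cut from.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz2wsx3edc4rfv5tgb6yhn7ujm", "abcdefghijklmnopqrstuvwxyz",
]

# Common digit/symbol-for-letter substitutions, so "Pa$$w0rd!" is judged as "password".
LEET = str.maketrans("0134@$", "oleaas")


def candidates(pw: str) -> list:
    """Lower-cased alphanumeric core of pw, as typed and with leet substitutions undone."""
    lowered = pw.lower()
    raw = re.sub(r"[^a-z0-9]", "", lowered)
    unleet = re.sub(r"[^a-z0-9]", "", lowered.translate(LEET))
    return [raw] if raw == unleet else [raw, unleet]


def weakness(pw: str):
    """Reason why pw is on, or trivially derived from, the 2015 list; None if it passes."""
    for core in candidates(pw):
        if core in WORST_2015:
            return f"on the 2015 worst list as {core!r}"
        stripped = core.rstrip("0123456789")  # "dragon2015" is still "dragon"
        if stripped and stripped in WORST_2015:
            return f"worst-list entry {stripped!r} with digits appended"
        if core and len(set(core)) == 1:  # "222222" is no better than "111111"
            return "single repeated character"
        for walk in KEYBOARD_WALKS:
            if len(core) >= 4 and (core in walk or core in walk[::-1]):
                return f"keyboard walk or sequence cut from {walk!r}"
    return None


def audit(passwords) -> float:
    """Share of a sample that trips the check, the way the article's 3% figure is framed."""
    flagged = [pw for pw in passwords if weakness(pw)]
    return len(flagged) / len(passwords) if passwords else 0.0

# Constructed sample, not data from the article.
SAMPLE = ["123456", "Pa$$w0rd!", "654321", "dragon2015", "correct horse battery staple"]
```

Such a check only catches passwords that are derived from a known-bad list; it says nothing about whether a password that passes is unique to the user, which is the separate point raised in the comments.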

Though SplashData began publishing its list in 2011, many of these bad passwords date back further still. A review of Hotmail passwords exposed in a breach back in 2009 also identified "123456" as the most popular password in that data set.

We may have a few more years of Groundhog Day-style déjà vu, but there is reason to believe we will break out of the bad password loop eventually. At the RSA Security conference in 2004, Microsoft chairman Bill Gates predicted that password-based authentication would decline over time. More than a decade later, there's actually some visible progress toward that future.

Fingerprint access sensors are now common in mobile phones like Apple's iPhone 6s and are showing up in laptops. Intel on Tuesday pitched its Core vPro processor line, which supports multifactor authentication. Tom Garrison, vice president and general manager of Intel's Business Client division, showed how the chipset allows users to log in without a password by using a fingerprint and a second factor like a phone proximity check. Microsoft meanwhile is offering its Windows Hello biometric authentication platform to provide an alternative to passwords. Google has been testing a way to log in using an email address and a smartphone notification, rather than with a password.

Passwords probably won't disappear entirely. Access based on knowledge, rather than physical characteristics, is just too convenient. It also provides a necessary fallback for people who can't use biometrics, like amputees or some people with other disabilities. But more and more, we will have alternatives to bad passwords, if we can be bothered to take online security seriously.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Michelle,
User Rank: Ninja
1/31/2016 | 9:54:13 PM
Re: Stupidity of the rules
@Impactnow I have stopped trying more than once to guess my passwords. Resetting is just what I do now...
impactnow,
User Rank: Ninja
1/22/2016 | 6:47:19 PM
Re: Stupidity of the rules
Ariella LOL that happens to me all the time. This list is representative of the insanity of passwords. Why there isn't a standard password requirement for all industries is beyond me. Every company having their own requirements makes the life of consumers miserable; we are constantly playing password hide and seek. Companies then increase their operating costs to support the password chaos. No one wins.

Ariella,
User Rank: Author
1/22/2016 | 1:42:51 PM
Re: Stupidity of the rules
@Michelle oh, yes, and I sometimes don't remember which ones are case sensitive and which ones demanded a capital and special character. So I often come close to locking myself out as I try out variations and then ask for a password reset via email.
Michelle,
User Rank: Ninja
1/22/2016 | 1:40:15 PM
Re: Stupidity of the rules
I feel like I'm constantly changing passwords because I can't remember which criteria were required to make the password in the first place. There are soooo many sites that require complex passwords where the information is far from sensitive. It's maddening.
Ariella,
User Rank: Author
1/22/2016 | 10:05:36 AM
Re: Stupidity of the rules
@Banacek I absolutely loathe having such strict guidelines for passwords. That's the kind of thing that gave rise to this, which exists in several forms.

I also get annoyed by having to change mine every 30 days or whatever on certain sites. I understand why they think it's more security, but these are sites that don't deal with sensitive information.
vnewman2,
User Rank: Ninja
1/21/2016 | 7:32:39 PM
Re: Stupidity of the rules
@Banacek - exactly!  You have to write them down or log them into some online database somewhere which totally defeats the purpose.  So now, I just keep trying my usual passwords until I get locked out, then just reset the darn thing.
jastroff,
User Rank: Ninja
1/21/2016 | 5:56:57 PM
Re: Stupidity of the rules
I'm glad to see my password isn't there -- 654321

works every time!
TerryB,
User Rank: Ninja
1/21/2016 | 12:59:37 PM
Re: Stupidity of the rules
Amen @banacek. I just read my credit union the riot act for changing its online banking password rules to force a change every 90 days even though they have a two factor system!

It's getting to the point where it's just not worth it anymore; going to the bank to move money from savings to checking and having them email my statement monthly was not that bad. But they require you to have an online account. It's obvious that them saving money comes first (fraud liability, less banks/people, self serve vs they serve) with them and customer preferences last.
Banacek,
User Rank: Ninja
1/21/2016 | 11:32:21 AM
Re: Stupidity of the rules
BTW, this list also points out something else. A bad password isn't just one that is 'simple' or 'easy'. IHatePa$$w0rdsAndWillF0rever! would probably be determined by online checks to be a 'great' password. But if everyone uses it, um, not so much. So uniqueness has to be part of the ploy. It never comes up because if passwords are private, how would anyone know if they're unique? Except we know they're not private anymore.

And what about web sites that limit your special character selection? What's up with that? I can't use a '$' or a '%' symbol? Well, I'm not lazy, the programmer is! But somehow it's my fault if my password isn't strong enough.

(And I used one web site that passed the 'no words allowed in the password' rule by literally disallowing the use of any vowel. That's right, your password couldn't contain a vowel!)
Banacek,
User Rank: Ninja
1/21/2016 | 11:28:59 AM
Stupidity of the rules
Password 'security' is a farce in all aspects. They tell you that you should have complex passwords. They should be long and hard to guess, but somehow easy to remember. They should be different for every site and use you have. And they're supposed to change all the time. The government rules for software we wrote were something like "16 characters, 2 upper/lower/integer/special, can't be reused, must be different than the last one significantly, must not contain words or anything that associates to you. And change it every 60 days."

Like, who is NOT writing down that password somewhere? MyR0bberBand9341$#. And once you write it down, there goes your security...