This year's list is an indication that the sooner we get rid of password-based authentication, the better.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 20, 2016

(Image: SplashData)


Proving that computer security can't compete with user indifference, the worst password of 2015 is "123456," as it has been since at least 2011. "Childrens do learn," as George W. Bush once said, but Internet users make the same mistakes over and over and over.

On Wednesday, SplashData, a maker of password management software, released its list of the worst passwords last year in part to underscore the utility of its wares, which include password managers. Use of such software is something recommended not just by vendors but also by security professionals without such an obvious vested interest in moving merchandise.

However, password management software may bring another set of risks, as the compromise of LastPass last year revealed. But given the disastrously obvious passwords chosen by the Internet users who are represented in this data sample, it's doubtful that employing a password manager and accepting its recommendations for strong passwords could be any worse.

According to SplashData CEO Morgan Slain, the 2015 report is based on more than two million passwords revealed through searches of public plain-text data dumps. "The goal of the annual report is to encourage people to make stronger passwords," he explains in an online post, noting that people should also avoid reusing passwords.

Left to handle the task of password construction unaided, too many Internet users revisit bad passwords from the past, like "password." Or they try to innovate and fall short. This year, thanks to the popularity of Star Wars: The Force Awakens, new entries in the top 25 include "princess," "solo," and "starwars," none of which are nearly complicated enough to defend against a dictionary attack or an average nine-year-old.

Slain observes that people last year made an effort to create more secure passwords by adding more characters to their passwords. The problem is that many of these passwords are just extensions of obvious patterns. For example, the password "1234567890" appears at number 12 on the list for the first time, but it's not really any better than painfully obvious variants like "123456" or "12345."

There is some good news, however. According to SplashData spokesman Kevin Doel, only about 3% of the individuals represented in the data sample were using these top 25 worst passwords. That's down from 4% in recent surveys, and down from even higher figures cited by other researchers, Doel told InformationWeek in an email.

The top 25 worst passwords of 2015, according to SplashData, are as follows:

Rank  Password      Change from 2014
   1  123456        Unchanged
   2  password      Unchanged
   3  12345678      Up 1
   4  qwerty        Up 1
   5  12345         Down 2
   6  123456789     Unchanged
   7  football      Up 3
   8  1234          Down 1
   9  1234567       Up 2
  10  baseball      Down 2
  11  welcome       New
  12  1234567890    New
  13  abc123        Up 1
  14  111111        Up 1
  15  1qaz2wsx      New
  16  dragon        Down 7
  17  master        Up 2
  18  monkey        Down 6
  19  letmein       Down 6
  20  login         New
  21  princess      New
  22  qwertyuiop    New
  23  solo          New
  24  passw0rd      New
  25  starwars      New

Though SplashData began publishing its list in 2011, many of these bad passwords date back further still. A review of Hotmail passwords exposed in a breach back in 2009 also identified "123456" as the most popular password in that data set.

We may have a few more years of Groundhog Day-style déjà vu, but there is reason to believe we will break out of the bad password loop eventually. At the RSA Security conference in 2004, Microsoft chairman Bill Gates predicted that password-based authentication would decline over time. More than a decade later, there's actually some visible progress toward that future.


Fingerprint access sensors are now common in mobile phones like Apple's iPhone 6s and are showing up in laptops. Intel on Tuesday pitched its Core vPro processor line, which supports multifactor authentication. Tom Garrison, vice president and general manager of Intel's Business Client division, showed how the chipset allows users to log in without a password by using a fingerprint and a second factor like a phone proximity check. Microsoft meanwhile is offering its Windows Hello biometric authentication platform to provide an alternative to passwords. Google has been testing a way to log in using an email address and a smartphone notification, rather than with a password.

Passwords probably won't disappear entirely. Access based on knowledge, rather than physical characteristics, is just too convenient. It also provides a necessary fallback for people who can't use biometrics, like amputees or some people with other disabilities. But more and more, we will have alternatives to bad passwords, if we can be bothered to take online security seriously.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
