Worst Passwords Of 2015 Reveal Our Stupidity

This year's list is an indication that the sooner we get rid of password-based authentication, the better.

Proving that computer security can't compete with user indifference, the worst password of 2015 is "123456," as it has been since at least 2011. "Childrens do learn," as George W. Bush once said, but Internet users make the same mistakes over and over and over.

On Wednesday, SplashData, a maker of password management software, released its list of the worst passwords last year in part to underscore the utility of its wares, which include password managers. Use of such software is something recommended not just by vendors but also by security professionals without such an obvious vested interest in moving merchandise.

However, password management software may bring another set of risks, as the compromise of LastPass last year revealed. But given the disastrously obvious passwords chosen by the Internet users who are represented in this data sample, it's doubtful that employing a password manager and accepting its recommendations for strong passwords could be any worse.

According to SplashData CEO Morgan Slain, the 2015 report is based on more than two million passwords revealed through searches of public plain text data dumps. "The goal of the annual report is to encourage people to make stronger passwords," he explains in an online post, noting that people should also avoid reusing passwords.

Left to handle the task of password construction unaided, too many Internet users revisit bad passwords from the past, like "password." Or they try to innovate and fall short. This year, thanks to the popularity of Star Wars: The Force Awakens, new entries in the top 25 include "princess," "solo," and "starwars," none of which are nearly complicated enough to defend against a dictionary attack or an average nine-year-old.

Slain observes that people last year made an effort to create more secure passwords by adding more characters to their passwords. The problem is that many of these passwords are just extensions of obvious patterns. For example, the password "1234567890" appears at number 12 on the list for the first time, but it's not really any better than painfully obvious variants like "123456" or "12345."

There is some good news, however. According to SplashData spokesman Kevin Doel, only about 3% of the individuals represented in the data sample were using these top 25 worst passwords. That's down from 4% in recent surveys, and down from even higher figures cited by other researchers, Doel told InformationWeek in an email.

The top 25 worst passwords of 2015, according to SplashData, are as follows:

Rank Password Change from 2014
1 123456 Unchanged
2 password Unchanged
3 12345678 Up 1
4 qwerty Up 1
5 12345 Down 2
6 123456789 Unchanged
7 football Up 3
8 1234 Down 1
9 1234567 Up 2
10 baseball Down 2
11 welcome New
12 1234567890 New
13 abc123 Up 1
14 111111 Up 1
15 1qaz2wsx New
16 dragon Down 7
17 master Up 2
18 monkey Down 6
19 letmein Down 6
20 login New
21 princess New
22 qwertyuiop New
23 solo New
24 passw0rd New
25 starwars New
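
The list above is exactly the kind of data a registration form should check a new password against before accepting it: a small denylist screen of this sort is what password guidance such as NIST SP 800-63B means by rejecting "commonly used" passwords. The following is an added example, not code from SplashData or InformationWeek. It copies the 25 entries from the table and, as assumptions of my own, adds the normalization steps the article's observations suggest: undoing simple character substitutions (so "passw0rd" and "P@ssw0rd!" both resolve to "password"), stripping an appended suffix ("football2016"), and rejecting the obvious-pattern extensions the article describes, such as digit runs ("1234567890") and keyboard walks ("qwertyuiop").

```python
"""Screen a candidate password against the SplashData 2015 top-25 list
and the obvious-pattern extensions described in the article.

Added example, not SplashData's or InformationWeek's code. The top-25
list is copied from the article; the normalization rules (character
substitutions, suffix stripping, sequence detection) and the minimum
length are assumptions about a reasonable registration-time screen.
"""
import string

# The 25 entries as published in the article's table, rank order.
SPLASHDATA_2015_TOP25 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]
TOP25_SET = frozenset(SPLASHDATA_2015_TOP25)

# Assumed substitution table: map common digit/symbol stand-ins back to
# letters so "p4ssw0rd" compares equal to "password".
LEET_MAP = str.maketrans("013457@$", "oieastas")

# Sequences whose substrings (and reversals) count as keyboard walks or
# digit runs; "1234567890" is the extension the article calls out.
SEQUENCES = (
    "1234567890",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
    string.ascii_lowercase,
)


def normalized_forms(pw: str) -> list:
    """Return the forms of pw to compare against the denylist, in order:
    lowercased, with any trailing digits/punctuation removed, and with
    character substitutions undone on the stripped form."""
    low = pw.lower()
    # Keep all-digit passwords intact instead of stripping them to "".
    stripped = low.rstrip(string.digits + string.punctuation) or low
    return [low, stripped, stripped.translate(LEET_MAP)]


def screen_password(pw: str, min_length: int = 8) -> tuple:
    """Return (accepted, reason); reason is None when the password passes.

    The denylist check runs first so that a top-25 entry is reported as
    such even when it is also too short or a pure digit run."""
    for form in normalized_forms(pw):
        if form in TOP25_SET:
            return False, f"matches SplashData top-25 entry {form!r} after normalization"
    low = pw.lower()
    if len(set(low)) == 1:
        return False, "single repeated character"
    if low.isdigit():
        return False, "digits only"
    for seq in SEQUENCES:
        if len(low) >= 4 and (low in seq or low in seq[::-1]):
            return False, f"substring of the sequence {seq!r}"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, None


if __name__ == "__main__":
    # Constructed sample inputs, not drawn from any real data set.
    for candidate in ("123456", "football2016", "P@ssw0rd!", "qwertyui",
                      "20151225", "Tr0ub4dor&3", "correct horse battery staple"):
        ok, why = screen_password(candidate)
        print(f"{candidate!r:32} -> {'accept' if ok else 'reject'}"
              + (f" ({why})" if why else ""))
```

Because the screen normalizes before comparing, it rejects the "extensions of obvious patterns" the article warns about without needing every variant spelled out in the list; a production deployment would swap the 25 entries for a far larger breach-derived list and keep the same normalization step.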

Though SplashData began publishing its list in 2011, many of these bad passwords date back further still. A review of Hotmail passwords exposed in a breach back in 2009 also identified "123456" as the most popular password in that data set.

We may have a few more years of Groundhog Day-style déjà vu, but there is reason to believe we will break out of the bad password loop eventually. At the RSA Security conference in 2004, Microsoft chairman Bill Gates predicted that password-based authentication would decline over time. More than a decade later, there's actually some visible progress toward that future.


Fingerprint access sensors are now common in mobile phones like Apple's iPhone 6s and are showing up in laptops. Intel on Tuesday pitched its Core vPro processor line, which supports multifactor authentication. Tom Garrison, vice president and general manager of Intel's Business Client division, showed how the chipset allows users to log in without a password by using a fingerprint and a second factor like a phone proximity check. Microsoft meanwhile is offering its Windows Hello biometric authentication platform to provide an alternative to passwords. Google has been testing a way to log in using an email address and a smartphone notification, rather than with a password.

Passwords probably won't disappear entirely. Access based on knowledge, rather than physical characteristics, is just too convenient. It also provides a necessary fallback for people who can't use biometrics, like amputees or some people with other disabilities. But more and more, we will have alternatives to bad passwords, if we can be bothered to take online security seriously.
