Worst Passwords Of 2015 Reveal Our Stupidity - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
05:06 PM
Connect Directly

Worst Passwords Of 2015 Reveal Our Stupidity

This year's list is an indication that the sooner we get rid of password-based authentication, the better.

8 Ways Cloud Storage Delivers Business Value
8 Ways Cloud Storage Delivers Business Value
(Click image for larger view and slideshow.)

Proving that computer security can't compete with user indifference, the worst password of 2015 is "123456," as it has been since at least 2011. "Childrens do learn," as George W. Bush once said, but Internet users make the same mistakes over and over and over.

On Wednesday, SplashData, a maker of password management software, released its list of the worst passwords last year in part to underscore the utility of its wares, which include password managers. Use of such software is something recommended not just by vendors but also by security professionals without such an obvious vested interest in moving merchandise.

However, password management software may bring another set of risks, as the compromise of LastPass last year revealed. But given the disastrously obvious passwords chosen by the Internet users who are represented in this data sample, it's doubtful that employing a password manager and accepting its recommendations for strong passwords could be any worse.

(Image: SplashData)

(Image: SplashData)

According to SplashData CEO Morgan Slain, the 2015 report is based on more than two million passwords revealed through searches of public plain text data dumps. "The goal of the annual report is to encourage people to make stronger passwords," he explains in an online post, noting that people should also avoid reusing passwords.

Left to handle the task of password construction unaided, too many Internet users revisit bad passwords from the past, like "password." Or they try to innovate and fall short. This year, thanks to the popularity of Star Wars: The Force Awakens, new entries in the top 25 include "princess," "solo," and "starwars," none of which are nearly complicated enough to defend against a dictionary attack or an average nine-year-old.

Slain observes that people last year made an effort to create more secure passwords by adding more characters to their passwords. The problem is that many of these passwords are just extensions of obvious patterns. For example, the password "1234567890" appears at number 12 on the list for the first time, but it's not really any better than painfully obvious variants like "123456" or "12345."

There is some good news, however. According to SplashData spokesman Kevin Doel, only about 3% of the individuals represented in the data sample were using these top 25 worst passwords. That's down from 4% in recent surveys, and down from even higher figures cited by other researchers, Doel told InformationWeek in an email.

The top 25 worst passwords of 2015, according to SplashData, are as follows:

Rank Password Change from 2014
1 123456 Unchanged
2 password Unchanged
3 12345678 Up 1
4 qwerty Up 1
5 12345 Down 2
6 123456789 Unchanged
7 football Up 3
8 1234 Down 1
9 1234567 Up 2
10 baseball Down 2
11 welcome New
12 1234567890 New
13 abc123 Up 1
14 111111 Up 1
15 1qaz2wsx New
16 dragon Down 7
17 master Up 2
18 monkey Down 6
19 letmein Down 6
20 login New
21 princess New
22 qwertyuiop New
23 solo New
24 passw0rd New
25 starwars New

Though SplashData began publishing its list in 2011, many of these bad passwords date back further still. A review of Hotmail passwords exposed in a breach back in 2009 also identified "123456" as the most popular password in that data set.

We may have a few more years of Groundhog Day-style déjà vu, but there is reason to believe we will break out of the bad password loop eventually. At the RSA Security conference in 2004, Microsoft chairman Bill Gates predicted that password-based authentication would decline over time. More than a decade later, there's actually some visible progress toward that future.

[See why Google says your password security questions are terrible.]

Fingerprint access sensors are now common in mobile phones like Apple's iPhone 6s and are showing up in laptops. Intel on Tuesday pitched its Core vPro processor line, which supports multifactor authentication. Tom Garrison, vice president and general manager of Intel's Business Client division, showed how the chipset allows users to login without a password by using a fingerprint and a second factor like a phone proximity check. Microsoft meanwhile is offering its Windows Hello biometric authentication platform to provide an alternative to passwords. Google has been testing a way to login using an email address and a smartphone notification, rather than with a password.

Passwords probably won't disappear entirely. Access based on knowledge, rather than physical characteristics, is just too convenient. It also provides a necessary fallback for people who can't use biometrics, like amputees or some people with other disabilities. But more and more, we will have alternatives to bad passwords, if we can be bothered to take online security seriously.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Author
1/21/2016 | 9:53:08 AM
Re: Amazing
Even Cisco typically uses a version of this and ran into trouble when it deviated. See http://www.theregister.co.uk/2016/01/12/cisco_password_snafu/?mt=1452646807203:

"A number of C-Series servers have shipped to customers with a non-standard default password which prevents access to the Cisco Integrated Management Controller (CIMC) unless the configured password is provided," the Borg says in a new Field Notice.

Kit made between between November 17, 2015 and January 6, 2016 was misconfigured. If you get one and try to get it working with Cisco's default admin password – "password" – you'll look like a very silly sysadmin indeed.

The fault is all Cisco's: for reasons it's not explaining, the firm instead set the default password to "Cisco1234".
User Rank: Author
1/22/2016 | 10:05:36 AM
Re: Stupidity of the rules
@Banceck I absolutely loath having such strict guidelines for passwords. That's the kind of thing that gave rise to this, which exists in several forms.

I also get annoyed by having to change mine every 30 days or whatever on certain sites. I understand why they think it's more security, but these are sites that don't deal with sensitive information. 
User Rank: Author
1/22/2016 | 1:42:51 PM
Re: Stupidity of the rules
@Michelle oh, yes, and I sometimes don't remember which ones are case sensitive and which ones demanded a capital and special character. So I often come close to locking myelf out as I try out variations and then ask for a password reset via email.
User Rank: Author
1/22/2016 | 6:47:19 PM
Re: Stupidity of the rules


Ariella LOL that happens to me all the time. This list is representative of the insanity of passwords. Why there isn't a standard password requirement for all industries is beyond me. Every company having their own requirements makes the life of consumers miserable we are constantly playing password hide and seek. Companies then increase their operating costs to support the password chaos. No one wins.

InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Flash Poll