Password Fail: Are Your Workers Using 123456?

The 25 worst passwords of 2014 demonstrate once again that people just can't be bothered to take responsibility for their online security.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 20, 2015

3 Min Read

Google Project Ara: 8 Dev Conference Images

Google Project Ara: 8 Dev Conference Images

Google Project Ara: 8 Dev Conference Images (Click image for larger view and slideshow.)

The worst password of 2014 is again "123456," proving that those who cannot remember history are doomed to repeat it -- and to risk being hacked.

How many of your workers are using lame passwords? The annual list of the 25 worst passwords, compiled by SplashData, a Los Gatos, Calif.-based company that provides password management software, is a good excuse for IT teams everywhere to conduct a password audit and provide some basic security training.

For the past four years, SplashData has examined password data made public through security breaches. The 2014 password list was derived from 3.3 million leaked passwords associated with North American and European user accounts.

Every year since 2011, "123456" has topped the list, demonstrating that people just can't be bothered to take responsibility for their online security.

This is evident from a June 2014 article in Canada's Winnipeg Sun that describes how two 14-year-olds hacked a Bank of Montreal ATM, putting it into operator mode "when their first random guess at the six-digit password worked."

Though the article does not specify what this "common default password" was -- you wouldn't want that critical information to become public, you know -- "123456" would be the random six-digit number you'd want to start with, based on historical data.

[ Are burned-out workers to blame for security lapses? Read Burned-Out Workers Are Dangerous. ]

"Passwords based on simple patterns on your keyboard remain popular despite how weak they are," said Morgan Slain, CEO of SplashData, in a statement. "Any password using numbers alone should be avoided, especially sequences."

Among the top 10 most commonly seen passwords, the third, fourth, sixth, and seventh most popular choices (12345, 12345678, 123456789, and 1234, respectively) were all sequences of digits.

If only stating the obvious were enough. The problem is not just that simple numeric sequences need to be avoided. Simple words are bad too. Consider the fact that the second most common password being used (and the second least secure) is still "password," as it has been for the past four years.

Other text-oriented entries in the top 10 were: "qwerty" (5), "baseball" (8), "dragon" (9), and "football" (10).

If that tempts you to lay your head on your keyboard in despair, there is some cause for optimism. According to Mark Burnett, an online security researcher who worked with SplashData, Internet users are moving away from using the 25 most commonly seen passwords. In 2014, about 2.2% of exposed passwords came from the top 25, a lower percentage than previous studies.

In October 2014, the United Kingdom's Home Office found that 75% of Britons don't follow best practices for creating strong passwords. It's more or less the same all over. The reason is largely that strong passwords are hard to remember, particularly for those who regularly access dozens of websites. Ideally, every website should have a different password. Reality is far from ideal, however, and password reuse is common.

If there's an answer to the frailty of human memory, it's to employ a password management app or at least to come up with a mnemonic system that allows you create varied passwords that can each be recalled easily. In addition, using two-factor authentication is generally worthwhile when it's an option.

Does your resiliency plan take into account both natural disasters and man-made mayhem? If the CISO hasn't signed off, assume the answer is no. Get the Disaster Recovery In The APT Age Tech Digest from Dark Reading today. (Free registration required.)

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights