The most common password of 2016 was ‘123456,’ according to password management firm Keeper Security. Almost 17 percent of web users rely on the unimaginative phrase to keep their data secure. Keeper assessed the top 25 passwords found in data from Have I Been Pwned, Leaked Source, Randomize and Tripwire.
Second on the list was the equally uninspired ‘123456789,’ followed by ‘qwerty,’ ‘1245678’ and ‘111111.’ The entirety of the keyboard’s top row, ‘1234567890,’ makes it into sixth place, followed by ‘1234567’ and ‘password.’ At eighth place, ‘password’ is now slipping down the ranks of the world’s worst passwords. People are using strings of digits instead in a vain attempt to keep their accounts secure.
Beyond tenth place, things get little better. It does become less predictable though, with phrases including ‘mynoob’ making it onto the list. Somewhat incongruously, there’s also ’18atcsdk2w,’ a seemingly random password that isn’t too insecure. Itself confounded by this entry, Password Keeper consulted security researcher Graham Cluey to explain its presence.
According to Cluey, the password is probably being used by automated bots trying to spam online forums. Rather than be a sign that people are moving in the right direction with their passwords, it’s actually an indication that bot fraud is on the rise.
With the top 10 still dominated by the keyboard’s top row, there’s a clear need for more education on what makes a good password. Keeper called for website operators to do more to force people to create strong phrases. Even after years of major data breaches, companies are still happy for people to use ‘123456’ and ‘password.’
Using a weak password makes your accounts more susceptible to attack. Trivial phrases can easily be guessed while strings of letters and numbers can be brute forced in seconds using automated procedures. Keeper suggested using a password manager utility to automatically generate random passwords. These can then be stored in the program and accessed as required, eliminating the need to remember long phrases.
According to Keeper, it would take over 4.83^83 years to brute-force a randomly-generated 51-character string containing letters, numbers and symbols. Although you’re unlikely to want to type it in often, you won’t need to if you’re using a password manager and it could keep your account safe in the event of a cyberattack.
