SplashData releases its ‘worst passwords’ list once each year. It has evaluated the password strength of North American and Western European Internet users to work out the worst passwords regularly used in 2015.
Simple strings of numbers feature prominently in the list. Eight of the 25 entries are numbers such as “1234567” and “123456789”. “111111” gets into 14th place, just ahead of “1qaz2wsx” which may look secure for a couple of seconds until you realise it’s just going diagonally across the keyboard.
Several new entries have made it onto the list in the past year. In 20th place is “login,” followed by “princess” and the not-so imaginative “qwertyuiop.” References to topical film Star Wars have also appeared in the past 12 months with “solo” and “starwars” entering at 23rd and 25th respectively. The phrases are a clear indicator of how people use popular topics of discussion to pick their supposedly memorable and secure phrases.
The top five worst passwords now consists of “123456”, “password”, “12345678”, “qwerty” and “12345.” SplashData said the simple passwords are easy for attackers to guess and are effectively useless at protecting personal data.
The company says the rise of lengthier phrases, such as “1234567890”, suggests people are considering security but aren’t going any further than adding a few extra digits onto their existing insecure password. In this kind of scenario, the extra protection offered is “virtually worthless” as an attacker would be kept away for only a couple of seconds more.
Morgan Slain, CEO of SplashData, said: “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.”
Slain noted that using simple words like “baseball”, “football”, “dragon” and “letmein” is also a bad idea, saying: “As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”
SplashData advises Internet users create passwords with a mixture of letters, numbers and special characters and ensure the resulting phrase is at least 12 characters long. Ideally, a different password should be used on each website or a password manager to store phrases that are hard to remember.
Researchers are currently building new security systems that will replace passwords in the future but until then it’s essential the humble strings of characters are approached seriously if they’re to be any use at all.
One way of making passwords easier to remember involves using poetry to create long, unique phrases that naturally include punctuation and different character cases. Last year, two security researchers published a paper demonstrating the idea, using the age-old memory trick of rhyming sentences to avoid the issue of forgotten passwords.
