Do you use any of the worst passwords of 2016?
It is time to talk about passwords again. They are like the seatbelts of the security world. There are many more exciting security tools but few are as important to keeping you safe from the risks you encounter day to day.
Splash Data recently released their list of the most common passwords from 2016 based on over five million stolen and leaked credentials.
Clearly things have improved and password requirements and gotten more stringent because the winner is no longer 1234, which has dropped to #11. It is now 123456! Second place goes to that perennial favorite “password” and we see12345 in third place.
Rather than showing how stupid people are I think this shows just how many passwords we are asked to create, keep track of, and change. I have over 1500 passwords right now. Asking humans to create, manage, and remember unguessable and unique passwords for all those sites is absurd. Humans tend to fall back on a couple of strategies. Some people have one good password that they use on all of their important websites, and a really simple one for all the other websites. Other people will create a simple pattern for generating passwords for each site like adding a word to the name of the site. The password for Facebook might be “fluffy3Facebook!" and Wells Fargo might be "fluffy3WellsFargo!”. Those would pass most tests for length, capitalization, numbers, and special characters, but if an attacker was able to discover one of them they could easily guess all the others. Random passwords are the gold standard but long random passwords are very hard to remember. Pass phrases can make long passwords memorable but it is still very hard to remember a thousand of them without resorting to a simple pattern.
My suggestion is to use a password managers (also called password vaults) like 1Password, Dashlane, or LastPass. Any of these will store all of your passwords, make them securely available across your devices, and automatically fill them in on web forms. They will also generate long random passwords for you, which you never need to bother trying to remember. For example, a typical password for me would be "kGAg2{MgHm8[cvrG7WE=“ which is very strong.
I do still need to remember one password, the one that secures the passwords in the vault. That is where the pass phrase really shines. That one memorable phrase protects all the impossible to remember unique and strong passwords. That phrase could be something like “H8 it when Fluffy poops on the rug, but love him all the time!” which is easy to remember, very hard to guess, and you only need one.
If you do just one thing for your security this year, get a good password manager and start changing all of your passwords to be strong and unique every time you go to a site.
For the curious, here is the full list of the 25 most common passwords:
- 123456
- password
- 12345
- 12345678
- football
- qwerty
- 1234567890
- 1234567
- princess
- 1234
- login
- welcome
- solo
- abc123
- admin
- 121212
- flower
- passw0rd
- dragon
- sunshine
- master
- hottie
- loveme
- zaq1zaq1
- password1