Each year for the past several years the password-management-software firm SplashData has released a list of the most common passwords found in data dumps of stolen passwords leaked online during the preceding year. The list for 2015 reveals a lot about how people pick passwords, and provides a wake-up call for people working in information security departments – including those studying for certification exams – as to how much training and education is needed when it comes to passwords, how badly the world needs better designed and implemented password policies, and how strongly many organizations need technology to enforce such policies.
Here is the list of the 25 most common passwords of 2015, as found in the various lists of passwords that leaked online from breaches:
1. 123456 (Unchanged since 2014)
2. password (Unchanged since 2014)
3. 12345678 (Up 1 spot since 2014)
4. qwerty (Up 1 spot since 2014)
5. 12345 (Down 2 spots since 2014)
6. 123456789 (Unchanged since 2014)
7. football (Up 3 spots since 2014)
8. 1234 (Down 1 spot since 2014)
9. 1234567 (Up 2 spots since 2014)
10. baseball (Down 2 spots since 2014)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1 spot since 2014)
14. 111111 (Up 1 spot since 2014)
15. 1qaz2wsx (New)
16. dragon (Down 7 spots since 2014)
17. master (Up 2 spots since 2014)
18. monkey (Down 6 spots since 2014)
19. letmein (Down 6 spots since 2014)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)
I analyzed the list in detail in a piece that appeared in Inc. this past week. But in addition to the specific analysis that I provided for a general audience in that article, there are some important points of which people studying for certification exams should take special note:
- Policies can be worthless if you do not utilize technology to enforce them. By now, policies pretty much everywhere prohibit using passwords like “123456” and “password” – but those two weak passwords are apparently still the two most common passwords in use.
- People make the same mistakes over and over. It does not matter how many times you tell them not to use the password “password,” it does not matter how many times using the password “password” has been mocked in the media, and it does not matter how many times accounts with the password “password” have been breached by criminals in the past. “Password” is an easy password to remember, and people just don’t care. It is your job as a security professional to ensure security even when people don’t care – and, in many cases, to help make them care.
- Beware pop-culture trends – in 2015 "solo" and "starwars" became popular passwords due to the release of the new Star Wars movie. There will be other trending topics in 2016 – and there will be plenty of attempts at creating weak passwords based on them as a result. Make sure to educate people accordingly – and to implement technology to prevent problems.
- Don’t react to poor passwords by creating policies that cause other password problems. Requirements for longer passwords might have caused “1234567890” to enter the list of top passwords for the first time this year – but that password is hardly strong. I have written several pieces about setting up proper password policies and selecting proper passwords. Do not demand that people use overly complex passwords for systems that do not warrant them, and do not require people to create passwords that few people can possibly remember. Remember, if you make security difficult for people they will resent you – which can lead to security problems as well.
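The first and last points above (enforce the policy with technology, and do not let a length rule stand in for strength) are easiest to see in code. The following is an added example, not code from the original post or from SplashData: a small Python policy check that rejects the passwords on the list above, plus obvious variants of them (case changes, appended digits or punctuation, leet substitutions such as "passw0rd"), sequential runs, repeated characters and keyboard walks. The reason codes, the leet mapping and the keyboard-row layout are my own assumptions; the blocklist is the 2015 list quoted above and can be extended with whatever is trending in a given year. A length-only policy is included beside it to show that "1234567890" satisfies a ten-character minimum while failing every other test.

```python
"""Password-policy enforcement: blocklist plus pattern checks (added example)."""
import re

# The SplashData 2015 list quoted above. Extend with trending terms as needed.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

# Assumed leet-speak substitutions, so "P@ssw0rd" collapses to "password".
LEET = str.maketrans("01345@$7", "oleasast")

# Assumed US QWERTY layout; columns give vertical walks such as "1qaz", "2wsx".
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["".join(row[i] for row in ROWS) for i in range(len(ROWS[-1]))]


def keyboard_fragments(run: int = 4) -> set[str]:
    """All substrings of length `run` along a keyboard row or column, both directions."""
    frags = set()
    for walk in ROWS + COLUMNS:
        for w in (walk, walk[::-1]):
            for i in range(len(w) - run + 1):
                frags.add(w[i:i + run])
    return frags


KEYBOARD_FRAGMENTS = keyboard_fragments()


def candidate_forms(pw: str) -> set[str]:
    """Normalised spellings of pw that should be compared against the blocklist."""
    lower = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)  # "password123!" -> "password"
    forms = {lower, lower.translate(LEET), stripped, stripped.translate(LEET)}
    forms.discard("")
    return forms


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` alphanumerics that step by exactly +1 or -1 (1234, dcba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not window.isalnum():
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def has_repeat(pw: str) -> bool:
    """True if any character appears three or more times in a row (111111)."""
    return re.search(r"(.)\1{2,}", pw) is not None


def has_keyboard_walk(pw: str) -> bool:
    """True if pw contains a four-key walk along a row or column (qwerty, 1qaz)."""
    s = pw.lower()
    return any(frag in s for frag in KEYBOARD_FRAGMENTS)


def length_only_policy(pw: str, min_length: int = 10) -> bool:
    """The naive policy: a minimum length and nothing else."""
    return len(pw) >= min_length


def check_password(pw: str, min_length: int = 10) -> list[str]:
    """Return the list of policy violations for pw; an empty list means acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append("too_short")
    if any(form in COMMON_PASSWORDS for form in candidate_forms(pw)):
        problems.append("common")
    if has_sequence(pw):
        problems.append("sequence")
    if has_repeat(pw):
        problems.append("repeat")
    if has_keyboard_walk(pw):
        problems.append("keyboard_walk")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a list entry that meets a length rule, a leet variant,
    # a short list entry, and a long passphrase.
    for sample in ["1234567890", "P@ssw0rd2016!", "football", "correct horse battery staple"]:
        print(f"{sample!r}: length-only={length_only_policy(sample)} "
              f"violations={check_password(sample)}")
```

The normalisation step matters as much as the list itself: a blocklist compared only against the exact string lets "Password1!" through, which is precisely the kind of mechanical workaround that complexity rules encourage. Keep the rejection message useful ("this password is on a list of commonly used passwords") so that people learn why, rather than just that, their choice was refused.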