2016 Most Common Passwords Reveal Alarming Trends
Last week, SplashData, a provider of password management technology, released its annual list of the most common passwords found among the millions made public through various breaches in 2016. Below, I address some important lessons for information security professionals that emerge from the list. (Please note that in this piece I will not discuss the ethical questions related to utilizing stolen password data for the purpose of creating such a list.)
Here is the list of most common passwords from 2016:
1) People are still picking weak passwords, and sites are letting them do so. If you do not force people to pick strong passwords, you should expect many to pick extremely poor passwords that are likely to be broken by password-cracking software within the first second of being run. Information on how to pick strong passwords that are easy to remember can be found in the article How to Create Strong Passwords that You Can Easily Remember.
2) Many of the passwords on the list have also appeared on the list in prior years – meaning that people have not only been using weak passwords in general for quite some time but they also continue to use specifically the passwords that were most commonly used at the breached sites. This creates a serious risk, as hackers are clearly likely to try those passwords early on when attempting to break into systems and accounts.
3) To some extent, even the weak passwords are getting weaker – last year, for example, “12345678” was more popular than “12345” – but that is no longer the case. I say “to some extent,” because despite the theoretical improved strength of the longer password, every decent password checker is going to try both of these combinations within the first second of running. So both are ineffective; saying that one is stronger than the other is like comparing the value of a 1-inch bandage and a 2-inch bandage when someone will die without a tourniquet.
4) While “star wars” – which was on the list last year – dropped off the list this year, other Star-Wars-related passwords – “solo” and “princess” – moved up to much higher places on the list, reinforcing the problem that pop culture concepts become passwords. (“Princess” might be independent of Star Wars – but still connected to the culture.) Keep in mind that criminals know this as well – and some password cracking tools load in popular terms to try early on in the cracking process.
5) “Passw0rd” appeared on the list. Substituting a 0 for an o, a 1 for an l, a 4 for an h, etc. may add theoretical strength, but, because many password crackers are programmed to try these possibilities, the added theoretical strength may deliver very little extra security from a practical standpoint.
6) “admin” – which is a default login for various networking equipment – is a common password, making me wonder how many of the folks using this password are technically savvy people.
7) 1234 is on the list – meaning that many sites still have password length requirements that are too short.
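An added example (not SplashData's code or the author's) of the kind of server-side acceptance check points 1, 3, 5 and 7 call for: reject a candidate password that is too short, all digits, or matches a common-password list even after undoing the case, leet-speak and trailing-suffix tricks that crackers try first. The blocklist and the 12-character minimum are constructed assumptions.

```python
import itertools
import re

# Constructed sample blocklist built from the passwords named in the article;
# a real check would load a full breach-derived list such as SplashData's.
COMMON_PASSWORDS = {
    "123456", "12345678", "12345", "1234", "password", "qwerty",
    "admin", "solo", "princess", "starwars", "login", "welcome",
}
MIN_LENGTH = 12  # assumption: the article only says a 4-character minimum is too short

# Substitutions crackers undo before a dictionary lookup; "1" and "4" are ambiguous,
# so each maps to every letter it commonly stands in for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "ha", "5": "s", "7": "t", "$": "s", "@": "a"}


def leet_variants(pw: str):
    """Yield every spelling obtained by undoing the substitutions in LEET."""
    choices = [LEET.get(c, c) for c in pw]
    if sum(len(c) > 1 for c in choices) > 6:  # bound the combinatorial expansion
        choices = [c[0] for c in choices]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if pw.isdigit():
        reasons.append("digits only")
    # Fold case, drop spaces, and strip the trailing digits/punctuation that
    # crackers append as a mangling rule ("princess2016!").
    base = re.sub(r"[\d!@#$%^&*.]+$", "", pw.lower().replace(" ", ""))
    candidates = {pw.lower(), base} | set(leet_variants(base))
    if candidates & COMMON_PASSWORDS:
        reasons.append("common password")
    return reasons


if __name__ == "__main__":
    for sample in ["Passw0rd", "12345678", "Pr1ncess2016!", "star wars", "correct horse battery staple"]:
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```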