Predictably, the annual SplashData list of worst passwords is chock full of awful password security blunders. This year we see the usual repeat offenders again—keyboard patterns like “123456” and “qwerty” at the top positions, with first names like “michael” and superheroes like “batman” and “superman” all making the top 25. If there’s any consolation, “password” is not number one this year, though it is in second place.
I would like to think our readers are sophisticated enough to avoid these passwords. Have a look at the 25 Worst Passwords of 2014—but don’t poke fun, as nearly everyone is doing something wrong with the passwords they use.
1. 123456 (Unchanged from 2013)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 1234567890 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)
11. 1234567 (Down 4)
12. monkey (Up 5)
13. letmein (Up 1)
14. abc123 (Down 9)
15. 111111 (Down 8)
16. mustang (New)
17. access (New)
18. shadow (Unchanged)
19. master (New)
20. michael (New)
21. superman (New)
22. 696969 (New)
23. 123123 (Down 12)
24. batman (New)
25. trustno1 (Down 1)
You have to laugh at number 25. Was Agent Mulder from The X-Files breached this year?
Keep in mind that these are the worst of the hacked; SplashData compiles the list from 3.3 million compromised passwords, so we can safely assume most aren’t as awful as the ones on the list.
Even passwords commonly thought of as “strong” are still at risk given the level of sophistication that modern hackers have with home-built GPU “supercomputers” running password- and WPA-cracking programs such as Hashcat. If any of the following applies to your password security behavior, you’re placing yourself at risk.
Your password has fewer than eight characters. No matter the combination of special characters, capital letters, or numbers, a short password can fall victim to a brute force attack. Hackers with overclocked multiple-GPU setups are able to cycle through as many as 6.2 billion password combinations every second. That is enough to crack a password under eight characters in the course of an afternoon.
You’re using dictionary words. These are another door-opener for brute force attacks, which may run through the English dictionary hunting for your password.
You’re employing the same tricks as everyone else. Replacing “e” with “3” or “I” with “1” in a password isn’t fooling today’s hacker software either, which can run through the dictionary with commonly swapped-in numeral combinations.
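The three weaknesses above (too short, a dictionary word, a dictionary word with the usual digit swaps) are exactly what a password-acceptance check on the defender's side should reject before a password is ever stored. The following is an added example, not code from the article or from SplashData: it flags each of the three conditions, estimates the worst-case brute-force time at the 6.2 billion guesses per second quoted in the article, and undoes the common substitutions before looking a candidate up in a wordlist. The `WORST_PASSWORDS` set is the article's list; the `DICTIONARY` set and the substitution map are small constructed stand-ins for the far larger wordlists and rule sets a cracking tool actually uses.

```python
import math
import re
from typing import List

# The SplashData 2014 list exactly as given in the article above.
WORST_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
    "trustno1",
}

# Constructed stand-in for a cracking wordlist; a real one has millions of entries.
DICTIONARY = {"password", "dragon", "monkey", "summer", "welcome", "secret", "letmein"}

# Common digit/symbol swaps that cracking rules simply undo ("e" -> "3", "i" -> "1", ...).
# Constructed for this example; real rule sets try many more variants.
LEET_MAP = str.maketrans({
    "3": "e", "1": "i", "!": "i", "0": "o", "@": "a", "4": "a",
    "$": "s", "5": "s", "7": "t",
})

GUESSES_PER_SECOND = 6.2e9  # GPU rig rate quoted in the article


def normalize(password: str) -> str:
    """Lower-case, drop a trailing number ("summer2014"), then undo leet swaps."""
    base = re.sub(r"\d+$", "", password.lower())
    return base.translate(LEET_MAP)


def charset_size(password: str) -> int:
    """Size of the smallest standard character set the password draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_seconds(password: str) -> float:
    """Worst case: exhaust the whole keyspace at the article's quoted rate."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def weaknesses(password: str) -> List[str]:
    """Return the article's weaknesses that apply; an empty list means none found."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if password.lower() in WORST_PASSWORDS:
        findings.append("on the worst-passwords list")
    if normalize(password) in DICTIONARY:
        findings.append("dictionary word (after undoing common substitutions)")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd", "summer2014", "xK9#vLm2qR"]:
        hours = brute_force_seconds(candidate) / 3600
        print(f"{candidate!r}: {weaknesses(candidate) or 'no findings'}; "
              f"keyspace exhausted in {hours:.1f} h at 6.2e9 guesses/s")
```

The point of `normalize` is that "P@ssw0rd" and "summer2014" are not new passwords from the cracker's point of view; they are "password" and "summer" plus a rule the tool applies for free. The keyspace figure is an upper bound: a dictionary hit is found long before the keyspace is exhausted, which is why the dictionary checks come first.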
You’re duplicating passwords on your accounts. Using a different password for each site is a simple stop-gap measure that can save your bank account if someone cracks your yoga studio’s database and compromises the username and password you use to log on to that site. It’s better that hackers book a fraudulent vinyasa flow class in your name rather than empty your main checking account.
You’re caching your password in HTML web forms. All of us have selected a browser’s “remember this password” option for a web service like LinkedIn or WordPress. This caching of the username/password makes it plainly visible using the browser’s Inspect Element tool. Many sites have patched this flaw, but in older legacy corporate systems, it may still be visible via Inspect Element.
You fail to change your passwords. A moving target is harder to hit. Keep that in mind.
Your false sense of security leaves you open to phishing attacks. Users who take all the right preventive measures when choosing their passwords are still prone to giving them out. Phishing attacks are becoming more personalized, and in turn, more effective—research indicates that phishing cost businesses USD 5.9 billion in 2013. Attacks may come by way of a phony e-mail, a Lync message, or even a hacked website. For advice on thwarting these sorts of attacks, see: Vigilant Users Are the Best Malware Tools; 10 Steps for Effective Anti-Phishing Training.
You refuse to use randomly generated passwords. The consensus is that a random password consisting of letters, numerals, and special characters and 8–12 characters in length is the most secure option. The only thing is that these passwords are difficult to remember, especially if you have to use dozens of different random passwords for all your accounts. The best bet for going this route is to use password management software. There are several options to explore.
- Steganos Password Manager is geared toward small business use.
- Security suites, like Kaspersky 3.0 and Webroot Internet Security Plus for instance, offer password managers bundled in.
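A password manager's core job is the one the paragraph above describes: draw a password of the recommended 8–12 characters from letters, numerals, and special characters using a cryptographically secure random source, so that nothing about it is guessable. The following is an added example in Python, not code from the article or from any of the products named above; it uses the standard library's `secrets` module (the OS CSPRNG, not the predictable `random` module), resamples until every character class is present, and reports how many bits of entropy a password of that length carries. The class-presence rule and the 8-character minimum are this example's own choices, following the article's recommendation.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII characters, excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password: str) -> bool:
    """True if the password contains a lower, an upper, a digit and a special character."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 12) -> str:
    """Random password from the OS CSPRNG; resampled until every class appears.

    The 8-character floor follows the article's advice; there is no upper cap,
    since longer is only stronger.
    """
    if length < 8:
        raise ValueError("passwords shorter than 8 characters are brute-forceable")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def guess_seconds(length: int, guesses_per_second: float = 6.2e9) -> float:
    """Worst-case seconds to exhaust the keyspace at the article's quoted GPU rate."""
    return 2 ** entropy_bits(length) / guesses_per_second


if __name__ == "__main__":
    for n in (8, 12):
        years = guess_seconds(n) / (3600 * 24 * 365)
        print(f"{generate_password(n)}  ({n} chars, {entropy_bits(n):.1f} bits, "
              f"keyspace exhausted in {years:,.0f} years at 6.2e9 guesses/s)")
```

Insisting on every character class removes a tiny fraction of the keyspace, so the real entropy is a hair below the figure `entropy_bits` reports; the difference is negligible next to the gap between 8 and 12 characters, which is about 26 bits, a factor of roughly 67 million in cracking time.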
Just because you’re not using “logmein” for a logon password doesn’t mean you or your users can let your guard down. The number one rule about password security is that you can never be too careful.