Predictably, the annual SplashData list of worst passwords is chock full of awful password security blunders. This year we see the usual repeat offenders again—keyboard patterns like “123456” and “qwerty” at the top positions, with first names like “michael” and superheroes like “batman” and “superman” all making the top 25. If there’s any consolation, “password” is not number one this year, though it is in second place.
I would like to think our readers are sophisticated enough to avoid these passwords. Have a look at the 25 Worst Passwords of 2014—but don’t poke fun, as nearly everyone is doing something wrong with the passwords they utilize.
1 123456 (Unchanged from 2013)
2 password (Unchanged)
3 12345 (Up 17)
4 12345678 (Down 1)
5 qwerty (Down 1)
6 1234567890 (Unchanged)
7 1234 (Up 9)
8 baseball (New)
9 dragon (New)
10 football (New)
11 1234567 (Down 4)
12 monkey (Up 5)
13 letmein (Up 1)
14 abc123 (Down 9)
15 111111 (Down 8)
16 mustang (New)
17 access (New)
18 shadow (Unchanged)
19 master (New)
20 michael (New)
21 superman (New)
22 696969 (New)
23 123123 (Down 12)
24 batman (New)
25 trustno1 (Down 1)
You have to laugh at 25. Was Agent Mulder from X-Files breached this year?
Keep in mind that these are the worst of the hacked; SplashData compiles the list from 3.3 million compromised passwords, so we can safely assume most aren’t as awful as the ones on the list.
Even passwords commonly thought of as “strong” are still at risk given the level of sophistication that modern hackers have with home-built supercomputers running WPA cracking Hashcat programs. If any of the following applies to your password security behavior, you’re placing yourself at risk.
Your password has fewer than eight characters. No matter the combination of special characters, capital letters, or numbers, a short password can fall victim to a brute force attack. Hackers with overclocked multiple-GPU setups are able to cycle through as many 6.2 billion password combinations every second. That is enough crack a password under eight characters in the course of an afternoon.
You’re using dictionary words. These areanother door-opener for brute force attacks, which may run through the English dictionary hunting for your password.
You’re employing the same tricks as everyone else. Replacing “e” with “3,” or “I” with “1” in a password isn’t fooling today’s hacker software either, which can run through the dictionary with commonly swapped-in numeral combinations.
You’re duplicating passwords on your accounts. This simple stop-gap measure can save your bank account if someone cracks your yoga studio’s database and compromises your username and password used to logon to that site. It’s better that hackers book a fraudulent vinyasa flow class in your name rather than empty your main checking account.
You’re caching your password in HTML web forms. All of us have selected a browser’s “remember this password” option for a web service like LinkedIn or WordPress. This caching of the username/password makes it plainly visible using the browser’s Inspect Element tool. Many sites have patched this flaw, but in older legacy corporate systems, it may still be visible via Inspect Element.
You fail to change your passwords. A moving target is harder to hit. Keep that in mind.
Your false sense of security leaves you open to phishing attacks. Users taking all the right preventative measures choosing their passwords are still prone to give it out. Phishing attacks are becoming more personalized, and in turn, more effective—research indicates that phishing costs businesses USD $5.9 billion annually in 2013. Attacks may come by way of phony e-mail, Lync message, or even a hacked website. For advice on thwarting these sorts of attacks, see: Vigilant Users Are the Best Malware Tools; 10 Steps for Effective Anti-Phishing Training
You refuse to use randomly generated passwords. The consensus that a random password consisting of letters, numerals, and special characters that is 8-12 characters in length is the most secure option. The only thing is that these passwords are difficult to remember, especially if you have to use dozens of different random passwords for all your accounts. The best bet for going this route is to use password management software. There a several options to explore.
- Steganos Password Manager is geared toward small business use.
- Security suites, like Kaspersky 3.0 and Webroot Internet Security Plus for instance, offer password managers bundled in.
Just because you’re not using “logmein” for a logon password doesn’t mean you or your users can let your guard down. The number one rule about password security is that you can never be too careful.
6 comments
I prefer using an obscure language, like Klingonese…(no, that isn’t the one I use, so don’t look for the Klingon dictionary, hackers!)
Mine are in Dothraki.
[…] You’re Making Password Security Mistakes […]
[…] are lousy means of protecting sensitive data largely because users have the tendency to choose laughably bad passwords. Even having a great password does not offer total security either; WIRED writer Mat Honan tells […]
Full of wrong.
Nist recently released a draft paper on password security that is exactly what many of us have been saying for years.
Random passwords, rotated regularly, and an infosec disaster.
There is a finite limit to how many random digits a person can remember.
And a password manager is a pretty lame solution for a host of reasons.
Fact is, show me an org that enforces that practice, and I’ll show you a facility I can walk through flipping keyboards and harvesting passwords .
What makes a lot more sense is pass phrases.
But you have to allow enough characters to allow free form password composition.
For run of the mill passwords, I suggest my users simply pick out three objects and munge them together.
For more secure passwords, they may need to add words and use substitutions and odd characters.
We also enforce 2-factor in our systems.
It’s not that hard to remember:
ToDaywhenIcreatedthispasswordwasacrappydayindeed
than it is to remember some random string.
It doesn’t need to be written anywhere, and doesn’t require a password manager.
It should never have to be changed unless there is reason to believe it’s been compromised.
I have about two dozen like that.
None are written or stored anywhere outside my head.
How about hollermountain4ever and dontshipthecoldbrew for the Stumptown domain?
That’s a good look on the 2016 NIST paper, thanks for pointing that out.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
I like the change in direction since this article was published, particularly:
* No forced PW updates for users
* Allowance of more characters for phrase-style PWs
* and wow, Emoji support
… with that, time to update this article.