Worst Passwords of 2016 Revealed

The worst passwords of 2016 have been revealed by SplashData. This year’s report shows the same mistakes are still being made by end users. Even though the use of weak passwords is a major security risk, end users still opt for passwords that are easy to remember, and simplicity is often favored over security.

To compile the list of the worst passwords of 2016, SplashData researchers trawled through millions of stolen credentials that had been dumped online. In total, more than 5 million passwords were assessed and sorted to find the most common passwords in use. The results of SplashData’s analysis do not make for pleasant reading. It would certainly not take a hacker to guess many of the passwords on the list.

SplashData’s password analysis showed that not only are ridiculously weak passwords still being chosen, they are being chosen by huge numbers of individuals. The most commonly used password was used to ‘secure’ 4% of accounts, and a similar number were protected by the second most popular password choice.

The top two passwords in SplashData’s list of the worst passwords of 2016 are the same as last year – 123456 and password. Many users do not even use 6 characters for passwords. Two of the most popular choices are only four characters long – solo and 1234.

There has been a cursory attempt to make certain passwords more secure, although adding a single number to the end of ‘password’ does not come up to the required standard for security. Replacing letters with numbers is also not as secure as many people believe.

Passw0rd – number 18 in the list – would not pose a problem to a hacker. It would certainly be one of the first passwords tried in a brute force attack. As Morgan Slain, CEO of SplashData, Inc. explained, “Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies.”

Variations of ‘password’ are all too commonly used. Even John Podesta allegedly used a ‘password’ variation to secure one of his accounts. Weak passwords didn’t work out too well in his case.

The majority of passwords in the list are either all letters or all numbers, with sequential numbers the most popular choices. In addition to 123456 and 1234, 1234567, 12345678, and 1234567890 also make the top 25 list. A new entirely numerical password has made the list this year, although 121212 is not secure by any stretch of the imagination.

SplashData’s List of the Worst Passwords of 2016

  • 123456
  • password
  • 12345
  • 12345678
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • 1234
  • login
  • welcome
  • solo
  • abc123
  • admin
  • 121212
  • flower
  • passw0rd
  • dragon
  • sunshine
  • master
  • hottie
  • loveme
  • zaq1zaq1
  • password1
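The point about minor modifications can be enforced at the moment a password is set. The following is an added example, not code from SplashData or the original article: it rejects the 25 listed passwords, sequential or repeated digit strings, and variants made by changing case, swapping letters for look-alike characters, or appending digits and symbols. The function names and the substitution table are assumptions chosen for illustration; the 9-character minimum is taken from the tips further down.

```python
import re

# SplashData's 2016 top 25, as listed in this article.
WORST_2016 = frozenset("""123456 password 12345 12345678 football qwerty
1234567890 1234567 princess 1234 login welcome solo abc123 admin 121212 flower
passw0rd dragon sunshine master hottie loveme zaq1zaq1 password1""".split())

# Look-alike swaps to undo before comparing (an assumed, illustrative set).
# "1" is tried both as "i" and as "l", since either may be intended.
UNLEET_TABLES = [str.maketrans("01345@$", "o" + one + "easas") for one in "il"]


def simplified_forms(password):
    """Return the forms that common guessing rules would reduce this password to."""
    lowered = password.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits and symbols
    forms = {lowered, core}
    for table in UNLEET_TABLES:
        forms |= {lowered.translate(table), core.translate(table)}
    return forms - {""}


def is_digit_pattern(password):
    """True for digit runs (1234567, 9876) or a short repeated unit (121212)."""
    if not re.fullmatch(r"[0-9]{2,}", password):
        return False
    # Step between neighbouring digits, modulo 10 so that 9 -> 0 counts as +1.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(password, password[1:])}
    return steps in ({1}, {9}) or bool(re.fullmatch(r"([0-9]{1,3})\1+", password))


def weakness(password):
    """Return a reason string if the password should be rejected, else None."""
    if is_digit_pattern(password):
        return "sequential or repeated digits"
    hits = simplified_forms(password) & WORST_2016
    if hits:
        return f"variant of listed password {sorted(hits)[0]!r}"
    if len(password) < 9:
        return "shorter than 9 characters"
    return None
```

A check like this belongs on the server side of a sign-up or password-change form, alongside a larger breached-password list where one is available.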

With so many passwords to remember, it can be difficult to keep track of them all, but the solution is not to use simple passwords. The solution is a password manager. Password managers allow huge numbers of complex passwords to be stored, which means a separate password can be used for each platform. Since many password managers are free to use, there really is no excuse for not using a complex, strong password.

Tips for Choosing Strong Passwords:

  • Choose a password containing between 9 and 20 characters
  • Use combinations of numbers, letters, and symbols
  • Use upper and lowercase letters
  • Include at least one number, one capital letter, and one symbol in each password
  • If you don’t want to use a password manager, use a long passphrase rather than a password
  • Do not simply add numbers to the end of an easy to remember word
  • Never use a password on more than one platform
  • Never recycle old passwords
  • Change your passwords every month

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news