Passwords are well known as the first line in your cyber defence against unauthorised access. However, a recent survey by SplashData has discovered that many people continue to use simplistic passwords that are easy to crack. The most popular password on the web is, unbelievably, ‘123456’. The second most common password is: ‘password’. Despite the high profile data leaks in recent years it is still apparent that employee education on how to maintain cyber-hygiene is more important than ever.
An estimated 3.3 million passwords were leaked during 2014. It was this data that was used to build up a picture of the most common passwords. Common names are also in the top 100 passwords. The full list of the top 25 can be found here.
Any password based on a sequence, particularly one as simple as numerical order, is extremely weak as a password as hacking software can identify frequent patterns, including words written backwards. It should therefore worry users who use simplistic passwords, as this leaves users at risk of online fraud and identity theft. Moreover, using a simplistic password across all multiple accounts can jeopardise your safety even more.
If you use the same password for something that would be relatively benign if hacked, such as a username for an online forum or blog, but also use the same password for your email account or some account that deals with money, such as Amazon or Paypal, then cyber criminals can hack all of your accounts.
Nevertheless, there is a positive side to this story. Whilst the top 25 most common passwords were full of simplistic passwords such as ‘123456’ and ‘password’ they only accounted for 2.2% of the total number of leaked passwords. Just four years ago the 25 most common passwords accounted for 6% of the total number of leaked passwords.
Moreover, due to the methodology that was used to compile the data all of the passwords in the list are those that were cracked. Therefore, it is likely that weaker passwords are over-represented as strong passwords would have been less likely to be hacked and leaked in the first place.
Obviously, a strong password is only one line in your cyber defence but it must not be the only one. The most sophisticated forms of hacking hardware can cycle through as many as 350 billion guesses-per-second. As such, it is imperative to have a strong firewall and good user education to prevent unauthorised access. However, a PC or other form of device is safer with a strong password than without one.
The main reason why people continue to use simple passwords is that they perceive a trade-off between a password that is weak but easy to remember and a password that is strong but difficult to remember. It is well known that a strong password is one that contains upper and lower case letters, numbers, punctuation and isn’t a complete word, especially one relevant to your company or personal details as these may be easily guessed. However, here are some other tips on how to make a stronger password:
- Do not use the same password for everything. For reasons mentioned earlier this can jeopardise your online safety. If you want to use a similar password for each online account then keep them similar with small changes. Try to include punctuation and/or capital letters so that the passwords are relatively different. Similarly:
- Do not use the same password for every computer in your organisation. This may jeopardise security in a similar manner to you personally using the same password across multiple account.
- Don’t store your passwords on your computer. Creating a strong password for every account you create on the internet may seem tiresome, particularly as the internet has become so pervasive and internet-users have accounts for many different websites or functions. Many people might wish to write down their passwords in a document on their computer so they can easily store them without remembering them. However, if you keep your passwords in a document on your computer (especially if the name of the document is ‘passwords’!) then you compromise your safety in the same way as using the same password for everything. Writing down your passwords on a sticky and leaving them lying in your workplace is likewise dangerous. However, if you choose to write your passwords down then it is in fact safer to write them down physically on a piece of paper (as long as it is kept relatively safe) despite what common wisdom might suggest.
- “Treat your password like your toothbrush – don’t let anyone else use and get a new one regularly” – Clifford Stoll. You should also change your password immediately if there is a widely publicised mega-breach in the news relating to one of your accounts, such as the recent eBay hack in 2014.
SplashData’s list of the top 25
1 123456 (Unchanged from 2013)
2 password (Unchanged)
3 12345 (Up 17)
4 12345678 (Down 1)
5 qwerty (Down 1)
6 1234567890 (Unchanged)
7 1234 (Up 9)
8 baseball (New)
9 dragon (New)
10 football (New)
11 1234567 (Down 4)
12 monkey (Up 5)
13 letmein (Up 1)
14 abc123 (Down 9)
15 111111 (Down 8)
16 mustang (New)
17 access (New)
18 shadow (Unchanged)
19 master (New)
20 michael (New)
21 superman (New)
22 696969 (New)
23 123123 (Down 12)
24 batman (New)
25 trustno1 (Down 1)