The worst passwords of 2016

Earlier this year, SplashData released its sixth annual report on the most commonly used passwords, and, for the sixth year in a row, “123456” and “password” took the top two spots.

Nearly 4% of people used the most common password, “123456”, and over 10% used one of the top 25, according to the Worst Password report. The data comes from more than five million passwords leaked over the past year.


Don’t rely on minor modifications

Not only are “password” and “123456” the top two entries, but minor variations of them also appear throughout the list. The top ten is filled with common words and strings of numbers:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234

In addition, two variations of “password” – “passw0rd” and “password1” – also appear in the top 25, alongside more simple number patterns like “1234” and “121212”.

“Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies,” Morgan Slain, CEO of SplashData, said in a statement. He added that he hoped SplashData’s research would help people realise how risky it is to use common logins and help them take steps to strengthen their passwords.

After six years, though, SplashData’s reports appear to be having minimal impact. Passwords may be becoming superficially more complex but they are not any more secure.

“We have seen an effort by many people to be more secure by adding characters to passwords,” Slain said, “but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.”


What makes a good password?

SplashData advises using passwords with twelve or more characters that mix letters, numbers and special characters.

Length is not the only determiner of password security. After all, even with a six-character password, there are literally billions of combinations – 735,091,890,625 to be exact. To get the most out of a password, SplashData recommends the following:

Don’t just use words: rather than using a word that can be found in a dictionary, use a coded phrase. Hackers often use dictionaries as part of brute-force attacks, so obscuring words will make passwords harder to guess. Mnemonics and other ciphers are good techniques, while obvious substitutions (such as ‘0’ for ‘o’) should be avoided.

Don’t reuse passwords: using the same password for multiple logins means that if one account is breached, the others are also vulnerable. If a hacker gets access to one account, they often try the same password for other logins. Simply adding numerals to the end of a password does not make it sufficiently different, as this is a common technique that hackers are prepared for.

Use a password management app: having numerous complex passwords can be hard to remember. Password management applications allow users to organise their passwords, and they can be used to generate new ones.
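
To show why the minor modifications described above add so little, here is a sketch of a sign-up check that undoes them before consulting a blocklist. It is an added example, not code from SplashData or this site: the function names, the substitution map and the sample inputs are constructed, and the blocklist is only the top ten quoted above.

```python
import re

# Top ten from the article; a real check would load a far larger
# breached-password list (assumption of this example).
COMMON = {"123456", "password", "12345", "12345678", "football",
          "qwerty", "1234567890", "1234567", "princess", "1234"}

# Obvious substitutions such as '0' for 'o' (constructed, not exhaustive).
LEET = str.maketrans("013457@$", "oleastas")


def candidates(pw):
    """Forms of pw with trivial modifications undone."""
    raw = pw.lower()
    base = re.sub(r"[^a-z]+$", "", raw)  # drop appended digits/symbols
    forms = {raw, base, raw.translate(LEET), base.translate(LEET)}
    return forms - {""}


def weakness(pw):
    """Return a reason to reject pw, or None if no check fires."""
    hits = candidates(pw) & COMMON
    if hits:
        return f"common password or trivial variant of '{sorted(hits)[0]}'"
    if re.fullmatch(r"[0-9]+", pw):
        if re.fullmatch(r"(\d{1,3})\1+", pw):
            return "repeated digit pattern"
        steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
        if steps in ({1}, {-1}):
            return "sequential digits"
    if len(pw) < 12:
        return "shorter than twelve characters"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["passw0rd", "password1", "Football2016!", "121212",
               "123456789", "velvet-Otter-mows-lawn"]:
        print(f"{pw!r}: {weakness(pw) or 'no check fired'}")
```

A result of None only means none of these checks fired; it does not show that the password is strong or unused elsewhere.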
