Every year, security applications provider and password management company, SplashData, publishes a report revealing the worst passwords of the past twelve months. To conduct their report, SplashData examined over 3.3 million passwords that had been leaked online throughout the past year. Their 2015 report (published on the 20th January 2016) reveals that “123456” and “password” again taking the top spot of the most common passwords.
While the passwords in 2015 became longer, presumably driven by an awareness of the need to increase security, many of those longer passwords remained simple and were created with the simple addition of more numbers or letters in the sequence.
You can see the list of most popular passwords below, along with their change in ranking from the previous year. As you can see, many of the passwords are appalling.
|Rank||Password||Change from 2014|
Though there are some recurring themes in people’s passwords this year, there are also some new trends. Sports remain popular for password choices, such as “football” and “baseball”, which have both climbed the list since the 2014 report.
Other trends mark more of a difference: the most noticeable shift is perhaps down to the release of “Star Wars: The Force Awakens”, with people going for related choices such as “Princess”, “solo” and “starwars” for their passwords. It is rather a testament to the film’s popularity that these words made it onto the list of most popular passwords in 2015, marking a sharp and rapid trend in their use.
Aside from someone manually trying these passwords to try and gain access, there are much simpler ways to use common passwords to gain access to say, your WordPress site.
In a demonstration, Hackertarget used a simple tool called WPscan. Many users do not change the User from the default “Admin”. Using that user id, and say a list of the most common 500 passwords, WPScan can Bruteforce access to a WordPress installation in just 1 minute and 16 seconds, assuming your password is on the list.
Now imagine a hacker running a botnet of 1000’s of hacked computers, each running a similar hacking attempt, and then you can see how easy using a bad, or common password can be.
So whatever you do, do not use one of the Worst Passwords of 2015 listed above.
Best Practices for Choosing A Password
In the report, Splashdata offers three pieces of advice:
- Use a password or even a longer phrase which is twelve characters or more; these should also be mixed characters, such as lower and upper case letters, numbers, and symbols, with more variety always being better.
- Avoid reusing the same password or passphrase multiple times: if someone guesses it once, they are then able to try it on any other account, and this puts all your various accounts at risk.
- Use a password manager such as SplashID, LastPass or others to keep your passwords organized and managed; password managers are also able to generate random sets of characters and, therefore, help you to create more complex passwords.
You can also use a password checker, such as The Password Meter to check how secure your passwords are: simply type in your chosen password, and you can see how secure it is. This will enable you to improve it if it scores badly.