
Last year, bad passwords had a bit of a Star Wars theme thanks to the long-awaited episode 7. Bad passwords included ‘solo’, ‘princess’ and ‘starwars’:
2015 worst passwords:
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars
The Star Wars craze looks like it has ended, for passwords at least, but some of our old favorites including 123456 and qwerty remain at the top of the worst passwords of 2016 list. New list additions included “mynoob” and “google” and the lucky seven 7’s (7777777). It may be lucky in Vegas, but not quite so lucky if you want to keep hackers out of your account.
2016 worst passwords:
- 123456
- 123456789
- Qwerty
- 12345678
- 111111
- 1234567890
- 1234567
- password
- 123123
- 987654321
- Qwertyuiop
- Mynoob
- 123321
- 666666
- 18atcskd2w
- 7777777
- 1q2w3e4r
- 654321
- 555555
- 3rjs1la7qe
- 1q2w3e4r5t
- 123qwe
- zxcvbnm
- 1q2w3e
Shockingly, nearly 17% of accounts are safeguarded with the most popular password 123456.
“What really perplexed us is that so many website operators are not enforcing password security best practices,” says Darren Guccione, Co-founder and CEO of Keeper Security. “The list of most-frequently used passwords has changed little over the past few years. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.”
And why are some seemingly random and complex passwords on the list such as “18atcskd2w” and “3rjs1la7qe”?
According to security expert Graham Cluley, although those passwords are common, it was likely a computer using the same password over and over again on multiple accounts. “Human brains were responsible for choosing passwords like ‘123456’, ‘password,’ and ‘qwerty.’ But there is no way that 91,103 people independently chose to secure their accounts with ‘18atcskd2w,’” comments Cluley. “Instead, what I believe happened is that these accounts were created by bots, perhaps with the intention of posting spam onto the forums.”
Other passwords, like “1q2w3e4r” and “123qwe”, look smart and perhaps seem complex, but in reality they are very simple for password crackers to break, since they involve a pattern and are not quite as random as the users choosing them might think.
Darren Guccione, Co-founder and CEO of Keeper Security, also adds that websites allowing short passwords of under six characters are being irresponsible. “Today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.”
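For website operators who want to do that job for their users, here is a sketch of a signup-time check covering the three weaknesses described above: short passwords, list favorites and keyboard patterns. It is an added example, not code from Keeper Security or the original article; the function names, the 8-character minimum and the grid model of the keyboard are assumptions, and the blocklist is a small constructed sample taken from the lists on this page.

```python
# Added example: hypothetical server-side password screening (not Keeper's code).

# Constructed sample: a few entries copied from the lists on this page.
# A real deployment would load a much larger breached-password list.
BLOCKLIST = {"123456", "password", "qwerty", "football", "letmein",
             "starwars", "mynoob", "zxcvbnm", "18atcskd2w", "3rjs1la7qe"}

# Assumption: the page only calls "under six characters" irresponsible;
# 8 is chosen here as a stricter floor.
MIN_LENGTH = 8

# US QWERTY rows treated as a grid (assumption: key stagger is ignored).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def is_keyboard_pattern(pw):
    """True if nearly every keystroke lands on or next to the previous key."""
    pos = [KEY_POS.get(ch) for ch in pw.lower()]
    if len(pos) < 4 or None in pos:
        return False  # too short to judge, or uses keys outside the grid
    jumps = sum(1 for a, b in zip(pos, pos[1:])
                if abs(a[0] - b[0]) > 1 or abs(a[1] - b[1]) > 1)
    # Allow roughly one restart per four keys: "123qwe", "1qaz2wsx".
    return jumps * 4 <= len(pos) - 1


def screen_password(pw):
    """Return the reasons to reject pw; an empty list means it passed."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if pw.lower() in BLOCKLIST:
        reasons.append("on common-password list")
    if is_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ["Qwerty", "1q2w3e4r", "123qwe", "18atcskd2w", "tV9#mLq2xR"]:
        print(f"{candidate!r}: {screen_password(candidate) or 'accepted'}")
```

The pattern check also catches repeated digits such as “111111” and “7777777”, because pressing the same key again counts as staying next to the previous one.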
Keeper Security offers three tips to avoid falling victim to hackers in 2017:
1. Use a variety of characters – and we’re not talking about your favorite Star Wars characters either. This should include special characters, upper and lower case characters, and numbers.
2. Avoid common or dictionary terms. Common phrases and words are easy for brute-force attacks to crack.
3. Use a reputable password manager. Make sure you research your password manager as they have all your critical data and it would be devastating if your information were compromised.
Elizabeth Becker is the Client Partner of IT Staffing Firm PROTECH, www.protechitjobs.com. Her hiring and recruiting expertise has been featured in a variety of publications including The Ladders, Recruiter.com, Monster, LinkedIn, Tech.co and more. You can reach her with comments, feedback or to be featured in an upcoming story at elizabethb@protechfl.com.