This last year has brought an increased emphasis on online security—what with the PlayStation Network breach and seemingly endless stories of services, companies, and governments losing personal data or seeing their systems compromised (Valve, Sony, and RSA all spring to mind), one might think consumers would be more careful with passwords on their email and social networking accounts, mobile devices, and even online banking. According to a report published by SplashData, makers of password management software, that’s not really true. SplashData looked at files containing “millions” of stolen passwords that were posted online by cyberattackers in the last year and compiled a list of the 25 most common passwords it found. At the top of the list: “password.”
“Hackers can easily break into many accounts just by repeatedly trying common passwords,” said SplashData CEO Morgan Slain, in a statement. “Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft.”
SplashData’s sample is admittedly biased: its list comprises the 25 most common passwords it found in lists of accounts that had been cracked—meaning accounts with more-secure passwords aren’t even in the sample set. There’s also no indication whether these accounts represent real people or simply accounts created by automation or for testing purposes: there’s no way of knowing whether guessing the password to any one of those accounts would actually have a harmful result. Nonetheless, the results seem to indicate a rather shocking naiveté from everyday Internet users.
According to SplashData, the 25 most common passwords cracked by cyberattackers are:
- password
- 123456
- 12345678
- qwerty
- abc123
- monkey
- 1234567
- letmein
- trustno1
- dragon
- baseball
- 111111
- iloveyou
- master
- sunshine
- ashley
- bailey
- passw0rd
- shadow
- 123123
- 654321
- superman
- qazwsx
- michael
- football
One interesting entry is “passw0rd”—many people think they’re secure from dictionary attacks if they simply change out a letter for a numeral.
Security experts generally recommend that a password be at least eight characters long and contain a mix of upper- and lower-case letters, numbers, and allowable punctuation. However, from a usability standpoint, those sorts of “secure” passwords are difficult for users to remember and use—meaning they often wind up on sticky notes next to a monitor or in a file or note labelled “password,” further compromising users’ security.
“If you have a password that is short or common or a word in the dictionary, it’s like leaving your door open for identity thieves,” Slain said.
Another approach is to create rather long passwords from strings of seemingly unrelated, ordinary words: those passwords are generally easier to type and remember, although they often aren’t accepted by systems that enforce rules about password length or require special characters.
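As an added example (not code from SplashData or this article), the following Python blocklist check undoes the letter-for-numeral swaps that the “passw0rd” entry illustrates, using the 25 entries above as a constructed blocklist plus the eight-character minimum mentioned earlier; the leet map and the passphrase input are assumptions for illustration.

```python
# Constructed sample blocklist: the 25 entries from the SplashData list above.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Assumed letter-for-symbol swaps: each symbol maps to the letters it commonly
# stands in for ("1" can disguise either "l" or "i").
LEET_MAP = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
}


def matches_leet(password: str, plain: str) -> bool:
    """True if `password` equals `plain` once letter-for-symbol swaps are undone.

    Comparison is position by position, so no candidate explosion occurs for
    long inputs; an unchanged character (the real "1" in "trustno1") still matches.
    """
    if len(password) != len(plain):
        return False
    return all(
        p == q or q in LEET_MAP.get(p, "")
        for p, q in zip(password.lower(), plain)
    )


def is_blocked(password: str) -> bool:
    """True if the password, read plainly or de-leeted, is on the blocklist."""
    return any(matches_leet(password, plain) for plain in COMMON_PASSWORDS)


def check_password(password: str, min_len: int = 8) -> str:
    """Apply the length rule first, then the blocklist; return a verdict string."""
    if len(password) < min_len:
        return "too short"
    if is_blocked(password):
        return "on common-password list"
    return "ok"


if __name__ == "__main__":
    for pw in ("passw0rd", "P@ssw0rd", "monkey", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)}")
```

Note that a multi-word passphrase passes this policy without any special characters, whereas a leet-disguised dictionary word does not.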
[Comic via the excellent xkcd: http://xkcd.com/936/]