‘Password’ no longer weakest choice as ‘123456’ surges into first place


Password security company Splashdata has released a new version of its annual list of the world’s worst passwords – and ‘password’, last year’s number one, has been unseated by ‘123456’.

The company compiles its list from databases of stolen passwords posted online, with the ‘worst’ passwords being the most commonly used – this year’s list was influenced by the huge security breach at Adobe, where two million users chose 123456 as their password, as reported by We Live Security here.

Morgan Slain, chief executive of SplashData, told Yahoo News that: “Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing.”

The list of stolen passwords was published online by security consulting firm Stricture Consulting Group following the breach. SplashData’s annual list is widely reported – and aired on the Today show – but despite the publicity, users continue to use weak passwords.

The company said in its official statement that the list, “shows that many people continue to put themselves at risk by using weak, easily guessable passwords. Some other passwords in the Top Ten include “qwerty,” “abc123,” “111111,” and “iloveyou.”

“Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies,” Slain said. “For example, new to this year’s list are simple and easily guessable passwords like “1234” at #16, “12345” at #20, and “000000” at #25.”

“As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”

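| Rank | Password | Change from 2012 |
|------|----------|------------------|
| 1 | 123456 | Up 1 |
| 2 | password | Down 1 |
| 3 | 12345678 | Unchanged |
| 4 | qwerty | Up 1 |
| 5 | abc123 | Down 1 |
| 6 | 123456789 | New |
| 7 | 111111 | Up 2 |
| 8 | 1234567 | Up 5 |
| 9 | iloveyou | Up 2 |
| 10 | adobe123 | New |
| 11 | 123123 | Up 5 |
| 12 | admin | New |
| 13 | 1234567890 | New |
| 14 | letmein | Down 7 |
| 15 | photoshop | New |
| 16 | 1234 | New |
| 17 | monkey | Down 11 |
| 18 | shadow | Unchanged |
| 19 | sunshine | Down 5 |
| 20 | 12345 | New |
| 21 | password1 | Up 4 |
| 22 | princess | New |
| 23 | azerty | New |
| 24 | trustno1 | Down 12 |
| 25 | 000000 | New |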

ESET Senior Research Fellow David Harley says that in cases such as the Adobe breach, even users with “strong” passwords are at risk – and should think carefully about other sites where they may have used the same password: “Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”

While no password, however complex, can offer complete protection – a cybercriminal with sufficient time and password-cracking software will eventually break any password – using such weak passwords allows criminals to access accounts more quickly. A We Live Security guide to creating stronger passwords is here.

ESET Senior Research Fellow David Harley warns against ‘quick fixes’ for password changes, such as simply adding numbers to the end of an existing password, saying that these too are easy prey for crackers: “Where the site requires you to change your password periodically but allows you to do so by appending a number. Password cracking 101.”
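The following Python sketch is an added example, not code from SplashData, ESET or the original article. It shows how a password-change form could reject the three habits described above: a password from the list, a password built on the service's name, and an old password with a number appended. The function and reason names are hypothetical, and the sample passwords in the usage comments are constructed.

```python
import re

# The 25 passwords from the table on this page.
WORST_2013 = frozenset("""
123456 password 12345678 qwerty abc123 123456789 111111 1234567 iloveyou
adobe123 123123 admin 1234567890 letmein photoshop 1234 monkey shadow
sunshine 12345 password1 princess azerty trustno1 000000
""".split())


def _stem(pw):
    """Lowercase, then strip digits and symbols from both ends of the password."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def check_new_password(new, old=None, service_names=()):
    """Return the reasons to reject `new`; an empty list means no rule fired.

    `old` is the current password as typed into the change form, so nothing
    has to be stored in plaintext to run the comparison.
    """
    reasons = []
    low, stem = new.lower(), _stem(new)

    # Rule 1: on the list, or a listed word decorated with digits or symbols.
    if low in WORST_2013 or stem in WORST_2013:
        reasons.append("common")

    # Rule 2: digits only, like the short numerical entries new to the list.
    if new.isdigit():
        reasons.append("numeric")

    # Rule 3: contains the name of the site or application being accessed.
    if any(name and name.lower() in low for name in service_names):
        reasons.append("site-name")

    # Rule 4: same stem as the old password, i.e. only the appended or
    # prepended number or symbol changed.
    if old and _stem(old) and stem == _stem(old):
        reasons.append("derived-from-old")

    return reasons


# Constructed sample inputs:
# check_new_password("Photoshop2014!", service_names=("Photoshop",))
# check_new_password("Winter!Harbor9", old="Winter!Harbor8")
```

An empty result only means none of these four rules matched; it is not a measure of overall password strength.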

A We Live Security guide to what to do in the event of a breach can be found here.

 

Author Rob Waugh, We Live Security

Copyright © 2014 ESET, All Rights Reserved.