Weakest, common passwords of 2014 revealed

A study of more than 3.3 million passwords leaked in 2014 has been released, exposing the most overused, predictable passwords.

SplashData released the annual top 25 most common passwords, which represent 2.2% of the 3.3 million leaked passwords studied. According to PC Advisor, this represents a decrease, although by our calculations that still means over 72,000 of the passwords leaked in the sample were in this list. PC Advisor speculates that the decline may be down to a wider awareness of the importance of security, with a number of high-profile password leaks pushing the issue up people’s agendas in the last year.

That doesn’t change the top two, though: they remain the same as in 2013, with the worryingly weak ‘123456’ and ‘password’ occupying the top slots. Elsewhere in the list, a number of single-word new entries emerge, including ‘michael’, ‘mustang’, ‘baseball’, ‘football’, ‘superman’, ‘batman’ and ‘dragon’. The last of these, CNET speculates, may owe to the growing popularity of Game of Thrones.

Morgan Slain, CEO of SplashData, said of the 2014 password list: “As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”

The full list is published below. As security expert David Harley noted in a post on the corresponding list from 2012, there is still a strong inclination towards numeric patterns.

Rank | Password | Change from 2013

For tips on ensuring your password is up to scratch, be sure to watch the We Live Security video below:

Author , ESET

  • Martin Forde

    Password by length is the way to go. For example, 111111111111111111 would still take several years to crack through brute-force methods. Or if you made it something memorable like your address, 900W.HomeSt.NoWhereVilleMa,12345 would be practicably uncrackable.

    • Brute-force attacks tend to be comparatively slow if the password is any use at all. But your first example would probably fail well within the first second of a dictionary attack, and the second might fail quite quickly if the attacker knew anything about you personally. A brute force attack doesn’t have to be an attacker’s primary tactic.

      • EtherTraveller

        Very poor examples for choosing a strong password. The only one that made any sense was creating an acronym by using a phrase that you will easily remember. Use the first letter of each word. “Mary had a little lamb” but not as lame as that. In your example of creating an acronym you type the whole thing uppercase as opposed to a mix of upper and lowercase and numbers, which is what you recommended in a prior example. Try spending a little more time on your own recommendations. For others out there just Google “Bruce Schneier strong passwords” and read his recommendations. They are probably the best ones. Plus he is a well respected cryptographer mathematician.

  • IPleadthe2nd

    An AES Encryption Key with 26 random (including punctuation) characters not containing a word in the dictionary would take thousands of years to crack. An attacker has better things to do with his time, like look for easier targets.
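The reply to Martin Forde above notes that a long password can still fall within the first second of a dictionary attack. The check below is an added example, not code from the article or its commenters: it sets a length-based brute-force estimate beside the pattern tests a password screen would apply. The blocklist holds only the passwords the article names, and the function names and the last sample password are constructed for illustration.

```python
import math
import string

# Constructed blocklist: only the passwords the article itself names.
COMMON = {"123456", "password", "michael", "mustang", "baseball",
          "football", "superman", "batman", "dragon"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def naive_bits(pw):
    """Brute-force estimate: length * log2(pool), assuming random characters."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def is_run(pw):
    """True when every character is one step above (or below) the previous one."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) > 2 and steps in ({1}, {-1})


def repeated_unit(pw):
    """Shortest block whose repetition produces pw, or None if there is none."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return pw[:size]
    return None


def screen(pw):
    """Reasons to reject pw that a length-based estimate does not see."""
    reasons = []
    if pw.lower() in COMMON:
        reasons.append("on common-password list")
    if is_run(pw):
        reasons.append("sequential run")
    unit = repeated_unit(pw)
    if unit is not None:
        reasons.append("repeats %r" % unit)
    return reasons


if __name__ == "__main__":
    # The last password is a constructed sample with no detectable pattern.
    for pw in ("111111111111111111", "123456", "dragon", "t7#Vq9!xLm2$"):
        print("%-20s %5.1f bits  %s" % (pw, naive_bits(pw), screen(pw) or "no pattern found"))
```

The eighteen-digit string scores close to 60 bits on the naive estimate yet is rejected as a single repeated character, which is the gap between brute-force arithmetic and what a dictionary or rule-based guesser tries first.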


Copyright © 2017 ESET, All Rights Reserved.