So, naturally, people look for shortcuts, choosing simple-to-remember but also easy-to-crack passwords, making them essentially worthless.
SplashData created its list of worst passwords by counting up the most common passwords out of over 2 million passwords leaked in the past year.*
And just like every year since 2011, when SplashData first released its list, the top two most common passwords (and therefore, the worst) are “123456” (#1) and “password” (#2).
The list has remarkable consistency to last year’s: nine of the top 10 passwords from 2014 also made the top 10 for 2015 – “dragon” dropped from #9 to #16 – with some slight reordering (e.g., “12345” moved from #3 in 2014 to #5 on 2015’s list).
Others in the top 10 worst passwords of 2015 include “12345678” (#3), “qwerty” (#4), “football” (#7) and “baseball” (#10).
There are some new additions this year – “welcome” debuted at #11 on the list, and “1234567890” comes in at #12.
Other newcomers include “1qaz2wsx” (#15 – these characters come from the first two columns of the keyboard), and “qwertyuiop” (#22 – taken from the top row of letters on the keyboard from left to right).
Also new on the list are several passwords inspired by one of the year’s most popular cultural events – the release of the new “Star Wars” movie: “princess” (#21), “solo” (#23) and “starwars” (#25).
Some of the passwords on the 2015 list are longer than in past years – for example, the 10 characters in “1234567890.”
There could be a simple explanation for that – many websites now try to force us into creating stronger passwords through use of password strength meters and minimum character requirements.
But these methods fail too.
A 10-digit password has 1 million times more possible combinations than a four-digit password, but that’s not nearly complex enough to get in the way of password-cracking software.
As SplashData CEO Morgan Slain said, longer passwords based on simple patterns leave users just as vulnerable to hackers:
We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.
So what can we do about the password problem?
Some technology companies, banks, websites and security researchers are trying to kill the password in favor of other forms of authentication, including biometric authentication by fingerprints, faces, irises, gestures and voices; and some weird-sounding ideas like using our thoughts or the unique patterns of our brain activity for authentication.
In the meantime, passwords are an unfortunate necessity, so we need to continue encouraging our friends and family to follow some pretty simple advice on how to create better, more secure passwords.
Tips for creating more secure passwords
1. Make your passwords hard to guess.
Avoid using things like your name, birthday, pet’s name, etc., that would be easy for another person to figure out. And don’t use those easy-to-guess words/numbers with trivial modifications, such as changing “a” to “@” and so on.
2. Make them as long and complex as you can.
Use at least 14 characters, mixing letters, numbers and special characters in hard-to-guess patterns. Another popular method is to combine several unrelated words or phrases, like the famous XKCD password correcthorsebatterystaple.
3. Consider using a password manager.
Password managers can generate long, complex and random passwords, and remember them for you. Just make sure to create a really strong password for the password manager itself (and consider using two-factor authentication if you can), so a crook can’t grab all your passwords at once.
4. One account, one password.
Criminals who get a hold of one of your passwords will try it out on multiple accounts. Don’t reuse passwords – each of your accounts should have a unique password.
Here is a short and straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
*The 2 million passwords used to compile the worst passwords list come from published lists of leaked passwords, representing a wide variety of sites, with no single leak representing a large portion of the sample. However, a SplashData spokesman said the company tries to exclude passwords from adult websites, “since those tend to be over-weighted in leaks, and the kinds of passwords people use on adult sites tend to be different from passwords they use on other sites (i.e., a lot more naughty!).”